recommended reading

Tax Collectors Want 'Selfies' to Prove You Are Who You Say You Are

kaisorn/Shutterstock.com

Some state revenue agencies and motor vehicle departments are receiving federal funds to verify the smartphone selfies of taxpayers, say government and corporate officials involved. 

Individuals residing in North Carolina and Georgia will be allowed late next year to download a facial recognition app -- for selfie matching -- that should bar others from claiming tax refunds in their name. 

Why enlist the DMV? 

"They do a fantastic job of in-person proofing someone's identity, and that's a necessary step to get into a high-level assurance for any kind of electronic credential that you might want to issue," Mark DiFraia, a senior director at biometric technology provider MorphoTrust, said in an interview. 

Now that so much of our personal information is readily available online, confidential biographical data alone is not enough protection against ID theft, experts say.

In August, the federal government disclosed that crooks gamed an Internal Revenue Service online tool, by entering stolen private information on about 334,000 individuals, and filed for $39 million in fraudulent refunds.    

Earlier this year, TurboTax temporarily unplugged state return e-filing after several states reported criminals using false identities to attempt to collect refunds. 

But come late 2016, thousands of state residents will be able to block anyone from filing for their refund who does not have the same facial features, personal information and driver's license, according to officials. The new service will be offered as a preemptive measure for the tax season that begins Jan. 5, 2017. 

Here's how the anti-spoofing mechanism will work: 

  1. An individual downloads a MorphoTrust app that will be available on many types of smartphones.
  2. The user scans the barcode on the driver's license with the phone.
  3. The person uses the phone to take a picture of the front of the license so the DMV can verify it is a valid card. 
  4. And, then "they actually take a selfie," by bringing the camera up and taking a self-portrait, DiFraia said.
  5. The taxpayer consents to having the barcode scan and pictures cross-matched with data in the DMV's records. 

The images transmitted are not stored by MorphoTrust, the DMV or the state tax collector, DiFraia said. The DMV is not sharing any personal information in its records with the tax collector. The revenue agency only receives a confirmation or denial of a match. The selfie stays on the user's phone.

"This whole service is built from the core with privacy and consent as their key tenets," DiFraia said. "We're not giving DMV any data they don't already have."

The trial aims to sign up at least 75,000 individuals across both North Carolina and Georgia. 

A federally funded, industry-led initiative to secure online transactions with credentials other than passwords has granted the project $1.8 million, officials announced this week. H&R Block also is a partner in the selfie-authentication effort.

Mike Garcia, acting director of the National Strategy for Trusted Identities in Cyberspace National Program Office, tells Nextgov the service "creates this sort of componentized separation, so the interaction that is occurring with the DMV is completely distinct from the interaction that's occurring with the department of taxation of revenue. That's intentional. That's, from our view, a privacy feature."

As of now, federal-level tax returns are not part of the project. 

"We do not have any plans with the IRS as of yet for this solution," DiFraia said. "But we're optimistic that what we're demonstrating and the ideas contained within the grants would be interesting to them and something that they might consider as a way of providing users with another option where they can proactively do something to try to mitigate the risk of this kind of fraud."

The IRS paid out $5.8 billion to criminals in 2013, according to the Government Accountability Office.

When ID bandits struck TurboTax earlier, H&R Block reportedly said there was no indication of a similar problem with its tax returns. H&R Block's security safeguards included requiring a federal e-filed return to be accepted by the IRS before transmitting a state e-filed return. With TurboTax, it was possible to file a state return online without sending a federal return. 

This is not H&R Block's first foray into biometrics. On Aug. 31, the tax software provider announced a partnership with the Transportation Security Administration to house fingerprinting kiosks in H&R Block offices where customers can enroll in TSA's PreCheck expedited screening program. 

Garcia said of the taxpayer verification service, "if done right, it's actually about putting less information out there." The data already captured at the DMV, eliminates the need for "going through another proofing event with the office of taxation and revenue," he added. 

Some privacy advocates questioned an anti-fraud program that relies on biometric databases, especially as the Office of Personnel Management just announced the compromise of fingerprints of millions of national security workers.

“No amount of authentication can compensate for insecure hardware and software,” Electronic Frontier Foundation senior staff attorney Lee Tien said. “Plus, we just saw that OPM admitted something like 5.6 million fingerprints were compromised—isn’t biometric authentication wonderful?”

In the taxpayer security situation, “here, I guess the issue is face recognition—but if I can make my phone send a picture of you, is that enough?” he wondered.

(Image via kaisorn/ Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    View
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    View
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    View
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    View
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    View
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    View

When you download a report, your information may be shared with the underwriters of that document.