The IRS Knows What Computer You Are Using -- and That Might Be a Good Thing

The Internal Revenue Service is preparing to give taxpayers and tax preparers new identity-theft protections for filing online returns, partly because ID fraud has cost the U.S. Treasury nearly $6 billion. 

One counter-fraud measure will capture identifying data from the laptop or PC used to file a return, according to a federal audit released Thursday.

Repeat submissions from the same device could point to the work of a criminal using stolen aliases to amass multiple refunds. This would be a low-cost endeavor, Government Accountability Office auditors estimate. Many tax software programs already collect the device information, a unique number that identifies the individual device used to e-file a return.

Another, potentially more expensive approach would issue taxpayers unique logins, smart cards, one-time passwords or a mixture of these tools to confirm they are who they claim to be.

Either the IRS or an outside service, such as the user's bank or a credit reporting agency, would "identity proof" the user with security questions (i.e. “Who is your mortgage lender?”) and then issue the credential.

Requiring all filers to obtain an IRS-issued PIN also is under consideration. 

There are tradeoffs with some of these methods. Crooks can guess security questions by consulting the trail of personal information people leave on social media every day. Taxpayers could lose their PINs or IRS-issued credentials because both would only be used once a year. And there is a cost attached to enrolling taxpayers in ID registries and managing authentication.

Auditors criticized the IRS for not weighing the pros and cons of different ID-protection mechanisms under consideration. 

"Without analysis of costs, benefits and risks, IRS and Congress will not have quantitative information that could inform decisions about whether and how much to invest in the various authentication options," James R. White, GAO director for tax issues, said in the report. "The lack of this information could hinder decision-makers’ ability to select which option (or combination of options) is most cost beneficial."

This tax season, IRS officials are collecting device IDs from companies that provide e-filing services who volunteer the information. Next year, device registration is expected to become mandatory.

"Beginning in filing season 2016, IRS plans to require these companies to submit a device identification number with each e-filed tax return," White said. 

Yet, unlike some of the other ID safeguards, "device identification will impose minimal, if any, costs on taxpayers, third parties, or IRS," he noted. "It will not require additional taxpayer action," either.

In a Dec. 30, 2014 letter, responding to a draft audit, IRS officials confirmed they are examining several new means of checking taxpayer IDs.

"The IRS is evaluating many options in determining how we can best provide a method where returns can be filed with a reasonable assurance that the person filing the return is the legitimate owner of the Taxpayer Identification Number used on the return,” John Dalrymple, IRS deputy commissioner for services and enforcement, said in the letter.

However, tight budgets might prevent a thorough cost-benefit study, tax agency officials said. “The depths and scope of this analysis may be limited based on available resources and time,” Dalrymple said.

The consideration of multistep ID verification comes as the IRS and Department of Homeland Security warn of a new scam targeting tax preparers.

The scheme involves malicious "phishing" emails that lure tax professionals into divulging certain identification codes for filing returns. 

The emails ask tax pros to update "IRS e-services" information and Electronic Filing Identification Numbers. But the email is not actually from the IRS.

“The links that are provided in the bogus email to access IRS e-services appear to be a phishing scheme designed to capture your username and password," tax agency officials said in an alert Wednesday. "Disregard this email and do not click on the links provided." 

As GAO reported last summer, the IRS paid more than $5 billion to fraudsters in 2013. 

(Image via Pressmaster / Shutterstock.com)