The Internal Revenue Service is not keeping pace with modern hacking, according to agency watchdogs.
Major online tax preparation firms, within months of customer account hacks, all required many users to sign on with passwords, plus codes delivered by text or email.
But a year after crooks gamed IRS.gov to view 334,000 taxpayers' records, the agency says it will not be able to shift to stronger login procedures until after this year’s tax season.
Mired in contractual obligations and antiquated IT systems that cannot text or email the public, the Internal Revenue Service is not keeping pace with modern hacking, according to agency watchdogs.
The private sector, by contrast, has rushed to activate so-called multifactor authentication in the aftermath of security breaches. The latest example: Criminals, between November and December 2015, sidestepped TaxAct's old ID verification system to open and print customer tax returns, according to a Jan. 11 notification letter.
Now, the final edition of TaxAct 2015 released in January requires that users sign in with a password and code sent through a separate communications channel, TaxAct spokeswoman Shaunna Morgan said.
Tax refund fraud happens when criminals use stolen personal information to file a falsified tax return claiming a refund. Intuit, maker of TurboTax, provided all users the option of locking down their accounts with two-factor authentication in November 2015, after fraudulent e-filing spiked last year.
H&R Block, which reportedly has experienced similar schemes in the past, made the feature available five years ago, company spokesman Gene King said. All three companies send a one-time passcode to the user's smartphone or email address.
The IRS has not been able to bolt on an additional lock as swiftly as federal investigators would like.
Last month, the Treasury Inspector General for Tax Administration released a statement, criticizing the IRS for providing "only single-factor authentication despite the government standards requiring multifactor authentication for such high-risk applications," adding that, "as a result, unscrupulous individuals have gained unauthorized access to tax account information."
The watchdog was referring to revelations last August that ID thieves abused a “Get Transcript” feature on IRS.gov to see previous year tax filings on hundreds of thousands of Americans. The agency yanked the online service after discovering the breach. IRS officials have said they believe the culprits intend to use the transcripts to file for illegal refunds this tax season.
Part of a $5.8 Billion Problem
ID thieves successfully pocketed about $5.8 billion in fraudulent tax refunds during 2013, according to the Government Accountability Office.
"Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually," security researcher Brian Krebs said in Dec. 14, 2015, blog post. "Victims usually first learn of the crime after having their returns rejected because scammers beat them to it."
An IRS official emailed Nextgov a statement, saying the agency anticipates "multifactor authentication will be in place later this year" for IRS.gov citizen services. The agency's inspector general reported the launch is slated for summer 2016 at the earliest. Affected services include the breached Get Transcript tool and a form fraud victims can use to obtain an identity protection PIN.
"There are contractual issues related to the validation of financial data" that must be resolved before the transition to stronger ID verification, Michael McKenney,deputy IG for audit said in a Nov. 19 review.
Basic technical issues also are hindering IRS.gov login improvements. There’s essentially no way to instantly transmit a secondary code, because the agency does not communicate with the public via email or text. Fraud victims who request an identity protection PIN wait for the mail carrier to deliver the code via snail mail.
A couple of safeguards IRS now offers until multifactor ID checks are a reality, unfortunately, contain their own loopholes, information security experts say. The online application fraud victims fill out for an identity protection PIN, to enter on future returns, suffers from the same security flaw as Get Transcript.
Already, troublemakers are instructing aspiring bad guys how to trick the system to obtain a victim's PIN, according to a screenshot from an underground Web forum.
The key failing of the Get Transcript and identity protection PIN services is that they rely on the applicant supplying static personal information or answering "knowledge-based authentication" questions. The requisite data can be answered by guessing, searching social networks, or consulting the online black market.
"My guess is that a huge chunk of 334,000 victimized via the IRS’ site this year probably will not request the IP PIN and will in fact have fraudulent tax returns filed with their info — whether they request the IP PIN and it is stolen or not," Krebs said in his blog post. "The IRS should just issue the IP PINs to affected taxpayers, instead of asking victims to do it themselves."
Is the Mail Safer?
The security enhancement for the Get Transcript site is snail mail. The U.S. Postal Service, not the website, delivers tax returns to users who enter a valid Social Security number and a matching, valid physical address. What would stop a criminal who possesses someone's Social Security number and name from changing that person's mailing address to retrieve the tax returns?
Nothing, said Rob Bagnall, founder of Maverick Cyber Defense, a security company with civilian agency, commercial and military customers: "I can change the address, yes."
The IRS says it has taken other precautions to counter fraud while work on multiformat ID verification continues.
"We have enacted additional security enhancements to protect these applications for the 2016 filing season," the emailed IRS statement said. "Detailing safeguards or outlining vulnerabilities will only help the identity thieves. All of our safeguards are designed to stop fraudsters from using information stolen elsewhere to create or change IRS-related accounts."
On Jan. 22, the service for obtaining an identity protection PIN was taken offline. An IRS spokesman told Nextgov the feature is down for a few days for maintenance and the issue does not appear to be security related. As of Sunday night, the site said: "Alert This service is currently unavailable. We apologize for any inconvenience."