Treasury Secretary Says Electronic Stimulus Payments ‘More Secure,' But Are They?

Treasury Secretary Steven Mnuchin told Americans collecting personal and banking information through the IRS website and using direct deposit is a “more secure” path to get stimulus payments, but some security professionals disagree.

“We want to do as much of this electronically as we can,” Mnuchin said during Monday’s White House briefing on the administration’s pandemic response efforts. “It’s very important in this day and age. It’s more secure, and you don’t have to go to the bank.”

Mnuchin’s remark looked to assuage cybersecurity fears but runs counter to conventional thinking within the security community. 

“Asking individuals to submit their information is not ‘more secure,’” Scott Straub, public sector lead for risk markets at the digital identity company Neustar, told Nextgov. “How do you know that the person entering the information into the website is not a fraudster redirecting the payment?”

Straub notes aspiring impersonators already have access to many consumers’ personal identifying information, or PII, through social engineering or from purchasing it on the dark web.

“A fraudster could easily open a bank account online in the target’s name and use the bank account for the funds to be deposited,” he said. “It would be too new for anyone to detect and the funds would get funneled out.  We have already seen this happen when criminals who have someone’s PII file tax returns before the actual person does—stealing their refunds.”

Straub said more sophisticated hackers could also create and use “synthetic identities” to trick the IRS into misdirecting the stimulus payments online.

This would be especially easy, he said, “if the criminals have already filed taxes on behalf of a fake identity.”

The IRS has long struggled to prevent identity thieves from collecting their victims’ legitimate tax refunds. However, between 2015 and 2018, the agency demonstrated progress against criminals by protecting $24 billion in fraudulent claims with procedural and software changes.

But the agency continues to struggle with verifying identities. The IRS inspector general flagged the problem of spurious digital identities in a March 23 report, noting the agency was not in compliance with related National Institute of Standards and Technology requirements.

“The IRS acknowledged that [its] workflow processes did not fully meet [Identity Assurance Level] 2 standards...to remotely identity proof and authenticate taxpayers,” the IG wrote.

Jeremy Grant of the Better Identity Coalition told Nextgov IAL2 standards are "more or less where an agency wants to be for any application that releases something of value (like personal data or money).” 

The IG’s report notes the IRS is developing a digital identity solution, but “the implementation date for the solution to include all the IRS’s public-facing applications is unknown.”

The IRS did not respond to a request for comment on whether a pilot planned for June 2020 was moved up to account for the rollout of the new stimulus disbursement tool.