IRS pushes back on data protection criticisms

The IRS has endured a steady stream of criticism over the past few years from Congress, the public and even its own inspector general over the agency's efforts to modernize its IT systems and better protect taxpayer data against identity theft and fraud.

Most recently, the tax agency was forced to backpedal on the award of a $7.2 million contract extension to data company Equifax, because the company had been breached and lost more than 140 million records.

On an Oct. 17 conference call with reporters, IRS chief John Koskinen said that he didn't expect the Equifax breach to result in new problems for tax filers.

"We actually think that it won’t make any significantly or noticeable difference. Unfortunately, as a result of previous breaches … our estimate is a significant percent of those taxpayers already had their information in the hands of criminals," Koskinen said.

On the call, Koskinen touted overall improvements since the agency teamed up with tax and financial industry partners to tackle data security in 2015 following the breach caused by a vulnerability in the Get Transcript application.

"Since 2015, IRS has worked with states and the private sector to put safeguards in place to stop identity thieves,"  Koskinen said. "Industry partners have shared dozens of data points that help IRS isolate and identify identity theft."

Koskinen credited actions taken since IRS convened a 2015 security summit along with internal improvements to agency fraud detection systems with an overall reduction in reported instances of identity theft in the past two years.

According to figures cited during the call, the IRS has stopped 883,000 instances of confirmed identity theft-enabled tax returns in 2016, down 37 percent from the previous year. Through the first eight months of 2017, the agency has reported 443,000 fraudulent return attempts, a 30 percent drop from the same time last year.

However, an annual memo from the Treasury Inspector General for Tax Administration has identified security over taxpayer data and identity theft and impersonation fraud as the top two management and performance challenges at the IRS for the past two years running. While identity theft is still regarded as a top challenge, TIGTA did credit the IRS with improved detection capabilities and noted the agency is "making progress" on this front.

Auditors found that the agency has not fully implemented network monitoring tools and does not effectively check audit logs for suspicious activity, citing one case of an employee who accessed thousands of names, dates of birth and Social Security numbers from agency data systems to claim $550,000 in fraudulent tax refunds.

Koskinen also cited improvements to the Return Review Program. Initially the system was hard to adjust on the fly, but since 2016, the IRS has added to and expanded the information that goes through the system, and it now filters more than 200 different types of data.

A 2016 TIGTA report found that other fraud detection systems within the IRS were able to discover more than 50,000 confirmed instances of fraudulent tax returns that weren't picked up by the new system. In June 2017, TIGTA determined that "IRS processes are still not sufficient to identify all employment identity theft victims."

Social Security numbers have been consistently identified by TIGTA and other third-party financial fraud experts as one of the key tools used by scammers to commit tax identity theft.

On Oct. 3, White House cybersecurity advisor Rob Joyce indicated that the Trump administration is looking into developing alternatives to the Social Security number, calling the identifier a relic from the pre-information age that "has outlived its usefulness."

"There are technologies we can look at … a public private key, something I can use publicly but not put the information at risk, something that can be revoked if it's known to be compromised," said Joyce.

Koskinen did not take a firm position on Joyce's suggestion, but expressed skepticism that a change to a new number or identifier would lead to improved security.

"There's almost no place now where you can use [just a Social Security number], because everyone understands that data by itself does not identify you," Koskinen said.

John Pescatore, director of emerging security trends at SANS, said the government could adopt identity management strategies from the private sector, such as tying taxpayer access privileges to a remote accessible device, such as a key fob or even a cell phone in addition to the standard request for personally identifiable data. While not immune to disruption or spoofing, such devices could potentially make it much more difficult for unauthorized users to gain access to personal data.

"Even if someone knows my Social Security number, if the request is not coming from one of the five devices I use all the time, why am I getting away with it?" Pescatore asked.