The IRS is testing multifactor authentication for taxpayers who use its online systems to cut down on electronic tax fraud.
The tax agency hopes the improved security could be ready to go in a few months, IRS Commissioner John Koskinen told the House Committee on Ways and Means’ Subcommittee on Oversight Tuesday.
Currently, the IRS is testing the multifactor authentication internally, “having security experts try to hack into it,” Koskinen said. The agency is piloting a system that sends a one-time code to a user’s mobile device, like a phone or tablet, that they would then use to verify they really are who they claim to be.
The problem though, the commissioner said, is the IRS doesn’t in most cases have taxpayers’ phone numbers or emails on hand. “We correspond with people by paper,” he said. Therefore, the IRS plans to bring in an outside firm to provide that information.
“The balance is how can we keep criminals out without keeping all of the taxpayers out at the same time,” Koskinen said.
With the ability to ping online users on a secondary device and through another unique account, Koskinen believes the IRS can stop fraudsters who’ve gotten increasingly sophisticated at masquerading as taxpayers, especially given the amount of personal information stolen in recent hacks, like the 2013 breach at Target.
In recent months the IRS has seen hundreds of thousands of taxpayers’ information stolen or misused by criminals through its Get Transcript portal, which allows users to retrieve their prior years’ tax transcripts, and its Identity Protection PIN tool, given to victims of identity theft to confirm they are who they say they are online. Both systems have since been taken offline. Koskinen said the IRS sees about 1 million attempts every day from outside sources to access its information.
Yet, the IRS worries multifactor authentication could also make it harder for genuine taxpayers to login to their online accounts. Already, with what he called “out-of-wallet” authentication questions — the typical prompts like the name of your first dog or make and model of your first car — nearly a quarter of taxpayers can’t remember their answers, Koskinen said.
“The problem will be and our goal will be over time to make that work smoothly enough that we can back to the 80 percent [login rate],” Koskinen said. “We’ll probably never have an authentication system that everybody can get through.”
Watchdogs present at the hearing supported the introduction of multifactor authentication, but they weren’t so sure the move was as easy as Koskinen — who had previously estimated the new security control would be ready by the start of this spring — made it sound.
“I think it’s a significant challenge but I know they’re dedicated to doing that, and our agents have consulted with them on things that we’ve seen in investigations of the [Get Transcript] breaches,” said Timothy Camus, the Treasury Department’s inspector general for tax administration. “We’re sharing that information with them, but it is a significant undertaking, and a complex one.”
Jessica Lucas-Judy, acting director for strategic issues in the Government Accountability Office, expects the move to “take a while,” she said. “There is a lot for them to consider.”
The insidious criminals outside of the IRS aren’t the agency’s only concern, however. There are more than 55,000 IRS employees with privileged access to taxpayers’ information as part of their daily job who could take advantage of it.
Camus pointed to the so-called insider threat as the biggest problem with the IRS’ IT security, saying the agency needs to ensure employees “don’t do horrible things with that data and commit identity theft themselves.”
In a number of investigations, Camus said, the IRS has found cases of identity theft by its own employees.
One of the most significant of those cases, the agency discovered its employee, Alabama-native Nakeisha Hall, stole taxpayers’ identities using her internal position to plan a scheme to collect up to $1.5 million. She was found guilty by a U.S. district court and required to pay restitution on the $438,187 in funds actually paid out by the IRS, according to Alabama.com. She awaits sentencing.
“We believe the IRS must prioritize its focus on insider threats posed by IRS employees,” Camus said.