US faces $5b filching by ID thieves in fake tax returns

The IRS appears to have slipped over its own shoelaces in an attempt to help its customers. This has emerged from a Senate meeting to find why some $5-billion has gone astray to “hackers and other fraudsters”. The essence of the dilemma is that while the IRS website wants to “legitimately help” compliant taxpayers with their data, its site is vulnerable to misuse of its “get transcript” application. This has enabled Identity thieves to access the files of 104,000 people and 13,000 tax returns were based on fraud. – PW

By Richard Rubin

(Bloomberg) – The American Internal Revenue Service (IRS) is promoting an initiative to expand online services for taxpayers. Yet this it more likely that the US tax agency will be hit by “hackers and other fraudsters”, the agency’s inspector general said Tuesday.

One of the IRS’s early forays into interactive service was halted last month after the agency said identity thieves had accessed past tax returns of 104,000 people. The IRS provided updated numbers Tuesday, showing that about 13,000 fake tax returns have been filed using that information, with an estimated loss of $39 million to the government.

Though the data breach didn’t compromise the IRS’s core systems, it marked a significant setback for the agency’s efforts to cut costs. “Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online also creates greater risk to an organisation and provides more opportunities for exploitation,” Russell George, the inspector general, said in prepared remarks for a Senate Finance Committee hearing Tuesday.

The data breach involved a “get transcript” function on the IRS’s website. Taxpayers had to submit personal information, such as their Social Security number, date of birth, and tax filing status. Then they had to authenticate that information with so-called out-of-wallet information — such as monthly mortgage or car payments, according to IRS commissioner John Koskinen.

Past tax returns are especially valuable to identity thieves because they allow them to create plausible fake tax returns that mimic a real return, evade computerised anti-fraud filters, and then direct the refund to a prepaid debit card.

The identity thieves were repeatedly able to bypass the safeguards and the IRS stopped the application on May 21. Several agencies are investigating the incident and the IRS is contacting the affected taxpayers.

“Your agency has failed these taxpayers,” Senate Finance Chairman Orrin Hatch, a Utah Republican, said to Koskinen.

Not all 104,000 thefts led to fake tax returns because some of the legitimate taxpayers had already filed returns or because IRS computers rejected the returns as suspicious. “The IRS is not and will never be exempted from this constant threat,” Hatch said. “In fact, there is reason to believe the IRS will be more frequently targeted in the future.”

The most recent data breach is a fraction of the identity theft problem facing the IRS. According to George’s testimony, the IRS lost more than $5-billion to refund fraud in 2013.

George’s prepared testimony questioned the IRS’s data-security efforts, and said the agency hasn’t implemented 44 recommendations from his office. For example, he said the agency could do a better job terminating unused accounts and limiting shared accounts. Data security is especially important, he said, as the IRS expands its online efforts. According to George’s statement, the IRS is planning a secure messaging pilot programme in 2016 “that will lay the foundation for a broader taxpayer digital communication rollout in the future”.

Congress has been cutting the IRS budget, and Koskinen has pitched expanded online services as a way the agency can conserve resources and serve taxpayers.

The get-transcript application served 23-million taxpayers this year and the agency would have been “much less efficient” without it, Koskinen said. IRS call centres and walk-in offices were jammed during the 2015 tax filing season.

In his testimony Tuesday, Koskinen showed few signs of veering from that path: “We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. “The challenge will always be to keep up with, if not get ahead of, our enemies in this area.”