Multi-Layer or Multi-Factor? Assessing IRS Fraud Fixes
With its online filing system badly abused by scammers, the IRS is beefing up the checks that protect the integrity of electronic tax filing. Will multi-factor authentication be part of the mix?
The first inkling that my wife and I had that we were in for trouble this tax season was a letter from the Internal Revenue Service in early March saying that the agency was having some trouble processing our tax return and asking us for some additional information to help complete the filing.
The problem? We hadn’t filed our tax return yet, and weren’t planning to for another week. No surprise, then, when the IRS rejected the return we did file electronically using tax preparation software. The error message indicated (shocker) that we had already filed a return.
As we discovered: my wife and I were among the 100,000 or so taxpayers who were the victims of a not-very-sophisticated online scam in which cyber criminals used stolen information on U.S. residents to game a challenge/response security feature of an IRS web application called “Get Transcript.” By correctly answering questions about taxpayers, the criminals were able to access stored returns from previous years and electronically file a fraudulent return seeking significant refunds.
The IRS said that 200,000 taxpayer accounts were targeted and that around 100,000 filings – or 0.04% of the approximately 240 million returns filed – were used to file fraudulent claims. That sounds too small to me. The police logs in my hometown and neighboring towns have been riddled with reports of “tax fraud” and “IRS fraud” in recent weeks – scores of reports. And that’s just a few small towns in one county in one state. Don’t be surprised if that 200,000 taxpayer figure turns out to be low!
The question now isn’t so much “what happened” (though, as a reporter, I think that is still a fine question to ask) as “what is the IRS going to do about it?” The agency took steps last week to answer that, but its statements raise as many questions as they answer. Specifically: will the IRS use strong, two-factor authentication to secure taxpayer accounts, or continue to rely on soft, “multi-layered” authentication checks?
In a statement released on June 11, the agency announced planned updates to a service called “Get Transcript” that will allow the agency, working in concert with state and private tax preparation services, to “authenticate” tax filings online against known “data elements” about the taxpayer submitted at the time of filing. Among these are the IP address of the filer, the identifier of the device used to file, the transaction “metadata,” and factors such as the time taken to complete the filing – an effort to spot automated attacks.
These are all improvements over the static “challenge/response” questions – such as past addresses or the company that holds your mortgage – that can easily be gamed, or bought outright in underground identity-theft markets. They’re also methods that banks have used for more than a decade to spot suspicious or fraudulent online banking sessions. A natural question for the government might be: ‘what took you so long?’
What’s missing, of course, is a hard second factor for identifying and authenticating taxpayers. While soft authentication such as device ID and IP address checks, as well as session monitoring, can make run-of-the-mill scams and automated fraud attacks harder to carry out, these signals are all supplied by the client and so can be gamed by an attacker who controls it – while imposing significant overhead on legitimate filers. The IRS should expect the “false positive” rate for e-filings to be high (a new laptop or a new home network looks much like an attacker), and staff its support lines accordingly.
Undoubtedly, strong second-factor authentication via text message or one-time passcodes is a missing element in the IRS’s effort to crack down on fraud (codes generated on the taxpayer’s device or a hardware token are preferable to codes sent by text message, which are only as safe as the phone number they go to). Combining the metadata matching that the IRS is already using with a hard token in the form of a mobile device or one-time password generator would make tax fraud much harder and more expensive to conduct. If history is any measure, that would be enough to drive cyber criminals on to easier prey.
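To make the contrast concrete, here is an added example (not IRS code and not from the original post) that models the two policies discussed above: a soft, metadata-only check of the kind the June 11 statement describes, and the same check combined with a hard TOTP factor (RFC 6238). The taxpayer profile, the filing sessions, the five-minute "human" threshold and the risk threshold are all constructed assumptions; the shared secret is the RFC 6238 test vector, not a real provisioning secret.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumption: a human needs at least five minutes to complete a return.
MIN_HUMAN_SECONDS = 300


@dataclass
class TaxpayerProfile:
    """What the agency already knows from prior filings (constructed sample data)."""
    known_device_ids: set
    known_ip_prefixes: set   # first three octets, e.g. "203.0.113"
    totp_secret: bytes       # shared with the taxpayer's authenticator app


@dataclass
class FilingSession:
    """Metadata captured when a return is submitted (constructed sample data)."""
    device_id: str
    ip: str
    seconds_to_complete: int
    challenge_answers_correct: bool   # the static "knowledge" questions


def ip_prefix(ip):
    return ".".join(ip.split(".")[:3])


def metadata_risk(session, profile):
    """The soft, 'multi-layered' checks: device ID, IP address, time to complete.
    Every one of these values is reported by the client, so an attacker who
    controls the client can choose them; the score is a hint, not a proof."""
    reasons = []
    if session.device_id not in profile.known_device_ids:
        reasons.append("unknown device")
    if ip_prefix(session.ip) not in profile.known_ip_prefixes:
        reasons.append("unfamiliar network")
    if session.seconds_to_complete < MIN_HUMAN_SECONDS:
        reasons.append("completed faster than a human would")
    return len(reasons), reasons


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current step plus/minus `window` steps of clock drift, using a
    constant-time comparison so the check is not a timing oracle."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def soft_only_policy(session, profile):
    """Challenge questions plus metadata: what the statement describes."""
    if not session.challenge_answers_correct:
        return "reject"
    score, _ = metadata_risk(session, profile)
    return "accept" if score == 0 else "review"


def layered_policy(session, profile, totp_code, at_time):
    """The same checks with a hard second factor gating the decision; the
    metadata then only decides whether a refund is held for review."""
    if not session.challenge_answers_correct:
        return "reject"
    if totp_code is None or not verify_totp(profile.totp_secret, totp_code, at_time):
        return "reject"
    score, _ = metadata_risk(session, profile)
    return "accept" if score == 0 else "accept_with_review"


# RFC 6238 test secret; a real deployment provisions a random per-taxpayer secret.
SECRET = b"12345678901234567890"
PROFILE = TaxpayerProfile({"dev-home-laptop"}, {"203.0.113"}, SECRET)

# Constructed scenarios. The careful attacker has the stolen challenge answers,
# replays a spoofed device ID and a source address on the victim's usual network,
# and paces the bot so it looks human; the legitimate filer is on a new laptop
# at a relative's house.
ATTACKER_SPOOFED = FilingSession("dev-home-laptop", "203.0.113.42", 600, True)
ATTACKER_LAZY_BOT = FilingSession("bot-7f3a", "192.0.2.9", 20, True)
LEGIT_NEW_LAPTOP = FilingSession("dev-new-laptop", "198.51.100.7", 1800, True)

if __name__ == "__main__":
    now = 59   # RFC 6238 test time; the expected 6-digit code is 287082
    print("soft only, careful attacker:", soft_only_policy(ATTACKER_SPOOFED, PROFILE))
    print("layered, careful attacker:  ", layered_policy(ATTACKER_SPOOFED, PROFILE, "000000", now))
    print("layered, legitimate filer:  ", layered_policy(LEGIT_NEW_LAPTOP, PROFILE, totp(SECRET, now), now))
```

The soft-only policy waves the careful attacker through and flags the honest taxpayer for review, which is the false-positive problem above in miniature; the layered policy stops the attacker on the factor the stolen data cannot supply, and lets the honest taxpayer file while still holding the refund for a look.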