Taxpayer First Act: Improving identity verification and modernizing the IRS

Reducing costs and efficiently serving customers online is an objective of most organizations. This is also true for most federal agencies, but since the first website was created, federal agencies have faced the constant challenge of verifying the identities of their online users. Large-scale breaches have put citizens’ personally identifiable information (PII) up for sale on the dark web, increasing the challenges of identity verification. How can you be certain who is accessing a website and transacting business?  

Identity verification and the GAO reports

In June 2018, the Government Accountability Office (GAO) published a report entitled, “Identity Theft – IRS Needs to Strengthen Taxpayer Authentication Efforts”. As noted in the report, “In May 2015, [the] IRS temporarily suspended its Get Transcript service after fraudsters used personal information obtained from sources outside IRS to pose as legitimate taxpayers and access tax return information from up to 724,000 accounts.” This breach is highlighted by GAO along with the 2015 Office of Personnel Management (OPM) breach that affected over 22 million current and former employees and contractors as well as the 2018 Equifax breach that affected 145 million Americans.

GAO also highlighted that the IRS estimates there were attempts to steal at least $12.2 billion through identity theft (IDT) tax refund fraud in 2016. However, it estimates that it prevented the theft of at least $10.5 billion of that amount. That means that at least $1.6 billion was paid out to fraudsters. I’ll repeat, $1.6 billion in taxpayer dollars paid to criminals.  

The sheer volume of PII available to fraudsters warrants alternative approaches to the common practices of verifying identities online. Knowledge-based verification (KBV) typically challenges online users with questions from their credit report that only they should know. Today, there is a strong likelihood that fraudsters know that information, too.

Challenges in verifying identities securely are not limited to the IRS. The reality is that most federal agencies do not have high confidence in the identities of the persons interacting with them online. This garnered the attention of Congress, which tasked GAO with examining the online identity verification processes deployed at six federal agencies that routinely interact with citizens online: the Centers for Medicare and Medicaid Services (CMS), the General Services Administration (GSA), the IRS, the SSA, the USPS and the Department of Veterans Affairs (VA).

Some agencies not moving off knowledge-based verification

In May 2019, GAO released “Data Protection – Federal Agencies Need to Strengthen Online Identity Verification Processes.” The good news is that some agencies, including the IRS, no longer rely exclusively on KBV; surprisingly, others, including CMS, have no plans to move away from it. GAO reported that, “Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.”


About the Author

Katherine Hearn

IT Strategy, Planning, and Business Operations Intern

Katherine is a 2019 IT Intern on the Strategy, Planning, and Business Operations team at Symantec. She studies at Cal Poly, San Luis Obispo, majors in Business Administration, and concentrates in finance. She aspires to one day be the CFO of a tech company.

Symantec Mobile Threat Defense: Stop Relying on Delayed and Invasive Protection Actions

On-demand VPN tunneling, blocking access to corporate resources, quarantining risky apps, and several other advanced protection actions are the subject of a new Symantec white paper that highlights which protections organizations can leverage to get the most value from their Mobile Threat Defense (MTD) solution. The paper argues that the most effective form of MTD today includes advanced actions that are:

  • On-device: This allows them to be faster and provides constant protection, even when devices are disconnected from the Internet.
  • Real-time: They can proactively thwart attacks, immediately and automatically when a threat is detected.
  • Smart: They target the exact threat without impacting other resources or processes on a device; and they are activated on-demand (and turned off when not necessary).

As in a castle-and-jail security approach, many advanced protection actions can be used to either isolate (jail) threats on a device so they don’t persist and harm other resources, or to protect (castle) sensitive corporate resources from breaches or leakage. This approach helps organizations achieve a balance between security and productivity needs, something that has been challenging in a mobile security ecosystem that, as mentioned, has been largely confined by mobile OS structures.

Compared to the limited, reactive, and invasive actions utilized by most MTD solutions, advanced protection actions proactively and instantly defend against a broad range of mobile threats, from malicious apps and mobile phishing, to risky networks and MiTM attacks. They can protect corporate data without sacrificing user productivity and privacy, and without requiring an Internet connection. As shown in our example, advanced protection actions can also be layered, enabling organizations to effectively adapt their MTD to their security and privacy policies.