There was some good news and some bad for taxpayers at Tuesday’s Senate Finance Committee hearing on Cybersecurity and Protecting Taxpayer Information just days away from this year’s tax filing deadline on April 18.
On the plus side, IRS Commissioner John Koskinen testified that the tax-collecting agency had stopped identity thieves from filing 1.4 million fake returns and collecting $8.7 billion in fraudulent refunds, and that number may even be higher. A report from the Government Accountability Office presented at the hearing said the IRS had estimated $22.5 billion in refunds from fake returns were thwarted, but that an estimated $3.1 billion in fake refunds were paid out by the agency.
“The reality is criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” said IRS Commissioner John Koskinen. “To fully protect taxpayers and the tax system, the IRS must not only keep pace with, but also get ahead of, criminals and criminal organizations, as they improve their efforts to obtain personal taxpayer information.”
And that has not necessarily happened.
Russell George, Treasury Inspector General for the Tax Administration (TIGTA) at the U.S.Treasury testified that “IRS processes and procedures to authenticate individuals requesting online access to IRS services” don’t always comply with government standards.
Authentication for users of its Get Transcript application, which allows taxpayers to request copies of old tax returns of users, and for its Identity Protection personal ID numbers (IP PIN), for example, required only single-factor authentication, such as a single password, when government standards require multifactor authentication for such high-risk applications, said George. And even the single-factor framework didn’t comply with government standards, he said.
As a result, hackers obtained access to an estimated 334,000 taxpayer accounts, according to the IRS, but George said an additional 390,000 accounts were hacked. The agency suspended Get Transcript but reactivated the use of IP PIN earlier this year even after TIGTA recommended against that before suspending it in March.