To meet new threats, IRS might need an old tool

In the wake of a massive breach, the IRS says it can stay one step ahead with more money -- and a special hiring authority.


The bad news: In the age of Facebook, Google and widespread data breaches, your personal information cannot be kept safe.

The better news: If they get the right people, the IRS says it can try to stay one step ahead of hackers.

In a pair of hearings on Capitol Hill on the heels of a breach involving roughly 104,500 taxpayers, the Senate Finance and Homeland Security and Governmental Affairs committees heard IRS Commissioner John Koskinen extol the merits of streamlined critical pay, even as he and others admitted there is no “silver bullet” to protect data.

Scope of breach

Koskinen offered a breakdown of the 104,500 figure:

  • 35,000 of the affected taxpayers had already filed 2014 income tax returns, meaning their most recent refunds were safe but they could face future problems.
  • For another 33,000 cases of stolen info, there simply is no tax return for the past year (some of the SSNs, for instance, are associated with children).
  • 23,500 unsuccessful, probably fraudulent returns.
  • 13,000 suspect returns filed and $39 million in refunds issued.

“It’s not 104,000 new stolen identities,” he noted, stressing that the personal information of the affected taxpayers had apparently been compromised prior to the IRS breach — personal information is how hackers got through the IRS’s knowledge-based authentication system, after all.

Hackers breaking into the “Get Transcript” application had to answer four multiple-choice questions, the answers for which were easily Googleable.

Making matters worse, the IRS’s second factor of authentication was an email — sent to the email address the fraudster had just supplied.

The IRS wasn’t checking to ensure that the same email address wasn’t used for multiple taxpayer accounts.

“They didn’t have to be [separate emails],” said IRS CTO Terry Millholland. “That’s one of the design flaws.”

Fraudulent pulls only became clearly visible to the IRS -- “shrouded” as they had been in the “huge volume” of legitimate “Get Transcript” requests -- when tax-filing season ended but hackers continued making large numbers of transcript requests as legitimate taxpayers stopped making them.
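The missing check Millholland describes, one email address tied to many taxpayer accounts, can be enforced at enrollment and audited after the fact. The sketch below is an added example, not IRS code; the account IDs, addresses, the one-account limit and the "+tag" normalization are all assumptions made for illustration.

```python
from collections import defaultdict

def normalize_email(addr: str) -> str:
    """Canonical form for comparison: trimmed, lowercased, '+tag' dropped.
    Dropping '+tag' is an assumption; not every mail provider treats it as an alias."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local.split('+', 1)[0]}@{domain}"

class EmailBindingIndex:
    """Tracks which accounts each email address has been bound to."""

    def __init__(self, max_accounts_per_email: int = 1):
        self.max_accounts = max_accounts_per_email
        self._accounts = defaultdict(set)

    def try_bind(self, account_id: str, email: str) -> bool:
        """Enrollment-time gate: refuse an address already at its account limit."""
        bound = self._accounts[normalize_email(email)]
        if account_id not in bound and len(bound) >= self.max_accounts:
            return False  # caller should route this request to manual review
        bound.add(account_id)
        return True

def audit_shared_emails(records, max_accounts_per_email: int = 1):
    """Retrospective check over (account_id, email) pairs already on file.
    Returns {normalized_email: [account_ids]} for addresses over the limit."""
    seen = defaultdict(set)
    for account_id, email in records:
        seen[normalize_email(email)].add(account_id)
    return {e: sorted(a) for e, a in seen.items()
            if len(a) > max_accounts_per_email}

# Constructed sample records (hypothetical account IDs and addresses).
SAMPLE = [
    ("acct-1001", "pat@example.org"),
    ("acct-1002", "Drop.Box@example.net"),
    ("acct-1003", "drop.box+7@example.net"),
    ("acct-1004", "drop.box@EXAMPLE.net "),
    ("acct-1001", "pat@example.org"),  # same account asking again: not reuse
]

if __name__ == "__main__":
    for email, accounts in audit_shared_emails(SAMPLE).items():
        print(f"{email} is bound to {len(accounts)} accounts: {accounts}")
```

The per-address limit is a policy choice: households that legitimately share one mailbox argue for a small limit above one plus review, rather than a hard block.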

Lots of fixes, none of them perfect

An IP PIN?

It’s great “as long as you don’t lose it,” Koskinen said.

IRS Identity Protection Personal Identification Numbers are available only to identity theft victims and residents of Florida, Georgia and D.C., though as another piece of identifying info, they could help cut down on fraud.

But the IRS can’t just start offering them willy-nilly, Koskinen said, because they’d be one more piece of complexity and citizens might question why “big brother” needs another piece of data on them.

Even if IP PINs were only offered to people who wanted them, that could pose a problem.

“If you give PINs to 50 million people and half of them lose them, [the ensuing chaos] would create lots of background noise” as the IRS wrangled replacement PINs, Koskinen noted.

Koskinen also advocated limiting the number of companies producing W-2 forms, to make it easier for the IRS to detect sketchy forms, and masking Social Security numbers on those forms to help protect data.

Sen. Johnny Isakson (R-Ga.) suggested eliminating the personal income tax altogether, replacing it with a national sales tax, which Koskinen had to agree would, “by definition,” kill the threat that personal information is stolen from the IRS.

Streamlined critical pay

Assuming his agency continues to exist, however, Koskinen said what the IRS needs most is talent.

Restoring the IRS’s streamlined critical pay authority -- a special category that the agency can use to fill posts that "require expertise of an extremely high level" and "are critical to the Internal Revenue Service’s successful accomplishment of an important mission" -- could prove crucial in the fight to keep taxpayer information safe.

Koskinen estimated implementing streamlined critical pay would cost the government between $400,000 and $500,000, in the form of hiring a handful of highly qualified tech people.

Those 30 or so hires could help the IRS combat tens of millions of dollars’ worth of fraud, Koskinen and Treasury Inspector General for Tax Administration Russell George said.

George wouldn’t give an overall savings dollar figure when prompted, but he affirmed that the streamlined critical pay program at the IRS seemed to have been a well-managed program until its expiration in September 2013.

While the authority would enable the IRS to pay more, Koskinen said that money isn’t always the issue with tech talent.

Many highly skilled individuals simply don’t want to go through the government’s months-long hiring process, and streamlined critical pay authority would enable the IRS to bypass that for top tech talent.

“We can find somebody, make them an offer, they accept it and we start immediately,” Koskinen said, noting that many key roles at the IRS — including CTO Millholland’s — are currently filled by people hired under the prior special authority.

A never-ending battle

Fraud will never disappear, and as personal data becomes ever-less private, the old methods of security just won’t fly.

Two-factor identification seems a likely wave of the future.

“Perhaps use of biometrics, perhaps Connect.gov,” speculated Millholland.

And as the struggle to stay ahead of hackers continues, the familiar debate over IRS funding will continue as well.

Koskinen stressed that he did not want to make the hearings “a budget issue,” though he noted the IRS’s budget has been trimmed in recent years.

On the other hand, as he heard the IRS had not implemented a number of inspector general suggestions, Sen. Tim Scott (R-S.C.) was struck by the same thought that has occurred to government watchdogs.

“These do not sound like resource issues, these sound like management issues,” he said.

“I agree, sir,” said George. “I agree.”
