Reducing costs and efficiently serving customers online is an objective of most organizations. This is also true for most federal agencies, but since the first website was created, federal agencies have faced the constant challenge of verifying the identities of their online users. Large-scale breaches have put citizens’ personally identifiable information (PII) up for sale on the dark web, increasing the challenges of identity verification. How can you be certain who is accessing a website and transacting business?
Identity verification and the GAO reports
In June 2018, the Government Accountability Office (GAO) published a report entitled, “Identity Theft - IRS Needs to Strengthen Taxpayer Authentication Efforts”. As noted in the report, “In May 2015, [the] IRS temporarily suspended its Get Transcript service after fraudsters used personal information obtained from sources outside IRS to pose as legitimate taxpayers and access tax return information from up to 724,000 accounts.” This breach is highlighted by GAO along with the 2015 Office of Personnel Management (OPM) breach that affected over 22 million current and former employees and contractors as well as the 2018 Equifax breach that affected 145 million Americans.
GAO also highlighted that the IRS estimates there were attempts to steal at least $12.2 billion through identity theft (IDT) tax refund fraud in 2016. However, it estimates that it prevented the theft of at least $10.5 billion of that amount. That means that at least $1.6 billion was paid out to fraudsters. I’ll repeat, $1.6 billion in taxpayer dollars paid to criminals.
The sheer volume of PII available to fraudsters warrants alternative approaches to the common practices of verifying identities online. Knowledge-based verification (KBV) typically challenges online users with questions from their credit report that only they should know. Today, there is a strong likelihood that fraudsters know that information, too.
Challenges in verifying identities securely are not limited to the IRS. The reality is most federal agencies do not have high confidence in the persons interfacing with them online. This garnered the attention of Congress and tasked GAO to examine online identity verification processes deployed at six federal agencies that routinely interface with citizens online, including the Centers for Medicare and Medicaid Services (CMS), General Services Administration (GSA), IRS, SSA, USPS and the Department of Veterans Affairs (VA).
Some agencies not moving off knowledge-based verification
In May 2019, GAO released “Data Protection - Federal Agencies Need to Strengthen Online Identity Verification Processes.” The good news is that some, including the IRS, no longer exclusively rely on KBV, while surprisingly, others including CMS have no plans to move on. GAO reported that, “Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.”
As I read the report, I thought of how we can legally open a bank account and even apply for a mortgage using our mobile phones. The argument regarding the viability of mobile device verification held a lot more water a few years ago than it does now. It is true that not every American possesses a smartphone. Sad to say, not every American has running water or electricity, either. However, doesn’t it make sense to solve a problem to meet the needs of the overwhelming majority of Americans – and develop alternative solutions for the remainder?
According to the Pew Research Center, 81% of Americans own a smartphone. This follows the 80/20 rule almost exactly. It is unfortunate that a federal agency hosting vulnerable PII on American citizens will not deploy better identity verification technologies and processes, because 19% of Americans don’t have a smartphone.
Modernizing the IRS and the Taxpayer First Act
On July 1, 2019, the Taxpayer First Act (H.R. 1957) was signed into law. The Act modernizes the IRS in several key areas including its:
- Organizational structure
- Enforcement procedures
- Customer service
- Management of information technology
- Cybersecurity and identity protection
- Use of electronic systems
The Act also includes technological provisions including establishing requirements for cybersecurity and identity protection, providing notification to taxpayers of suspected identity theft, expanding electronic filing of tax returns, adopting uniform standards, and procedures for accepting electronic signature technology.
As the IRS modernizes how it does business by driving more activity to the web, it is imperative that there is high confidence that the person logging in is who they claim they are, regardless of whether they are in the role of a tax professional or taxpayer.
In regards to tackling potential fraud under the Act (including identity theft refund fraud), by January 1, 2020, the Secretary of the Treasury “shall verify the identity of any individual (tax professionals) opening an e-Services account with the Internal Revenue Service before such individual is able to use the e-Services tools”. Although the law does not specify how identity verification shall be performed, I suspect it will follow the updated path of the “Get Transcript” service.
The May 2019 GAO report details the IRS’s revamped identity verification process for Get Transcript:
“The individual submits a phone number, which IRS verifies through a CRA [credit rating agency] that checks phone company records to determine whether the phone number belongs to the individual. The IRS then confirms possession of that phone number by sending a one-time PIN via a text message. The individual then enters the PIN into the Get Transcript application. For individuals who cannot be verified this way, IRS attempts to confirm the individual’s street address by sending the confirmation PIN via postal mail.”
Sending SMS text messages can be quite expensive, especially for an agency with over 250 million potential users. From a security and potential cost savings standpoint, having a verified user use an official, shielded IRS mobile application to generate and access a one-time PIN during an encrypted session would be an enhancement to the current process.
To expand electronic filing of tax returns, the Act directs the Secretary of Treasury to publish guidance to establish uniform standards and procedures for the acceptance of taxpayers’ e-signatures. This includes any request for a disclosure of the user’s tax return, return information sent to a practitioner, as well as any power of attorney granted to a practitioner by the taxpayer.
When it comes to tax returns, in addition to the person’s identity being verified, document integrity is of the utmost importance. I expect that a digital signature and tamper-seal be applied after each individual e-signs, since tax returns are often signed by multiple parties – and it is critical to be able detect if changes were made between signers.
Additionally, the IRS should be armed with a robust audit trail of the entire signing event, should a return be deemed suspicious and warrant further investigation. A thorough audit trail should have the capability to reproduce each and every screen presented to the user, as well as all legal disclosures and documents that were presented, and how long the signing parties took at each step.
Expanding to other agencies
Implementing strong authentication is critical for the federal government to secure and extend e-government services. As the IRS implements the provisions in the Act, other agencies have already begun to strengthen their identity verification and authentication processes as they modernize services for external users.
In a June 2019 webinar hosted by the FIDO Alliance, the GSA discussed their recently added support for the FIDO’s FIDO2 authentication standard for its login.gov portal, which will enable near frictionless strong authentication for users to securely access and transact with supporting federal agencies.
The GSA noted that they are evaluating an enhanced remote identity proofing process for login.gov which other agencies could leverage. To register for a login.gov account, the applicant (user) would take a picture of a government-issued ID such as a driver license. The driver license is checked to verify the authenticity of the document itself. That would include a record check with the state DMV to verify that ID is valid and the number on the ID matches the information displayed on the ID. The person’s address would be checked after using the USPS’s database.
This process has been embraced by the banking industry for digital account opening combined with electronic signatures to sign required forms, thereby negating the need for customers to travel to a branch while reducing costs. It is exciting to see that the federal government is utilizing what is working in the private sector while reducing reliance on PII that fraudsters can easily obtain on the dark web.
Disclosure: My employer, OneSpan is a provider of identity verification, authentication, mobile application security and electronic signature solutions. I also serve as co-chair of the FIDO Alliance’s Government Deployment Working Group and represent OneSpan on the board of directors of the Electronic Signature and Records Association.