In 2016, criminals stole $1.6 billion from the Internal Revenue Service (IRS) by using false identities to claim fraudulent tax refunds, according to IRS estimates. In a report released today, the Government Accountability Office (GAO) zeroes in on IRS’ authentication efforts as a way to reduce fraud and save tax payer dollars, and offers 11 recommendations for IRS consideration.
Authenticating taxpayer identities is a multi-channel effort at the IRS, with identities being authenticated via telephone, online, in person, and through mail correspondence. According to the
GAO report, IRS has identified more than 100 interactions requiring taxpayer authentication based on potential risks to IRS and individuals. Authentication doesn’t come cheap, either. For an agency that authenticates millions of taxpayer identities each year, IRS pays between 20 cents to $89 per authentication, depending on the channel – making reliable and cost-effective authentication not only important from a cybersecurity perspective but also a financial one.
GAO found that IRS is strengthening its authentication efforts, although it still has more to do.
“IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts,” the report says. “However, it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices.”
Identifying resources needed to complete initiatives is essential because it would, “help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits.”
Additionally, while GAO lauded the IRS’ efforts to regularly assess risks to and monitor its online authentication applications, it lamented that the IRS hasn’t established equally rigorous internal controls for telephone, in-person, and correspondence communication channels. While online is obviously the most popular way of communicating with the IRS, based on the chart above, the IRS still authenticates more than 10 million identities via correspondence and telephone channels alone. Because the IRS doesn’t have a mechanism to collect data and monitor authentication outcomes for more non-online channels, GAO says the IRS may not identify current or emerging threats to the tax system.
The report also discusses how the IRS can stay further ahead of fraudsters and raises concerns that IRS won’t be able to meet government timelines for improving its authentication efforts.
“While IRS has taken preliminary steps to implement National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication, it does not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget,” the report explains. “As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner.”
When it comes to adopting new technologies, it’s not just a plug-and-play process. Rather, IRS needs to carefully evaluate which technologies best meet its mission goals and budget, the government watchdog said.
GAO reports that IRS lacks a “comprehensive process” to evaluate potential authentication solutions and services, and turned to industry representatives, financial institutions, and government officials for guidance on how the IRS should approach adopting new technologies and what to look for in authentication solutions. GAO reports that “that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity.”
GAO offered 11 recommendations to the IRS, including generating an estimate of resources required to complete authentication initiatives, establishing a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, developing a plan to make IRS systems consistent with NIST guidance, and creating a process to identify and evaluate new authentication technologies. GAO reports that IRS agreed with its recommendations and is taking action to address all recommendations.
