Skip to main content.

Can the Identity Ecosystem Help Reduce Identity Fraud at the IRS.....and Everywhere Else?

Inadequate methods of online identification and authentication have given rise to many instances of data breaches and other kinds of identity-related fraud. A recent example comes from the Internal Revenue Service (IRS). It’s been well-publicized that fraudulent tax returns claiming unwarranted tax refunds have been plaguing the IRS. Since all that’s required to file a bogus tax return and get that refund is a Social Security number (SSN) and self-reported personal information, it’s not surprising that this would happen. In addition, there’s the massive 2015 breach of over 700,000 taxpayer accounts that resulted because the IRS used Knowledge Based Authentication (KBA) to verify the identities of persons seeking access to those accounts. The KBA used by IRS was based on knowledge of personally identifiable information such as birthdates, SSNs, and street addresses. Such information is not hard to come by, given the frequent incidences of data breaches from corporate and government databases, as well as the use of social media that provides another avenue for disclosing personal information. Most disconcerting is that this kind of information is also available for purchase online.

The Root of the Problem

The root of this identity impersonation problem is the widespread use of personally identifiable information to authenticate someone’s identity. It may seem obvious, but just because someone happens to know your name, address, birth date and SSN doesn’t mean that person is you. The problem is that knowing this kind of personal information is exactly what’s used to verify people’s identities in far too many circumstances. The IRS, as well as other service providers, cannot assume that a person who can provide personal information about someone is necessarily that someone. The solution to identity impersonation is not just to prevent data breaches, but to focus on better ways of authenticating people’s identities, so that stolen personal information alone can’t be used for impersonation.

Can An Identity Ecosystem Help Reduce Fraud?

In July 2013, the National Institute of Standards and Technology (NIST) released the results of a study to estimate and compare the benefits and costs of deploying a proprietary identity management system versus an NSTIC[1]-aligned system within the IRS that could be used by individuals for identity verification when filing taxes and other purposes. That study (Economic Case Study: The Impact of NSTIC on the Internal Revenue Service) showed a cost benefit of an NSTIC-aligned solution over a proprietary solution of between $40M and $111M in upfront costs, and between $2M and $19M per year in ongoing costs. However, neither the proprietary nor NSTIC solution was determined to actually reduce the estimated $5B per year in losses that the IRS suffers as a result of identity fraud.

The report notes that identity fraud happens within the context of filing a tax return when an identity thief files a fraudulent tax return using someone else’s SSN, which acts as a Taxpayer Identification Number. If the thief files a tax return using a stolen SSN before the legitimate owner of that SSN files, the IRS will accept the bogus return and reject the legitimate return when it is eventually filed. In other words, the first tax return filed using a particular SSN is assumed to be legitimate, even if it uses a stolen SSN. 

As the report notes, any identity management system adopted by IRS for use by taxpayers will be voluntary, at least in the near-term. Taxpayers may choose to use it when filing an electronic tax return, or for other interactions with the IRS. Assuming that such an identity system does a good job of verifying people’s identities (and their SSNs) prior to issuing them credentials, the IRS would then have reasonable assurance that an electronic tax return is legitimate if it is filed by someone using said credential. But even if a taxpayer voluntarily chooses to use this credentialing system, it still will not prevent fraud if an identity thief files first, using the taxpayer’s stolen SSN. The system also does not provide assurance of identity if the taxpayer chooses to file on paper instead. The upshot is that while the IRS may be able to authenticate the tax returns of those voluntarily adopting NSTIC-aligned (or IRS proprietary) credentials, users of those credentials aren’t themselves protected against being impersonated by an identity thief who files first using stolen information.

Can An Identity Ecosystem Help Prevent Impersonation of Individuals?

This exposes a potential misalignment in the motivations for using an identity ecosystem. From the IRS point of view, the goal is to reduce overall fraud levels, which presumably will occur if the identity ecosystem provides the relying party (in this case, the IRS) with high assurance that it knows the identities of those filing tax returns. Achieving that goal will depend on widespread voluntary adoption and use of identity credentials. But as an individual taxpayer, I’m not nearly as concerned about helping IRS to reduce their fraud levels as I am in preventing myself from becoming a victim of impersonation. It’s therefore not unreasonable to expect that a voluntary identity ecosystem should also provide protections against impersonation to people who opt in.

The NSTIC itself addresses several motivations for adoption and use of an identity ecosystem.  These motivations tend to focus on convenience, security, and ease-of-use of NSTIC-aligned credentials.  And of course there’s the potential that consumers will be able to enjoy new and better online services if NSTIC engenders greater trust in online transactions. But no identity credentials are required today in order to file tax returns. So voluntary adoption of something not now required when filing a tax return, namely the use of some form of identity credential, must address additional concerns that individuals may have. What might those be?

As a result of the constant barrage of news about data breaches, people are realizing that their stolen personal information puts them at risk of becoming victims of identity fraud. Credit bureaus are only too happy to provide credit monitoring services to help deal with this risk. But putting the burden on individuals to monitor their credit reports does not prevent this problem. It may well turn out that one of the prime motivators for individuals to adopt and use NSTIC-aligned credentials for filing tax returns, as well as for other kinds of high risk transactions, will hinge on their ability to provide individuals with heightened assurance against becoming victims of identity impersonation. But that can only happen if the identity ecosystem is designed with this in mind.

To help prevent an imposter from filing a tax return using someone else’s identity, the NIST report suggests that “adopting strong authentication solutions may make this type of identity theft and fraud more difficult online, especially if the taxpayer has the option to only allow tax filing with strong credentials.” The report appears to recognize that, in order to prevent someone who opts into an identity management system (whether IRS proprietary or NSTIC-aligned) from becoming a victim of impersonation, there needs to be a way for such people to say to the IRS, “Hey, don’t let anyone file a tax return using my SSN unless you first authenticate the return by means of my credential.”

Authentication of SSN Ownership on Tax Returns

The easiest way to do this in the near-term is probably for taxpayers to obtain a password or PIN that’s associated with their Social Security Number.  A tax return could be authenticated by requiring the PIN or password when submitting a tax return electronically, or entered on paper tax forms when filing on paper.  But relying only on PINs and passwords provides weak security against impersonation.   And as an individual taxpayer and consumer, I don’t just want to be protected from impersonation at the IRS, but in other kinds of online transactions as well.  Asking taxpayers to opt into a proprietary identity system just for the IRS seems impractical.

What seems most reasonable is an NSTIC-aligned identity ecosystem that not only allows people to authenticate to service providers using some kind of interoperable credential(s), but that also provides individuals with some degree of assurance against impersonation by those attempting to claim their identities using stolen identity information.  Instead of passwords, such an identity ecosystem could take advantage of advances in strong authentication implementations that are being made by the FIDO Alliance.   Instead of a password associated with my SSN, what if I could have a cryptographic public / private key pair associated with my SSN, and provisioned on an electronic device I own?   So anyone who wants to use my SSN for any reason, including filing a tax return, would need to authenticate the use of that SSN with the private key resident on my device. 

As long as participation in an identity ecosystem remains voluntary, which is one of the guiding principles of NSTIC, the ability to protect one’s SSN (and identity) against fraudulent use by imposters would require some way for the identity ecosystem to recognize whether personally identifiable information such as a SSN is being used by someone to assert the identity of a person who possesses an NSTIC-aligned credential.  If so, that someone would have to authenticate ownership of that SSN before it could be accepted as a legitimate identifier.

What Additional Functionality Is Needed To Prevent Impersonation?

At this time, the Identity Ecosystem Framework version 1.0 specifies some of the functionality needed to provide assurance against impersonation. As we look forward to specifying future versions of IDEG, additional functionality would include    

Near-Term vs Long-Term Solutions

What’s described here might be considered a near-term solution to the problem of impersonation. It assumes that relying parties such as IRS will not require high assurance identity authentication of people filing tax returns, and that tax returns using only self-asserted personally identifiable information will still be accepted. Only those people who voluntarily take steps to participate in a properly-designed identity ecosystem will be protected from impersonation.  If taxpayers can choose to have their SSNs “protected” by opting into an identity ecosystem and having that SSN associated with some sort of authentication token, a near-term solution might look like this:
  1. IRS receives tax return and checks to see if the SSN on the return is protected.
  2. If not protected, process return as usual.
  3. If SSN is protected, request authentication of SSN using the appropriate authentication token, whether a password or PIN, or cryptographic private key
  4. If authentication fails (such as due to fraud), tax return is rejected and taxpayer is notified.

Since many people file their taxes electronically, using commercially available software, it would be advantageous if a public / private key pair associated with a person’s SSN, as advocated here, could be more closely integrated into electronic tax software.  So a longer-term solution would allow a taxpayer who files electronically to cryptographically sign the tax return with a private key associated with their SSN.  Of course, the IRS would still need to check the SSNs on each return it receives to ensure that those SSNs that have opted into the identity ecosystem are properly authenticated by means of a digital signature.

[1] NSTIC, the National Strategy for Trusted Identities in Cyberspace, was issued by the federal government in 2011 to provide a vision of an online identity ecosystem that would make online identity and authentication more usable, more secure, and more trustworthy than current methods.

September 2016
[Click here to download a pdf of this article.]