Wednesday, June 8, 2016

IRS levels up consumer security: the good, the bad, and the ugly

On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.

The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.

But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. And guess what information is required to prove your identity? The same information that may have already been stolen in the past.

The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.


What should you do?


Go to irs.gov right away and set up your online access, before a crook does it for you. Go to irs.gov, click the link to Get a Tax Transcript, and select Get Transcript Online.


What's the catch?


Well, there are a few catches. To begin with, if you had set up an account prior to the service being disabled last year, you might expect to be able to re-activate your account. And in fact, the online form does have a "returning users" option:


Ah, if only it were that simple. I entered the username I know I used before, and:


Oh bother. My previous username is not recognized. Let's try the Forgot Username link...


No problem, right?


That seemed easy. Too easy. I'm still waiting. I repeated this a few times, and 12 hours later, I have yet to receive any email. Yes, I checked my spam folder. Grr.

OK, so let's register as a first time user.


I can do this.


No problem.


Well, this leaves out young tax filers that don't yet have any debt, as well as die-hard Dave Ramsey followers, but for the rest of us it works...


This makes sense... although there's no check to ensure the phone number actually belongs to me.


Lovely. A plus sign is a perfectly acceptable character in an email address - and Gmail in particular gives it a very handy purpose. I can use my real email address (let's call it [email protected]), and add +anything, and it still comes to me.

This is handy for creating mail filing rules, and as a security professional it has a different use. If I diligently use this everywhere ([email protected], [email protected], etc.), then when I receive unexpected spam email, I know where the spammer got my address from. Bother.
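The plus-addressing practice described above, as an added example that is not part of the original post and is not the IRS's code: a hypothetical over-strict form check that rejects the plus sign beside one that accepts it, with helpers that build a per-site alias and count which tags show up on unexpected mail. All patterns, function names and addresses are constructed for illustration.

```javascript
// Added illustration: constructed patterns, names and addresses; not from any real site.

// Hypothetical over-strict form check: "+" is missing from the local part.
const STRICT = /^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

// Unquoted local-part characters permitted by RFC 5322 ("atext"); dots may
// only separate non-empty atoms.
const ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+";
const PERMISSIVE = new RegExp(
  `^${ATEXT}(?:\\.${ATEXT})*@[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)+$`
);

function isValidStrict(addr) { return STRICT.test(addr); }
function isValidPermissive(addr) {
  return addr.length <= 254 && PERMISSIVE.test(addr);
}

// Build a per-site alias, e.g. ("alice@example.com", "irs").
function taggedAddress(base, tag) {
  const at = base.lastIndexOf("@");
  if (at < 1 || !/^[A-Za-z0-9._-]+$/.test(tag)) {
    throw new Error("bad base address or tag");
  }
  return `${base.slice(0, at)}+${tag}${base.slice(at)}`;
}

// Split a recipient address into its base address and tag (null if untagged).
function splitTag(addr) {
  const at = addr.lastIndexOf("@");
  const local = addr.slice(0, Math.max(at, 0));
  const plus = local.indexOf("+");
  if (at < 1 || plus < 1) return { base: addr.toLowerCase(), tag: null };
  const base = (local.slice(0, plus) + addr.slice(at)).toLowerCase();
  return { base, tag: local.slice(plus + 1) };
}

// Count which tags appear on unexpected mail addressed to myBase.
function leakSources(recipients, myBase) {
  const counts = {};
  for (const r of recipients) {
    const { base, tag } = splitTag(r);
    if (base !== myBase.toLowerCase()) continue;
    const key = tag === null ? "(untagged)" : tag;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```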

OK, so let's try again, using just my base email ([email protected], for example).


At this point I may have let a few unprofessional words slip out.

I'm sensing a glitch whereby accounts set up before the IRS shut down online access last year are now in a state of limbo. You cannot retrieve the existing account, but you cannot register a new account using the same email address. I have a few domains that I control, to which I can add email aliases at will ... for most people though, this is going to prove a real pain in the rear end.

Nonetheless, I set up an email alias for this purpose, and repeated the process:


OK, progress. Enter the code from my email, and:


Let's see ... I need my name. My date of birth. My social security number. My mailing address. The filing status for my most recent tax return. Most of these are not hard to come by; I assume by now that everyone's social security number has been stolen at least twice, and I can guess with a pretty good degree of confidence the filing status for most people.


OK ... this is slightly more difficult for a random adversary to obtain. Not impossible, but it takes a more targeted attack.

Just for kicks, I used a credit card number that I know to be compromised - and that I canceled a few months ago. It didn't work. Whatever database the IRS is using to verify identity, it is at least reasonably current - kudos for that.


Upon providing a phone number that can receive text messages, I get a one-time code and can successfully complete my account setup.


What's the verdict?


Setting up two-factor authentication to protect access to your information at the IRS is a royal pain, but it can be done.


The good:

  • Two-factor authentication means that a tax fraudster or identity thief cannot access your account unless they both know your password and have a way to steal a text message from your mobile device.
  • The database of financial records the IRS is using for authentication is reasonably current: a crook can't use an old, canceled account to prove they are you.

The bad:

  • Setting up two-factor authentication requires personal information that may have already been stolen. If a criminal re-establishes your account first, in the eyes of the IRS, they are you.

The ugly:

  • If you signed up for online IRS services in the past, it's a royal pain to re-register since you cannot re-activate the existing account, and you cannot reuse the same email address.