Identity Theft: Strengthening Taxpayer Authentication Efforts Could Help Protect IRS Against Fraudsters
Fast Facts
IRS estimated that criminals used stolen identities to try to claim $12.2 billion in refunds in 2016. IRS protected $10.5 billion but paid at least $1.6 billion. To help address this issue, which we added to our High Risk list in 2015, IRS checks whether millions of taxpayers are who they say they are.
We testified that IRS has improved its taxpayer authentication efforts, but should take additional actions to stay ahead of fraudsters.
In our related report, we made 11 recommendations, including that IRS prioritize its authentication initiatives and develop a process to evaluate potential authentication technologies.
Photo of a person at a computer screen looking at a page on IRS.gov and holding a Social Security card and other forms of ID.
Highlights
What GAO Found
The Internal Revenue Service (IRS) has identified over 100 interactions requiring taxpayer authentication based on potential risks to IRS and individuals. IRS authenticates millions of taxpayers each year via telephone, online, in person, and correspondence to ensure that it is interacting with legitimate taxpayers. IRS's estimated costs to authenticate taxpayers vary by channel.
Taxpayers Authenticated for Selected IRS Programs, 2017
Notes: Numbers are rounded to the nearest hundred and represent successful authentications. Cost information is rounded to the nearest dollar unless otherwise noted. Data are for IRS's Taxpayer Protection Program, Get Transcript, Identity Protection Personal Identification Number, and taxpayer online accounts.
IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts. However, it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices. Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits. Further, while IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person, and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes. As a result, IRS may not identify current or emerging threats to the tax system.
IRS can further strengthen authentication to stay ahead of fraudsters. While IRS has taken preliminary steps to implement National Institute of Standards and Technology's (NIST) new guidance for secure digital authentication, it does not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget. As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. Further, IRS lacks a comprehensive process to evaluate potential new authentication technologies. Industry representatives, financial institutions, and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.
Why GAO Did This Study
This testimony summarizes the information contained in GAO's June 2018 report, entitled Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts (GAO-18-418).
For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.