It’s Not You, It’s “Me”: How Identity Thieves are Exploiting Secure Authentication Channels

Feb 25, 2019

As fraud protections become more effective at preventing and stopping fraud, schemes must become increasingly sophisticated in order to be successful. Widespread data breaches, such as those at Target, Equifax, and most recently, Marriott, have created opportunities for fraudsters to acquire and use customer information to commit fraud. With this information in the hands of an identity thief, previous measures implemented to curb fraud, such as authentication based on personal information, are no longer effective.

The tax industry, which relies on multiple authentication channels to verify taxpayer identities, is just one example of an industry that is vulnerable to fraud attempts by those with access to taxpayers’ personal information. The Internal Revenue Service (IRS) estimates that in 2016, fraudsters attempted to claim up to $12.2 billion in fraudulent tax refunds. Although $10.5 billion in refunds were stopped by the IRS before being paid out, the remaining $1.6 billion were paid to fraudsters before being identified as fraud. There are currently four authentication channels used by the IRS to identify taxpayers.

  • Online Service – The most common channel with 16.5 million users. Once considered to be the most secure channel, in the age of widespread identity theft, this service could now be one of the more vulnerable authentication processes.
  • Telephone Service – The second most utilized channel with 7.2 million users, is used nearly half as much as the online service. Similar to the online authentication service, the lack of face-to-face interaction and reliance on personal information that may already be in the possession of an identity thief places this channel at risk for fraud.
  • Correspondence Service – The third most used channel with 3.9 million users is based on written correspondence. Correspondence, much like the online and telephone services, remains vulnerable to abuse.
  • In-person Service – The least used method with 945K users is likely the most secure, as hurdles such as photo identification requirements would most likely deter a fraudster from attempting to exploit this channel.

All a fraudster needs to begin treading the waters of authentication channels is the social security number (SSN) of the person whose identity they have stolen. Equipped with this information, the fraudster can easily call or visit the IRS online, provide the taxpayer’s name, SSN, & filing status – often an easy guess, based on what they already know about the stolen identity – and acquire the taxpayer’s prior year Federal Adjusted Gross Income which is required to submit an electronic tax return. This is just one example of how a fraudster can use stolen personal information to circumvent the authentication protections used by revenue agencies.

To rectify this, new solutions to combat fraud are constantly evolving at the federal and state levels as the battle between what is real and what is fraud plays out. Advanced analytic techniques can be used to detect high risk activity that falls under suspicion thresholds by cross-channeling behavior analytics. Revenue agencies must continue to seek out innovative methods to improve authentication processes, while balancing these efforts with the reality that not all users have equal technology access to utilize some more sophisticated methods.