Posts Tagged: NBPCA

Jun 15

Firms Could Be Forced to Disgorge Profits from Tax Refund Fraud

Last week, KrebsOnSecurity ran an interview with Julie Magee, Alabama’s chief tax administrator, to examine what the states are doing in tandem with the IRS and others to make it harder for ID thieves to commit tax refund fraud — a $6 billion a year problem. Today we’ll hear from John Valentine, chair of Utah’s State Tax Commission, about the challenges his state faced this year, as well as the prospect that tax preparation firms could be forced return to the U.S. Treasury any profits they make from processing fraudulent tax refunds.

The Growing Tax Fraud MenaceValentine was a tax attorney before being appointed the chair of Utah’s tax commission, so he’s familiar with the challenges facing both the tax preparation industry as well as the tax agencies.

“I came out of the private sector and spent nearly 40 years suing the state tax commission and the IRS,” Valentine said. “Now I am that.”

Utah is actively engaged in an IRS task force made up of state, federal and industry tax experts trying to quash refund fraud. Like Alabama’s deputy tax commissioner Joe Garrett — who had a $7,700 fraudulent refund filed in his name — several of Utah’s senior tax administration officials also were victimized by ID thieves this year.

“We’ve had some of our senior people who had tax returns filed on their behalf,” Valentine said. “Of course, they had not filed them yet and we knew that they were more than a little suspicious.”

Among the steps the task force is considering is whether to mail all taxpayers an Identity Protection Personal Identification Number (IP PIN) that is tied to each taxpayer and must be included in each tax return. The IRS issues the IP PINs to taxpayers who have suffered tax return fraud. Additionally, consumers willing to swear they have been victims of identity theft can apply for a filing PIN, however the IRS is picky about granting those requests.

Even if the IRS were to switch to issuing IP PINs to all taxpayers, the agency would still run up against the thorny problem of how to verify consumers’ identity (no doubt, that challenge would be exacerbated by millions of taxpayers phoning the IRS after losing or misplacing their assigned PINs). A major focus of the working groups attention is finding better ways to authenticate people beyond merely requesting static identifiers (Social Security numbers, dates of birth) and other data that is frequently exposed in data breaches and is readily for sale on underground markets.

“They’re going to have to switch to a 2-factor authentication system, where they really strengthen the front-end of that authentication,” Valentine said of the tax preparation firms like TurboTax, which briefly shut down all state tax filing this year after a massive spike in phony refund requests put through its systems via hijacked and fraudulently created TurboTax accounts.

Valentine also made the decision to halt all Utah tax refunds around that same time.

“When we installed our [anti-fraud] analytics program, we thought we were getting a lot of false positives, so we did a bunch of back checking,” he said “While we were doing that, I made a decision to stop all refunds. For a period of two weeks Utah gave no refunds while we worked through the analytics to make sure we’d identified the nature and extent of the fraud. It turned out to be much more extensive than we’ve ever seen.”

In fact, ten times as much as any year prior, according to Valentine.

“We’ve always seen fraud where a tax practitioner will file a whole bunch of fraudulent returns, or we’ll see ID theft targeting a large employer. But this fraud wave was a little tougher, because it went across spectrum of employers, across the entire demographic of taxpayers, high low and middle income. Also, the fraud wasn’t regionalized — it was across the whole state — and [the fraudsters] didn’t seem to be selective as to who they hit. They got people of notoriety and people nobody knew. In the end, it appeared that the common factor among all of them was how you filed in 2013,” because the phony 2014 returns all included nearly identical information as the victim’s 2013 returns.

“What we saw in Utah was a population of the same information in the 2013 return into the 2014 return, with the exception of bank routing and bank account number,” Valentine said. “That’s a different fraud that we’d just never seen before.”

TurboTax’s lax security around authentication for new and existing accounts played a well-documented role in the type of fraud described by Valentine this year. But ID thieves also got help directly from the IRS this year. Late last month, the agency suspended the “get transcript” function that previously allowed taxpayers to order a copy of their previous year’s W2 information, among other data; turns out, crooks had used the service to pull tax data on more than 100,000 citizens, stealing tens of millions from the U.S. Treasury in the process. Continue reading →

Sep 13

Crooks Hijack Retirement Funds Via SSA Portal

If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time take care of that: The SSA and financial institutions say they are tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have that retiree’s benefits diverted to prepaid debit cards that the crooks control.

The SSA's "my Social Security" portal.

The SSA’s “my Social Security” portal.

Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program. The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal, which opened last year and allows individuals to create online accounts with the SSA to check their earnings and otherwise interact with the agency relative to their accounts.

Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General, said that for several years the agency was receiving about 50 such allegations a day, though those numbers have begun to decline. But thieves didn’t go away: They just changed tactics. The trouble really began earlier this year, when the Treasury started requiring that almost all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

At the same time, the SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site. According to Lasher, as of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity. Lasher said while some of the complaints are the result of unsuccessful attempts to open an account fraudulently, some are indeed fraud.

“Social Security has already improved security over this online feature, and we continue to work with them to make additional improvements, while also investigating allegations we receive,” Lasher said. “While it’s an issue we’re taking very seriously, it’s important to keep in mind that about 62 million people receive some type of payment from SSA every month, so the likelihood of becoming a victim is very small, particularly if you’re careful about protecting your personal information.”

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam. Lasher said in the SSA’s systems, every record is tied to the SSN rather than a person’s name, since there are so many duplicate names.

“Of course, the one way to ensure that no one opens an account in your name is to open one yourself,” Lasher said. “Given the nature of other articles on your site, I think it’s important that I point out that there is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.”

Continue reading →