Naked Security

US tax service says, “2FA is a must!”

We know it's an old drum, but we're not tired of beating it yet: 2FA is your friend.

The Beatles famously sang about The Taxman back in 1966, when Britain had much higher taxes on the rich than it does now:

    Let me tell you how it will be
       There's one for you, nineteen for me
    'Cause I'm the taxman, yeah, I'm the taxman
    Should five per cent appear too small
       Be thankful I don't take it all
    'Cause I'm the taxman, yeah, I'm the taxman
    If you drive a car, I'll tax the street
       If you try to sit, I'll tax your seat
    If you get too cold, I'll tax the heat
       If you take a walk, I'll tax your feet
    'Cause I'm the taxman, yeah, I'm the taxman

It was the era, if you like, where income tax boiled down to “you versus the Revenue”, the earner versus the government, the individual versus society.
How times have changed!
These days, there’s a very clear third player in the income tax game: cybercriminals.
Personal taxation now includes a new sort of battleground, with taxpayers and the IRS as unexpected allies on one side of the fight, and cybercrooks on the other.
That’s because of what are known very descriptively as tax refund scams.


We’ve written about tax refund scams many times before on Naked Security, and the way they work is easily told.
Simply put, crooks figure out enough about you that they are in a position to submit a realistic looking tax return on your behalf…
…and then they do just that, except that they understate your income convincingly enough that the IRS pays out a refund, into a bank account provided by the crooks…
…who promptly run off with the money.
That means the crooks have stolen that money not just from you, not just from the government, but essentially from all of us – the refunded money gets drained out of the system and will never be seen again.
You end up with a fraudulent tax return filed against your name; the government ends up with a huge dent in its tax revenues; and the mess can take ages to sort out.

An unfair advantage

Annoyingly, the crooks have an unfair advantage here, just because of the way most of us – perfectly reasonably, and lawfully, and understandably – approach our tax returns.
Many countries give a fairly generous amount of time to submit tax returns, preferring slow but correct answers to hasty submissions that need constant revision, and many taxpayers (you know if you are one of them!) take a fairly generous amount of the available time to complete the paperwork.
As a result, tax refund scammers don’t have much trouble getting their fake returns in before real taxpayers submit their real ones.
Also, many if not most countries prefer you to file online these days, to reduce the cost of collecting taxes in the first place.
And many if not most taxpayers prefer to do just that, because it’s easier and less stressful than handling pages and pages of written forms as in the past.
As a result, tax refund scammers can scam in bulk and from afar – they don’t need to take the risk of visiting a tax office in person for each taxpayer they want to impersonate.
For example, the scammers will claim that they – which really means you, of course – were unable to work for a significant part of the year, perhaps due to injury or illness, and therefore that the tax withheld so far was greatly overpaid.
If the crooks can provide fake but believable documentation, tax offices in many countries will typically issue a refund automatically and fairly quickly.
After all, the tax office knows where you live, so they can and will prosecute you and claw the money back if you provide fake information, so an efficient refund system can be considered both fair and fairly safe.
Unless the money refunded is drained out of the system altogether, of course.

Plugging the leaks

Well, the IRS is determined to plug the leaks, especially during the coronavirus outbreak, where remote filing of everything has become the norm.
The IRS is currently in the middle of a five-step series called Working Virtually: Protecting Tax Data at Home and at Work, with help from government departments at state and federal level, taxation professionals and financial institutions.
Part 2 of the five-part series just came out and we can report that its primary advice is really simple:

Use multi-factor authentication to protect accounts.

Indeed, from 2021, the IRS will require all tax software vendors to offer multi-factor authentication, and expects all tax professionals preparing returns to make use of this feature:

Starting in 2021, all tax software providers will be required to offer multi-factor authentication options on their products that meet higher standards. Many already do so. A multi-factor or two-factor authentication offers an extra layer of protection for the username and password used by the tax professional. It often involves a security code sent via text.
Using multi-factor authentication is the second in a five-part series called Working Virtually: Protecting Tax Data at Home and at Work. The public awareness initiative by the IRS, state tax agencies and the private-sector tax industry – working together as the Security Summit – spotlights basic security steps for all practitioners, but especially those working remotely or social distancing in response to COVID-19.
[…]
Of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.

What to do?

We know it’s an old drum, but we’re not tired of beating it yet: 2FA won’t sort out the problems of phishing and fraud, but it slows down cybercriminals significantly.
We know it’s an inconvenience: 2FA does add a bit of extra hassle to your online experience, but in return, you make things a lot harder for the crooks.
And we know there are plenty of excuses not to do it: your phone could get stolen; your SIM card could get swapped so that the crooks get your text messages instead; or you might lock yourself out if you leave your phone at home.
But in most cases, your phone won’t get stolen (or if it does it will be passcode protected and inaccessible anyway); your SIM card won’t get swapped (and even if it does the crooks still need your password too); and you won’t lock yourself out (or at least not after the first time it happens).

Why it’s worth it

We’ve found 2FA to be a bit like seatbelts and bicycle helmets.
At first, they’re all kind of annoying to use, and you feel a bit as though they’re a vote of no confidence that assumes you will fail rather than backing you to succeed.
After a while, though, they don’t just feel acceptable but highly desirable – because the effort involved in using them is close to zero, and you start to feel naked without them.
Tax refund fraud isn’t just an injury to you, it’s an insult to everyone, so…
please don’t delay, adopt 2FA today!


14 Comments

Paul Ducklin writes: “…the scammers will claim that they – which really means you, of course – were unable to work for a significant part of the year, for example due to injury or illness, and therefore that taxes withheld so far were greatly overpaid.”
Is it really that simple? If so, shame on the IRS. They know the actual income for all taxpayers whose employers provide them with a W-2, which is also filed with the IRS. They also have prior year tax returns for most taxpayers. Any tax returns filed for the current year should be compared with the current year’s W-2 and prior year returns to identify anomalies and withhold refunds pending further investigation.

I don’t think it’s quite “that simple” – especially for full-time employees in countries where pay-as-you-earn tax contributions are handled automatically and you, your employer and your tax office can estimate with great certainty what tax you will need to pay when the current tax year starts. But many people – most, I suspect – have had or will have one or more years in their working lives where things just don’t go according to plan (2020 should be all the evidence you need for that). Illness, accident, bereavement, losing work, stopping work, changing jobs, having a child, losing a child, looking after someone else’s child, becoming a carer… there are lots of reasons why a taxpayer’s circumstances might suddenly change to reduce the amount of tax they owe.
Few people would create a complete lie about such things, especially if they knew full well that the paperwork would catch up with them… and, indeed, they don’t.
So I think it’s good to see the IRS trying to attack refund fraud by preventing fraudulent claims from being submitted in the first place, rather than by delaying everybody’s refunds and spending vast amounts tracking down “income anomalies” that are, in fact, not actually that unusual.

David B. was right on the mark, Duck. The title, image, and the text of the article itself are clearly referring to the United States federal government’s Internal Revenue Service (IRS). And the IRS does indeed get the same info via W-2s and 1099s that we are required to file along with our tax returns. In fact, the state governments’ tax agencies receive this data as well, and they all get it well ahead of those tax deadlines. Yes, fraudsters may fudge things, but the figures on those W2s and 1099s are hard facts, not estimations or might-happen numbers. Wages/interest received and taxes withheld are reported to the IRS or state equivalent and there is no reason whatsoever that they should disagree. Nor should it be difficult or take any extra time to match the numbers up… it’s all in the great computers.
Some factors could be manipulated by the crooks, to affect the bottom line on the return, but there should be no way to alter those income figures. Any attempt to do so should be cause for investigation as a fraudulent return.

I still strongly suspect there’s a race condition there… that an early request for a refund can easily beat the official figures into the IRS’s system. And if you really have had a shortfall in earnings, and are willing to go on the record to say so, I can see why you would want to file super-early. Also, there are plenty of people who have fairly simple tax affairs but lots of different jobs, or intermittent contracts, or what the UK calls “zero-hour contracts” (which sounds like a contradiction in terms to me, but what do I know?).
So I agree that it ought to be “quite simple” to detect this sort of fraud, but with, what, 100s of 1,000,000s of taxpayers, the crooks have a lot of holes to shoot for.

Steve, don’t forget that many businesses must pay once their paperwork is in–so they wait until just before the deadline to file.
Multitudes of individuals expect a refund, and those who really need it will sit at their mailboxes* and wait for that W-2 arrival.
* okay, maybe not literally

having a child, losing a child, looking after someone else’s child
Maybe I’ve been reading XKCD for too long, but this made me think that the next thing should be “losing someone else’s child when you were looking after them”.

Having worked in one of the big-banks in AUS and knowing people in the ATO (Australian Tax Office) the data matching and machine learning required to close these gaps isn’t there yet. It’s getting better, sure – but while we’re waiting we should probably protect ourselves.

Duck…
In referencing “you versus the Revenue,” this article (though well-written) just may draw heated criticisms not-quite-directly-related to your intended focus.
And I find the obligation of paying mind to such discussions rather taxing.
…I’ll see myself out.
:,)

Here is what is funny! The US government has a service for this called login.gov. Just that very few websites use login.gov!
But 100% agree!

This article missed one important issue about fraudulent tax claims. The IRS reported that hundreds and hundreds of tax refund checks were sent to the same addresses. CBS reported that, “A new audit-report from the Treasury Inspector General for Tax Administration (TIGTA) shows that the IRS sent at least 343 potentially fraudulent tax returns in 2011 to the same, single address in Shanghai, China, for a total of $156,533 in tax refunds.
The same report also shows that 655 potentially fraudulent tax refunds totaling $220,489 were sent to the same address in Kaunas, Lithuania. Other potentially fraudulent refunds, 580 of them, were sent to the same address in Orlando, Fla.; 355 to the same address in Lakewood, Colo; and another 291 to another single address in Orlando, Fla.
In total, those potentially fraudulent refunds totaled $2,715,391.”
How complex a program would it take to stop payments of refund checks when more than 10 are sent to the same address? This stupidity can easily be minimized by the IRS.

Good point – and seen in print here, those numbers seem astonishingly high. 580 refunds to the same address? But in an operation at the scale of the IRS, I wonder just how much of an outlier that is? For example, how many legitimate refunds each year share the same address because it’s a care home, or a designated proxy, or a financial adviser with power of attorney, or a designated overseas bank that’s allowed to process foreign currency?
On average, those refunds to Shanghai come out under $500 each, so perhaps the crooks had happened upon a limit that they knew would avoid triggering deeper checking?
So although I agree with you, especially for expatriated funds that are truly leaving the system, I can also accept that the IRS really is dealing with more data each year than I shall probably ever see in my life, under complex and probably very byzantine regulations…

If you use a mobile for 2FA what opportunities does that give for data aggregators to assemble data about you from combining data about the different accounts that use the same phone number for 2FA?
Or do you get multiple “cheap SIMs” (presumably SIMS not on a contract are less liable to SIM swapping?) and multiple burner phones to keep all the 2FA “accounts” separate?

That’s an interesting point, perhaps more of an issue for pseudonymous accounts you open up on social media that end up tied to the same phone on a contract in your name. As you say, a prepaid SIM would probably do a neat end run around that issue.
The good news, if you’re worried about this, is that few of the services I use support 2FA only via phone numbers and SMSes – most also support the use of a code generator app, which isn’t tied to a phone number.
The IRS didn’t say which sorts of 2FA it expected tax software providers to support – although SMS-based 2FA was explicitly mentioned as an example that is “often” available. I suspect that many if not most tax software companies will support authenticator apps as well or instead, so if being aggregated by phone number is a concern for you, I’m guessing you will be able to choose your way out of SMS-based tax authentication if you want.
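As an added illustration of the point made in the comment above (this is example code written for this page, not part of the original article, its comments, or any tax software vendor’s product): a code generator app derives each six- or eight-digit code from a shared secret plus the current time, using the HOTP/TOTP algorithms from RFC 4226 and RFC 6238. Nothing in the computation involves a phone number or SMS, which is why an authenticator app sidesteps both SIM swapping and phone-number aggregation. The secret and expected codes below are the published RFC test vectors; the ±1-step acceptance window is a common implementation choice, assumed here, not anything the article specifies.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    # The counter is an 8-byte big-endian integer.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 time-based one-time password: HOTP with counter = time // step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift either way.

    The comparison is constant-time so that a network attacker guessing codes
    cannot learn anything from response timing.  Real deployments should also
    rate-limit attempts and refuse to accept the same code twice.
    """
    if for_time is None:
        for_time = time.time()
    base_counter = int(for_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, base_counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In practice this is the value encoded in the otpauth:// QR code a site shows you
# when you enrol an authenticator app; it is never sent over SMS.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_TEST_SECRET, 0))            # 755224
    print("TOTP at T=59   :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
    print("current TOTP   :", totp(RFC_TEST_SECRET))
```

The `for_time` argument exists so the server side can be tested deterministically; in production both the app and the server simply use the current clock, which is why the two agree without any channel between them.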
