I received my tax refund as expected. Thankfully no one filed a fraudulent tax return using my Social Security Number.
I heard tax refund identity theft is becoming more rampant these days. You file your taxes only to hear that some criminals beat you to it. They make up some numbers and they get a large refund from the IRS or from the state. Now your tax refund is put on hold pending resolution of the fraud.
A popular suggestion is to file early. That’s not really a solution. You need to wait for the W-2 and 1099 forms. Criminals don’t. You can’t win that race. Making sure you owe instead of getting a refund only lessens the financial impact. It doesn’t save you from the paperwork hassle when you are informed that someone else already filed a return on you.
Points of Attack
I read the points of attack are often the online tax prep services. Criminals create fake accounts at the tax prep services, sometimes filing many fake returns under the same account. They also use stolen user names and passwords from elsewhere to log in to people’s online tax prep accounts because some people re-use their user name and password. The online tax prep services and their e-filing become the criminals’ super-efficient pipes to the IRS and to the states.
I read that the IRS and the tax prep industry met and agreed to set up three working groups to come up with ways to fight the fraud. That’s great. I have another idea. I think it will help cut down this type of fraud really fast.
The Root Cause
Before I get to the idea, let me first point out the root cause I’m trying to address. I believe the root cause is misalignment between information and motivation. The parties that have a lot of information lack motivation. The parties that have a lot of motivation lack information. Once information and motivation are aligned, the problem will be much easier to solve.
Online tax prep services have a lot of information. They know which account is filing this return. They know where it’s logging in from and what address is on the return. They know whether this account has filed returns for the same social security number in the past or not and where it logged in from in the past. They know whether the numbers were imported or typed in. They know how many other accounts were created or logged in from the same IP address or the same browser. They know how many sessions the users took before finalizing the return, how long each session lasted and which topics the user visited. They know where the refund is going to and how the user is paying for the tax prep fee.
The data points are numerous but the companies have very little incentive to use these data points. Instead, they adopt a zero tolerance policy on false positives.
The IRS and the states have a lot of motivation. They lose money to fraud, plus the added cost to deal with the legit taxpayers. However, by the time the returns come into the door through the tax prep companies’ pipes, all those fine-grained data points on how the returns were created are lost. There’s much less information to go by.
Chargeback
How do you shift the motivation to fight fraud to the parties with rich information? You borrow a proven effective practice from another industry: chargeback.
If a criminal steals your credit card number and makes an unauthorized purchase, you can dispute it with the bank and get it reversed. The bank will send a chargeback to the merchant. The merchant loses the merchandise. Merchants don’t want chargebacks. That’s why when you buy online you are usually asked to put in the 3-digit number on the back of your card as a security check. That’s why when your shipping address and your billing address don’t match, your order is sometimes put aside for extra screening.
Following that practice, if the IRS or the states pay a refund on a return which later is found to be fraudulent, they charge it back to the party that brought in that return. You bet now the online tax prep services will use all available data points to make sure the return is legit.
It also unleashes the power of competition. Right now one service says its anti-fraud effort doesn’t really help reduce overall fraud because fraud just goes somewhere else like squeezing a balloon. If they get chargebacks, they will do the best they can to push fraud somewhere else. When all companies push fraud somewhere else, fraud will have fewer places to go.
When information and motivation align, the problem will diminish. As long as they don’t align, the problem will stay with us.
Interim Measures
What can we the taxpayers do in the interim?
- Use installed tax software, not online. Don’t leave an account out there for criminals to take over.
- If you already created an online tax filing account, especially if you don’t use it any more, put a unique, super-long password on it.
- Freeze your credit. Many places let people create an account if they can answer questions drawn from your credit reports (such as your old addresses or the size of your mortgage payment). If you freeze your credit, they won’t be able to do so.
Say No To Management Fees
If you are paying an advisor a percentage of your assets, you are paying 5-10x too much. Learn how to find an independent advisor, pay for advice, and only the advice.
Anie schafer says
thoughtful and concise! Now, to get this idea into the hands of some folks who will do something about it???!….le sigh
Sam Seattle says
Great idea, Harry. In the meantime, though, what can we do to minimize this risk, besides filing early, as soon as you get all 1099 forms?
Also, how about setting up your witholding so you OWE the IRS, instead of getting a refund?
ameridan says
Another good reason to use the software version of your Tax prep program vs. the online version.
Sam Seattle says
I use the software/ CD version, but I did e-file, so I had to log online, too, right?
T. J. Allard says
I like Harry’s solution because it includes a financial motivator and the motivator doesn’t go away with time.
I believe a long-term solution may also have to include a unique personal identifier beyond a social security number and a date of birth. The IRS does issue a personal identification number (PIN), once an individual has been the victim of identity theft. If we were able to select a PIN prior to the occurrence of identity theft, it would mean a criminal would have to acquire an additional piece of protected information to file a return.
FinancialDave says
T.J.,
I like this solution of the possibility of getting our own PIN before the situation occurs. As pointed out this is an increasing problem that needs to be addressed.
Dave
JohnInIowa says
I agree that Harry’s suggested policy is good.
As for what we individuals can do, beyond minding one’s passwords, the IRS Identity Protection PIN does sound promising. I think that residents of FL GA and DC are eligible to opt-in, if they wish, during the pilot program.
I wonder what risk is posed by using Intuit’s “cloud” backup. When I finished filing TurboTax on my desktop computer, it recommended backing up the filing on this “cloud”, and I did. But now I wonder whether that poses the same risk as having an online filing account.
Harry Sit says
JohnInIowa – Backup by definition means you will be able to retrieve it if you don’t have your current copy. How they will authenticate before they give out the backup is the question. Lately on turbotax.com I see you need a code sent to your registered email address in addition to the user name and password. That’s better than just user name and password. I didn’t explore whether there is a “my email address changed” option.
JohnInIowa says
Harry, the authentication to download a backup tax file, stored on their “cloud” form the Mac version of the desktop TurboTax, is unfortunately just the intuit login ID and password. For this purpose, there is no second means of authentication such as the code sent to the registered email. I know that Intuit does require this second authentication in order to change a password, but it does not require it to download tax files from their “cloud.”
That’s what I found in a test yesterday. I used TurboTax for Mac, and from its main File menu I chose “Open from TurboTax Cloud”. A window pops up that says “Sign in to my Intuit account” and provides just two boxes: your email or user ID, and your Intuit password. Type in those two things, and a list of tax file appears. Click one of them, and the tax file opens.
If Intuit is recognizing my computer as a safe computer, and thereby no requiring another authentication, I suppose that’s okay. But I don’t have a way of testing if Intuit is doing that.
So if I’m right, that means that a bad guy with a desktop copy of TurboTax has just two things, your email address and your Intuit password, he will have ALL the tax returns that you have backed up onto Intuit’s “Cloud.” And these files make it very easy to find not just your social security number, but also your address, birthdate, name of employer, and lots of other personal information that would be a goldmine for an identity thief.
This all strikes me as a bad situation. Especially for the majority of customers who use the same password for multiple accounts. It seems to me that right now there are untold numbers of TurboTax customers who are very vulnerable right now.
Now I’d like to find a way to delete the files from my Intuit “Cloud” backup.
JohnInIowa says
To delete backup files from Intuit’s “cloud”, if they were stored using a desktop version of Turbotax, it is done from within the Turbotax application itself:
https://ttlc.intuit.com/questions/2802662-how-to-view-my-file-in-clouds-if-i-like-to-delete-the-file-in-clouds-how-shall-i-do-thanks
serbeer says
Like!
🙂
Money Beagle says
We owe money this year so if anybody has any ideas about stealing our identity, the least they could do is at least pay the darn things!
Matt says
After we submitted our return, we got a letter in the mail from our state (Ohio) department of taxation requiring us to go through additional identity confirmation steps before they would release our refund. The identity confirmation amounted to the typical questions pulled from your credit report for identity verification, as well as providing the reference number on the letter they sent and the requested refund amount. It was a very minor hassle for another barrier against our refund being stolen.
Jeanne Schmelzer says
We did the Ohio Quiz and then Ohio told us that they couldn’t find our name in their info. So I called to get assistance and I was the only one that got in and my husband didn’t. We filed jointly. So we had to make copies of everything: birth certificates, drivers license, tax returns, 1099 forms. It was quite a hassle. Others that I talked to were recognized without a hitch.
T. J. Allard says
Unfortunately, because the criminal makes-up the return, it doesn’t matter if you actually owe money or not. They make up the return so it results in a refund and submit it before you submit your legitimate return and that’s what the IRS processes.
60 Minutes did a story on this back in September. Here’s the link to the story: http://www.cbsnews.com/news/irs-scam-identity-tax-refund-fraud-60-minutes/.
Bruce says
Actually, it does matter if you owe money. If you owe taxes, the only problem with fraud is that you have to print out and mail your return. If you need a refund, it can be delayed six months. You are right that owing taxes does not prevent fraud. However, in the former case, the government is the victim; in the latter, you are.
Lynn says
Harry, I was wondering if you think this advice (http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/) is any good?
Harry Sit says
I’m certainly not an expert. I think if you are concerned about someone successfully answering the questions from credit reports, it’s more effective to just freeze your credit than pre-emptively creating accounts at places that use those questions to authenticate you. Otherwise you just never know where they will go next.
DonB says
It sounds like we have two actions available to us right now to deter this kind of fraud. 1) Use a different password on every web site. I suggest the PasswordMaker plugin for your web browser, and KeePassX in general. 2) Don’t use online services. Plenty of people actually read the directions and fill out the tax forms on paper (technically, fillable PDF and printed). You’ll probably understand your taxes better as well.
Caroline says
Good ideas and if you are going to use anything online, make sure your connection is as secure a it possibly can be. There are a lot of prying eyes out there. It’s amazing how many people do things like this sat on public wi-fi in a cafe or similar. A great place for people to steal your passwords and data.
Rod says
This is a good first step for up your tax filling security:
http://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN
Chris says
I’m not certain that the IRS is highly motivated to stop this.
I was a victim several years ago and found the IRS not particularly helpful in resolving my case. I finally filed the IRS Form 911 (basically a request for IRS ombudsman review) and that got some attention and help.
No business could get away with such a sloppy, open-to-fraud system. They would have some PIN-based verification in place to protect their money. I wonder if Treasury considers fraudulent refunds as just another form of “stimulus” (?)
Bill says
As long as Intuit and other such companies spend big bucks on lobbyists and campaign contributions, chargeback will never happen.