The Washington PostDemocracy Dies in Darkness

Why the IRS’s efforts to help identity theft victims are likely to fall short

(Andrew Harrer/Bloomberg)

The 104,000 people who had their most sensitive tax information stolen by hackers as part of the latest cyber-attack on the Internal Revenue Service are getting free credit monitoring services, courtesy of the agency.

However, there’s one major way that the protection might fall short: Much of the identity theft these consumers are vulnerable to now will not show up anywhere on their credit reports. Armed with more sensitive information from the tax records, criminals can now attempt to fraudulently claim government benefits such as unemployment insurance, Medicare and food stamps, none of which are tracked in people’s credit histories, security experts say.

“The big money to be made with that information is not in getting credit in your name or a car loan in your name,” says Frank Abagnale, who was convicted of fraud-related crimes when he was younger and now works as a security consultant. “The criminals have started to realize that where the big money is is the government — federal, county and state.”

The criminals who stole old tax refunds through the “Get Transcript” tool on the IRS Web site already had personal information such as names, Social Security numbers, home addresses and birthdays. But after accessing the tax records, they now know a lot more about the people they are pretending to be.

[Criminals want your tax returns. Here’s what you can do about it.]

The tax returns stolen can include information as sensitive as children’s names and Social Security numbers, how much money the victims made and what their tax refund was last year. Armed with those details about a person’s family, criminals can pose as the victims to claim government benefits, or sell the information to other people who do.

Credit monitoring, a solution commonly turned to by companies and health-care providers that have experienced a security hack, can help consumers look out for identity thieves attempting to open credit cards, take out loans or apply for jobs in their name. But the close surveillance would need to last much longer than the year or so of protection that is typically offered, consultants say. Victims need to guard their identities for the rest of their lives.

“There’s not too much they can do,” says Gavin Reid, vice president of threat intelligence for Lancope, a firm that helps companies detect hacks. “They can’t change who they’ve been. They can’t change their Social Security numbers.”

The IRS is flagging the identities of the people whose transcripts were stolen so that it can be extra cautious when processing their returns at tax time. But the best thing agencies and companies with access to personal information can do to protect consumers is to reduce the chances that personal information can get stolen in the first place.

That highlights a broader vulnerability that many criminals are exploiting.  Many companies and even government agencies are relying on information from people’s credit histories to verify their identities — just as that information is getting easier to find.

The “Get Transcript” tool, for example, asked people to enter “out of wallet” questions such as the size of a person’s car payment. The rise of sharing on social media sites, combined with a proliferation of Web sites that make it easier for people to look up records that may contain sensitive information, is making it easier for criminals to overcome those security measures and access accounts, security pros say. “They’ve really got to consider are those types of questions enough?” Reid says.

[How the breach of IRS tax returns is part of a much bigger problem facing taxpayers]

The IRS might consider using some of the fraud detection programs being used by some banks and retailers, which study consumers’ behavior to notice activity that seems out of the ordinary, says Michael Sussmann, a partner in the privacy and data security practice at Perkins Coie. For instance, some banks will text consumers when they make a purchase that seems larger than usual or from a location they haven’t been to before.  “A company may scrutinize more about where you’re logging in, how you’re logging in,” Sussmann says.

Tax-related identity theft is ramping up at a time when deep budget cuts are leaving the IRS with fewer resources to fight that fraud. A spokesperson pointed out that this year the agency requested an additional $82 million to improve its identity-theft efforts, deal with a backlog of cases and invest in technology that can help it protect taxpayer information. Meanwhile, its annual budget has been cut to $10.9 billion this year from $12.15 billion in 2010.

Read More:

Hackers stole personal information from 104,000 taxpayers, IRS says

Congress to question IRS officials about how data was stolen

What to do if your tax refund is stolen