Even during this era of cyber-insecurity, here’s a chilling figure: 3.1 billion.

That’s the number of dollars the Internal Revenue Service (IRS) paid in bogus tax refunds in 2014 because of identity theft refund fraud, according to the Government Accountability Office.

The IRS has a Taxpayer Protection Program (TPP) that sounds like it should provide security. It does, but not enough: of the 1.6 million returns the program screened in 2014, about 7,200 were bogus, and the IRS paid $30 million to identity theft fraudsters on them. That’s just one of the ways Uncle Sam fights identity theft fraud. In total, IRS processed more than 150 million individual tax returns in 2015.

Overall, the GAO report indicates the IRS does a decent job of detecting and stopping ID fraud, which is a big business. Crooks attempted to get $25.6 billion from bogus refunds in 2014. The IRS beat them most of the time, stopping or recovering the theft of $22.5 billion, 88 percent of the attempted pillage. But in the remaining cases, crooks got the $3.1 billion.

That could be a low-ball estimate, however. GAO says the IRS might have been beaten an unknown number of times for an undetermined amount of money by undetected cheating.

Regarding TPP authentication, IRS likely underestimated how many fraudulent returns it passed “because the agency did not include potential IDT [identity theft] returns that closely matched information returns provided by third parties, such as W-2s,” said James R. McTigue, Jr., GAO’s director of strategic issues.

TPP is designed to reduce identity theft fraud by verifying the identities of suspicious tax filers. But it has some holes.

“TPP uses single-factor authentication procedures that incorporate one of the following authentication elements: ‘something you know,’ ‘something you have,’ or ‘something you are,’” GAO said. “TPP’s single-factor authentication procedures are at risk of exploitation because some fraudsters obtain the PII [personally identifiable information] necessary to pass the questions asked during authentication.”

Criminals can find answers to at least one of those “somethings” by searching the web or even purchasing information from vendors.

IRS did a risk assessment in 2012 and “determined that improper authentication through TPP posed low or moderate risks to both the agency and taxpayers, and therefore required no more than single-factor authentication.”

But things move quickly in the world of cybersecurity, and that 2012 assessment is out of date. It “may not reflect the threat that IDT refund fraud currently poses,” according to GAO. Multi-factor authentication would require at least two of those “somethings,” drawn from different categories.
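The distinction GAO draws above is easy to get wrong in practice: asking a filer several knowledge questions still verifies only one factor, because every answer comes from the same “something you know” category that fraudsters can buy or look up. The following is an added illustration, not code from the GAO report or the IRS, of an authentication check that counts distinct factor categories rather than individual challenges. The taxpayer record, the knowledge answers and the shared secret are constructed sample data; the use of a time-based one-time code (RFC 6238 TOTP) as the “something you have” factor is an assumption made for the example, not a description of how TPP works.

```python
import hashlib
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


def _h(answer: str) -> str:
    """Normalise and hash a knowledge answer so plaintext answers are never stored."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


# Constructed sample record (not real taxpayer data). Every KBA answer, however
# many are enrolled, belongs to the single KNOWLEDGE category.
SAMPLE_RECORD = {
    "kba_answers": {
        "prior_year_agi": _h("41250"),
        "street_name": _h("Elm Street"),
    },
    # Assumed enrolled-device key for the POSSESSION factor (constructed value).
    "totp_secret": b"constructed-shared-secret-0001",
}


def verify_kba(record, answers) -> bool:
    """All presented question answers must match, compared in constant time."""
    if not answers:
        return False
    ok = True
    for question, answer in answers.items():
        expected = record["kba_answers"].get(question)
        if expected is None:
            return False
        ok &= hmac.compare_digest(expected, _h(answer))
    return ok


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current 30-second time window."""
    return hotp(secret, at // step)


def verify_totp(record, code: str, at: int, window: int = 1) -> bool:
    """Accept the current window plus +/- `window` steps of clock drift."""
    secret = record["totp_secret"]
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))


def authenticate(record, *, kba_answers=None, totp_code=None, at=None) -> set:
    """Return the set of distinct factor categories that actually verified."""
    at = int(time.time()) if at is None else at
    verified = set()
    if kba_answers and verify_kba(record, kba_answers):
        verified.add(Factor.KNOWLEDGE)
    if totp_code and verify_totp(record, totp_code, at):
        verified.add(Factor.POSSESSION)
    return verified


def is_multi_factor(verified: set) -> bool:
    """Two correct KBA answers are still one factor; MFA needs two categories."""
    return len(verified) >= 2


if __name__ == "__main__":
    now = int(time.time())
    kba_only = authenticate(SAMPLE_RECORD,
                            kba_answers={"prior_year_agi": "41250",
                                         "street_name": "elm street"}, at=now)
    print("KBA only ->", [f.value for f in kba_only], "MFA:", is_multi_factor(kba_only))
    both = authenticate(SAMPLE_RECORD, kba_answers={"prior_year_agi": "41250"},
                        totp_code=totp(SAMPLE_RECORD["totp_secret"], now), at=now)
    print("KBA + device code ->", [f.value for f in both], "MFA:", is_multi_factor(both))
```

The point of returning a set of categories rather than a count of passed challenges is that the policy decision (`is_multi_factor`) cannot be satisfied by piling on more knowledge questions, which is exactly the weakness GAO describes: the data behind those questions is what fraudsters already hold.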

“Strengthening TPP authentication could help IRS prevent millions of dollars from being paid to IDT fraudsters each filing season,” GAO said. IRS officials agreed with GAO’s recommendations for improvements to the Taxpayer Protection Program.

“We realize more work needs to be done regarding taxpayer authentication and agree an updated risk assessment should be conducted for the TPP,” John M. Dalrymple, a deputy IRS commissioner, wrote in the agency’s response to the report. IRS recently created a new position, he added, “to lead in the development of our service-wide approach to authentication.”

The GAO report was requested by four members of Congress, including Sen. Susan Collins (R-Maine), chairwoman of the Special Committee on Aging. “While the IRS has developed tools and programs to detect and prevent refund fraud due to identity theft,” she said in a statement, “GAO’s report shows that substantial improvement is still needed.”