The IRS says 2.7 million taxpayers had their identities stolen last year. The agency is now pledging to make the tax filing system more secure by 2016.
IRS Commissioner John Koskinen spoke before the Senate Finance Committee on Tuesday, saying the agency is teaming up with tax software companies and state governments to make it harder for fraudsters to steal tax refunds.
He was answering questions about how fraudsters managed to steal tax forms of 104,000 taxpayers using the IRS website.
Koskinen was short on details for the new plans. But he said that starting in 2016, the IRS will coordinate closer with private companies and state tax authorities to block identity thieves who file fraudulent returns in other people's names.
It's oddly simple to claim someone's tax refund. All it takes is their Social Security number -- a terrible personal identifier. Plus, the rising tide of computer system hacks and massive data breaches (like that of health insurers Anthem and Premera) have given identity thieves access to Social Security numbers and other personally identifying information for millions of Americans.
That's what hackers need to steal tax refunds.
Koskinen said that three months ago, he met with state tax officials and the CEOs of major tax software and tax preparation companies -- likely companies such as Intuit's ( TurboTax and )H&R Block (. They agreed to partner together for next year's tax season, sharing data and bolstering security. )
"The purpose of this meeting is to start a partnership where we work together to fight the battle," Koskinen said.
The IRS will release more details about this partnership next week, he said.
"Tax refund fraud exploded between 2010 and 2012," Koskinen said. And it's only gotten worse since then. Between 2011 and 2014, the IRS spotted and halted $63 billion worth of fraudulent tax refunds. But the IRS paid identity thieves $5.2 billion in 2011 alone.
U.S. Senator Bill Nelson of Florida mentioned how many Americans are actually affected by this kind of thing, noting 2.7 million taxpayers were identity theft victims last year.
Koskinen told senators why the IRS couldn't stop criminals from using a popular IRS website tool called "Get Transcript" to download U.S. taxpayers' prior years' tax documents. The tool already had security in place, requiring taxpayers to submit their Social Security number and answer several highly personal questions. But criminals -- who had already stolen this information from elsewhere -- knew it all.
Those questions are so difficult that 20% of people can't answer them correctly themselves, Koskinen said. But this episode shows that "we have to focus as much as we can on the security of the data," Koskinen said -- even if that means making the process much more burdensome.
Although the massive scheme started in February, it took the IRS until May to discover it because this data leak was hidden among the even more humongous volume of Internet traffic during this year's tax season. Once found, the IRS computer security team shut down the leak immediately.
The "Get Transcript" tool is no longer active online. And now the FBI and IRS are investigating the crime, which has been traced back to computer servers in Russia.
It's too early to tell how credible that is -- but if it is in that region, police will have a difficult time making any arrests. Cybermafias have a heavy presence in Eastern Europe and Russia precisely because they operate there with little fear of getting caught.
Russia and its neighbors don't agree to extradite their citizens for criminal trials in the United States -- frustrating FBI efforts to track down hackers and arrest them.
"As a general matter, we don't get a lot of cooperation," Koskinen told senators.