The IRS has suggested that tax professionals should made use of multi-factor authentication to protect their systems and information in News Release IR-2020-32.[1]

Multi-factor authentication (MFA) requires the user to provide multiple, independent pieces of information or items to authenticate their right to access a system or information. Such a system would involve providing two or more of the following items:

• Something you know (username/password combination);

• Something you are (fingerprint);

• Something you have (a hardware token)

Information regarding methods being used to perpetrate tax refund frauds using preparer’s systems were discussed by IRS representatives at the New England IRS Representation Conference in North Haven, Connecticut, per a report published in Tax Notes Today Federal.[1]

One method, described by Margaret Romaniello, area manager, IRS stakeholder liaison division, is for intruders on the network to modify bank account information on returns that are awaiting transmission to the IRS for electronic filing.  The refund would end up being deposited somewhere other than where the taxpayer intended it to be deposited, such as a Green Dot prepaid debit card in the words of Romaniello.

As part of the continuing campaign to remind tax professionals of data protection and data security issues, the members of the Security Summit have announced a “Taxes-Together-Security Checklist” for tax professionals.[1]

The Government Accountability Office (GAO) turned out to have excellent timing, releasing its report on the overall security of components of the commercial tax preparation systems in the week when Wolters Kluwer took down its online systems used by tax preparers due to a discovery of malware in their network.  The report (IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices, United States Government Accountability Office, GAO-19-340, May 2019) recommends generally that the IRS attempt to impose specific security rules on all participants (tax preparers, electronic return originators and software developers), but the IRS disagreed with the recommendation, primarily based on their view that they lack statutory authority to take the actions suggested.

It’s been a tough few days for users of Wolters Kluwer’s CCH tax products, especially for those using CCH Axcess.  Wolters Kluwers’ systems were affected by malware, per a company release issued the day after the outage triggered by the malware began.

The problem began early on Monday as users discovered CCH’s online systems were not accessible.  While those using the on-site version of CCH’s tax product (ProsystemFX) lost access to electronic filing and the ability to obtain additional single return licenses to run returns if the user ran out of already downloaded permissions, those on the hosted Axcess products lost access to all programs they had licensed on the platform.

In News Release IR-2018-175 warned tax professionals that a failure to prepare a written data security represents a violation of the FTC’s Safeguards Rules and the that the IRS may treat a violation of the FTC Safeguards Rule as a violation of the standards for authorized IRS e-file providers under Revenue Procedure 2007-40.

The IRS Electronic Tax Administration Advisory Committee (ETAAC) members noted in June that they believe fewer than half of all tax professionals are aware of the FTC rule and have written plans in compliance with the rule.

Image copyright badboo / 123RF Stock Photo

The IRS announced on their website page “e-Services - Online Tools for Tax Professionals”[1] that all access to e-Services beginning on December 10, 2017 requires the use of an account that was established using the IRS’s Secure Access authentication.  If a professional has not established an e-Services account by going through the more detailed process, the professional will be required to sign up again using the more detailed (and difficult to complete) process.

Secure Access is meant to make it more difficult for an individual to impersonate a taxpayer or professional.  As the IRS describes the program in their announcement made on December 8[2]:

Secure Access helps protect online tools in two ways: it has a more rigorous identity-proofing process which helps ensure the users are who they say they are, and it requires returning users to use a two-factor access process by entering their credentials (username and password) plus a security code sent as a text message to their mobile phone or a security code generated by the new IRS2Go app feature. This two-factor authentication process meets required federal standards for protecting information.

The IRS is technically correct that both methods are currently allowed under the National Institute of Science and Technology (NIST) standards, the use of SMS as the two-factor vehicle is less secure and the NIST has stated it is being deprecated and may no longer be acceptable at some point in the future.[3]  The NIST issued this statement over a year ago.

Image copyright pixelbrat / 123RF Stock Photo

The IRS stated in September of 2016 in News Release IR-2016-119 that the IRS had become aware of approximately two dozen cases of preparer’s systems taken over by identity thieves.  As the IRS described the issue:

Thieves are able to access tax professionals’ computers and use remote technology to take control, accessing client data and completing and e-filing tax returns but directing refunds to criminals’ own accounts.

Victims in the tax community learned of these thefts while reconciling e-file acknowledgements.

The IRS recommends specific steps that advisers should take to deal with this issue, in addition to the standard advice to run security scans and educate staff on phishing scams.

Image Copyright mikkolem / 123RF Stock Photo

The IRS issued a warning regarding attempts to trick tax professionals to install malware on their systems by clicking on an “update” link for their tax software.  [IR-2016-103]  Once clicked, the “update” will install a keystroke logger that will send all of the preparer’s keystrokes (which will likely include important client information) to a third party—and we can presume that party is planning to use that information for various nefarious purposes.

The use of email to trick users into installing malware is very common—because it’s very effective.  If the email fits the general context that users expect (email from the software provider we use for tax software that is formatted as expected) and the message itself seems reasonable (there’s an important software update—perhaps even an extremely important one to avoid having your systems compromised) we will often click through on the email and follow its instructions without a second thought.

Image Copyright pixelbrat / 123RF Stock Photo

The IRS has issued a warning to tax preparers regarding the risk posed to the preparers and their clients from data theft in News Release IR-2016-96 and Fact Sheet 2016-23. The notice follows on the IRS’ promise to get information out to tax preparers following the 2016 Security Summit as part of its Protect Your Clients; Protect Yourself campaign.

The news release directs preparers to the fact sheet and to the more detailed Publication 4557, Safeguarding Taxpayer Data, a 21 page PDF document.

Another security issue has arisen in the tax arena, this time targeted not at the IRS, but rather at tax preparers.  In Issue 2016-15 of e-News for Tax Professionals newsletter published by the IRS the agency warned of criminals targeting tax professionals to take control of their systems to file fraudulent returns using the client’s information and redirect the fraudulent refunds to accounts the criminals control.

The IRS web systems were again attacked using information that the perpetrators had acquired from other services.  In a statement the IRS described the attack on their system.

In this case the system under attack was the IRS’s Electronic Filing PIN web application used by some taxpayers to obtain a PIN to file a tax return when the taxpayers are not using a preparer and don’t have access to their tax year 2014 tax return information.

In Program Manager Technical Advice 2015-19 the IRS indicated how the agency should deal with situations that arise when there is identity theft that occurs against a business.  

While identity theft at the individual level has gotten much attention in the press, there also exist situations where a third party attempts to hijack a business’s tax identity for nefarious purposes.  For instance, the hijack can be use to create fictitious W2s that can be used to make it more difficult for the IRS to detect individual tax return refund fraud or simply to claim fraudulent refunds for the “business” in question. 

The IRS has reminded those participating in the electronic filing program about their responsibilities with regard to their EFIN number in Fact Sheet FS-2015-27.

The IRS has expressed concern about legitimate EFIN accounts being “hijacked” by those perpetrating tax refund fraud by filing fraudulent returns and has indicated that the agency expects EFIN holders to take actions to secure and monitor their accounts at IRS e-services.

The IRS, along with certain payroll services, will be testing a 16 character W-2 Verification Code for the 2015 filing season the IRS announced on their website at https://www.irs.gov/Individuals/IRS-Tests-W-2-Verification-Code.

An important fact to note is that the IRS initially will not be doing anything with this code except to “test-and-learn” to see if it is useful in determining the integrity of W-2 information.  Thus, to put it a bit differently, using or not using the code is not going to do anything for the moment to improve the chances that a taxpayer will not be subject to ID theft.

The IRS has provided information on how a victim of tax related identity theft may obtain a copy of the return filed by the other party at https://www.irs.gov/Individuals/Instructions-for-Requesting-Copy-of-Fraudulent-Returns.

The IRS issued a Fact Sheet (FS-2015-24) that discusses tax preparers and their obligations with regard to protecting their clients from data theft as well as generally securing taxpayer information.