Tax theft is a $20 billion a year industry, and one company thinks it can do something about that. Thanks to a new app from security firm MorphoTrust, taxpayers might now be able to secure their returns by using a selfie.
It's an idea that might save them, and the government, a lot of time and money.
Every year identity thieves steal taxpayers' information at both the federal and state level. These criminals file using stolen credentials such as Social Security numbers and W-2s picked up during phishing schemes and, if there's a refund due, take the money for themselves. With more than 80% of taxpayers getting money back from the government, and the average refund around $3,100, it's a pretty lucrative scheme.
It's also one that has become increasingly and incredibly easy with the advent of online tax processing and e-filing. It's the classic story that all IT security struggles with: making a system easier to use also makes it easier to hack. Well, those same systems which auto-crunch the numbers and let taxpayers dodge post office lines have made it seamless and easy to monetize identity theft.
"It's been frustrating for years," said Julie Magee, commissioner of the Alabama Department of Revenue. According to her, one of the biggest frustrations of her job over the past several years has been keeping the lid on an explosion in tax-related identity theft.
"We're really behind compared to banks and credit card companies and mortgage companies in preventing other people's PII [personally identifiable information] from being used to file fraudulent tax returns," she said.
"Any government that accepts an income tax return, we [are] being taken advantage of and wasting billions of dollars in funding criminal activity," she added. "It was happening on a small scale prior to 2011, but in 2011, that's when we saw just an explosion in identity theft, and we think it has to do with pushing people to file electronic returns rather than paper returns."
By moving the tax system online, Magee said, the government made it far easier for taxpayers to do their civic duty as well as for the government to process it. (She estimates that Alabama alone spends approximately $1.90 to process each paper return compared to the next-to-nothing costs of an electronic one.)
Yet the same systems that increase ease of use for individuals do the same thing for criminals. Reduced barriers have made it possible to submit hundreds or even thousands of illegitimate filings, making the scheme profitable even if the government rejects all but a relative few.
Locking down those systems, though, proves incredibly difficult in an era where personal IDs are increasingly a marketplace commodity.
Most government systems use more or less the same set of information to prove a user's identity: Social Security numbers, driver's license numbers, home addresses both past and present, etc. Particularly in the case of a Social Security number, people try to keep this information private, but there's no such thing as bulletproof security. Device theft, hacks, scams, phishing schemes and any of a dozen other vectors can spill someone's personal information onto the internet.
And there's no unringing that bell. Data, once out in the wild, is out there for good. Anyone can copy it and use it again and again on any system.
For government agencies, though, how else can they prove that this email address and account number belong to the right person? That's the problem which Boston-based security firm MorphoTrust is taking on with its eID smartphone app.
The solution? Selfies.
"It's a way for you to represent yourself in line that's equivalent to standing in front of somebody in line with your driver's license," said Mark DiFraia with MorphoTrust. "Whenever someone opens the app it uses facial recognition, so that if you leave the phone on a bench or something like that no one can present themselves as you to that website."
It's actually a little more sophisticated than it sounds.
The government's problem is well known in the tech world. For virtually any organization, login credentials are a security bottleneck. Something like a username or password is far too easy to copy to be fully secure. The problem is particularly acute on government systems (users can change their passwords, but citizens can rarely change their Social Security numbers), and this basic notion of relying on secret phrases to get into a secured system has long been considered insufficient.
Instead, most security experts support what's called multifactor authentication. The idea is that a secured system should rely on a combination of three factors:
- What you know: Passwords, Social Security numbers or other presumably secret information entered at a login screen.
- What you have: Login credentials broadcast from or received by a device on the user's person.
- Who you are: Some form of biometric or otherwise personally unique identifier used to access the system.
For example, in the movies, it's common to see characters access secured areas by punching in a key code and then swiping their access card. This would be an example of "what you know" plus "what you have" authentication. The user knows the code and has the card.
MorphoTrust's eID app works the same way.
When someone logs on to a tax website, or any other website that adopts the system as the company hopes, the site sends a request for permission to that user's smartphone. The user opens the eID app through its selfie function (who you are) and then gives permission to access the website (what you have).
Taxes will be further secured by having the return itself require this same permission structure. If someone has created an eID account, whenever a return gets filed with their name and Social Security number the app will pop up a request for authorization. Basically, DiFraia said, the goal is to create a centralized set of permissions when it comes to your personal information.
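The hold-until-approved flow described above can be sketched as follows. This is an added example, not MorphoTrust's code: the article does not say how eID proves possession of the phone, so an HMAC over a one-time challenge with a per-device key is assumed here, and `TaxAgency`, `Phone` and the taxpayer ID are hypothetical names.

```python
import hashlib, hmac, secrets

class Phone:
    """Constructed stand-in for the enrolled phone ("what you have")."""
    def __init__(self, device_key):
        self.key = device_key
    def approve(self, challenge, digest, face_matched):
        if not face_matched:          # "who you are": the app stays locked
            return None
        return hmac.new(self.key, challenge + digest, hashlib.sha256).digest()

class TaxAgency:
    def __init__(self):
        self.enrolled = {}            # taxpayer id -> device key
        self.pending = {}             # challenge -> (taxpayer id, return digest)
    def enroll(self, taxpayer_id):
        key = secrets.token_bytes(32)
        self.enrolled[taxpayer_id] = key
        return Phone(key)
    def submit_return(self, taxpayer_id, return_bytes):
        digest = hashlib.sha256(return_bytes).digest()
        if taxpayer_id not in self.enrolled:
            return "accepted-unprotected", None, digest
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (taxpayer_id, digest)
        return "held", challenge, digest       # nothing is processed yet
    def confirm(self, challenge, response):
        entry = self.pending.pop(challenge, None)   # each challenge is single use
        if entry is None or response is None:
            return "rejected"
        taxpayer_id, digest = entry
        key = self.enrolled[taxpayer_id]
        expected = hmac.new(key, challenge + digest, hashlib.sha256).digest()
        return "accepted" if hmac.compare_digest(expected, response) else "rejected"

def demo():
    agency = TaxAgency()
    phone = agency.enroll("TAXPAYER-0001")          # constructed sample ID
    # Return filed with copied identity data, but without the enrolled phone.
    _, c1, d1 = agency.submit_return("TAXPAYER-0001", b"constructed return A")
    forged = agency.confirm(c1, hmac.new(b"guess", c1 + d1, hashlib.sha256).digest())
    # Phone left on a bench: the face check fails, so no approval is produced.
    _, c2, d2 = agency.submit_return("TAXPAYER-0001", b"constructed return B")
    locked = agency.confirm(c2, phone.approve(c2, d2, face_matched=False))
    # Legitimate filing, then an attempt to reuse the same approval.
    _, c3, d3 = agency.submit_return("TAXPAYER-0001", b"constructed return C")
    resp = phone.approve(c3, d3, face_matched=True)
    return forged, locked, agency.confirm(c3, resp), agency.confirm(c3, resp)
```

Binding the approval to a digest of the specific return means an approval captured for one filing cannot be attached to a different one.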
"I think the context is online today information is used constantly and we never know where," he said. "What this product is trying to do is give people an anchor point in the online world… If they need or want information from you, you'll always get notified from the app and you can approve of that, so you're always in control of the data."
The eID app and its tax program are currently in the early stages. Alabama will test it for the first time this year and MorphoTrust hopes that the system will prove successful with users.
If it works, if eID is able to both provide effective security and attract consumers, it may mark the first real move toward multifactor authentication on the mainstream internet.