
Taxpayer First Act: Improving identity verification and modernizing the IRS

Reducing costs and efficiently serving customers online is an objective of most organizations. This is also true for most federal agencies, but since the first website was created, federal agencies have faced the constant challenge of verifying the identities of their online users. Large-scale breaches have put citizens' personally identifiable information (PII) up for sale on the dark web, increasing the challenges of identity verification. How can you be certain who is accessing a website and transacting business?

Identity verification and the GAO reports

In June 2018, the Government Accountability Office (GAO) published a report entitled, "Identity Theft - IRS Needs to Strengthen Taxpayer Authentication Efforts". As noted in the report, "In May 2015, [the] IRS temporarily suspended its Get Transcript service after fraudsters used personal information obtained from sources outside IRS to pose as legitimate taxpayers and access tax return information from up to 724,000 accounts." This breach is highlighted by GAO along with the 2015 Office of Personnel Management (OPM) breach that affected over 22 million current and former employees and contractors as well as the 2018 Equifax breach that affected 145 million Americans.

GAO also highlighted that the IRS estimates there were attempts to steal at least $12.2 billion through identity theft (IDT) tax refund fraud in 2016. However, it estimates that it prevented the theft of at least $10.5 billion of that amount. That means that at least $1.6 billion was paid out to fraudsters. I'll repeat, $1.6 billion in taxpayer dollars paid to criminals.

The sheer volume of PII available to fraudsters warrants alternative approaches to the common practices of verifying identities online. Knowledge-based verification (KBV) typically challenges online users with questions from their credit report that only they should know. Today, there is a strong likelihood that fraudsters know that information, too.

Challenges in verifying identities securely are not limited to the IRS. The reality is most federal agencies do not have high confidence in the persons interfacing with them online. This garnered the attention of Congress, which tasked GAO with examining online identity verification processes deployed at six federal agencies that routinely interface with citizens online, including the Centers for Medicare and Medicaid Services (CMS), General Services Administration (GSA), IRS, SSA, USPS and the Department of Veterans Affairs (VA).

Some agencies not moving off knowledge-based verification

In May 2019, GAO released "Data Protection - Federal Agencies Need to Strengthen Online Identity Verification Processes." The good news is that some, including the IRS, no longer exclusively rely on KBV, while surprisingly, others including CMS have no plans to move on. GAO reported that, "Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public. For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud."

As I read the report, I thought of how we can legally open a bank account and even apply for a mortgage using our mobile phones. The argument regarding the viability of mobile device verification held a lot more water a few years ago than it does now. It is true that not every American possesses a smartphone. Sad to say, not every American has running water or electricity, either. However, doesn't it make sense to solve a problem to meet the needs of the overwhelming majority of Americans - and develop alternative solutions for the remainder?

According to the Pew Research Center, 81% of Americans own a smartphone. This follows the 80/20 rule almost exactly. It is unfortunate that a federal agency hosting vulnerable PII on American citizens will not deploy better identity verification technologies and processes, because 19% of Americans don't have a smartphone.

Modernizing the IRS and the Taxpayer First Act

On July 1, 2019, the Taxpayer First Act (H.R. 1957) was signed into law. The Act modernizes the IRS in several key areas including its:

The Act also includes technological provisions including establishing requirements for cybersecurity and identity protection, providing notification to taxpayers of suspected identity theft, expanding electronic filing of tax returns, adopting uniform standards, and procedures for accepting electronic signature technology.

As the IRS modernizes how it does business by driving more activity to the web, it is imperative that there is high confidence that the person logging in is who they claim they are, regardless of whether they are in the role of a tax professional or taxpayer.

With regard to tackling potential fraud under the Act (including identity theft refund fraud), by January 1, 2020, the Secretary of the Treasury "shall verify the identity of any individual (tax professionals) opening an e-Services account with the Internal Revenue Service before such individual is able to use the e-Services tools". Although the law does not specify how identity verification shall be performed, I suspect it will follow the updated path of the "Get Transcript" service.

The May 2019 GAO report details the IRS's revamped identity verification process for Get Transcript:

Sending SMS text messages can be quite expensive, especially for an agency with over 250 million potential users. From a security and potential cost savings standpoint, having a verified user use an official, shielded IRS mobile application to generate and access a one-time PIN during an encrypted session would be an enhancement to the current process.

To expand electronic filing of tax returns, the Act directs the Secretary of Treasury to publish guidance to establish uniform standards and procedures for the acceptance of taxpayers' e-signatures. This includes any request for a disclosure of the user's tax return, return information sent to a practitioner, as well as any power of attorney granted to a practitioner by the taxpayer.

When it comes to tax returns, in addition to the person's identity being verified, document integrity is of the utmost importance. I expect that a digital signature and tamper-seal be applied after each individual e-signs, since tax returns are often signed by multiple parties - and it is critical to be able to detect if changes were made between signers.
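The per-signer tamper seal described above can be sketched as a chain in which each seal covers the document hash and the previous signer's seal. This is an added example, not code from the article or the IRS; the signer names, keys and sample return text are constructed, and HMAC stands in for a real asymmetric digital signature so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

def _seal(key: bytes, signer: str, doc_hash: str, prev_seal: str) -> str:
    # Assumption: HMAC replaces an asymmetric signature, so the verifier shares the keys.
    msg = json.dumps({"signer": signer, "doc": doc_hash, "prev": prev_seal},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def add_signature(document: bytes, chain: list, signer: str, key: bytes) -> list:
    """Append a seal binding this signer to the document hash and the prior seal."""
    doc_hash = hashlib.sha256(document).hexdigest()
    prev = chain[-1]["seal"] if chain else ""
    entry = {"signer": signer, "doc": doc_hash, "prev": prev,
             "seal": _seal(key, signer, doc_hash, prev)}
    return chain + [entry]

def verify_chain(document: bytes, chain: list, keys: dict) -> str:
    """Return "ok" or the first problem found, walking seals in signing order."""
    if not chain:
        return "unsigned"
    prev_seal, prev_entry = "", None
    for entry in chain:
        key = keys.get(entry["signer"])
        if key is None:
            return f"unknown signer: {entry['signer']}"
        expected = _seal(key, entry["signer"], entry["doc"], entry["prev"])
        if entry["prev"] != prev_seal or not hmac.compare_digest(expected, entry["seal"]):
            return f"invalid seal: {entry['signer']}"
        if prev_entry and entry["doc"] != prev_entry["doc"]:
            return f"changed between {prev_entry['signer']} and {entry['signer']}"
        prev_seal, prev_entry = entry["seal"], entry
    if hashlib.sha256(document).hexdigest() != prev_entry["doc"]:
        return f"changed after {prev_entry['signer']}"
    return "ok"

# Constructed sample data: keys, signer names and return text are hypothetical.
KEYS = {"taxpayer": b"k1-constructed", "spouse": b"k2-constructed"}
RETURN_V1 = b"Form 1040 (sample): refund to account ending 1111"
RETURN_V2 = b"Form 1040 (sample): refund to account ending 9999"

def demo() -> dict:
    clean = add_signature(RETURN_V1, [], "taxpayer", KEYS["taxpayer"])
    clean = add_signature(RETURN_V1, clean, "spouse", KEYS["spouse"])
    swapped = add_signature(RETURN_V1, [], "taxpayer", KEYS["taxpayer"])
    swapped = add_signature(RETURN_V2, swapped, "spouse", KEYS["spouse"])
    return {"clean": verify_chain(RETURN_V1, clean, KEYS),
            "between": verify_chain(RETURN_V2, swapped, KEYS),
            "after": verify_chain(RETURN_V2, clean, KEYS)}
```

Because each seal includes the previous one, editing any recorded hash or reordering signers invalidates every later seal, which is what lets a reviewer name the signer after whom the document changed.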

Additionally, the IRS should be armed with a robust audit trail of the entire signing event, should a return be deemed suspicious and warrant further investigation. A thorough audit trail should have the capability to reproduce each and every screen presented to the user, as well as all legal disclosures and documents that were presented, and how long the signing parties took at each step.

Expanding to other agencies

Implementing strong authentication is critical for the federal government to secure and extend e-government services. As the IRS implements the provisions in the Act, other agencies have already begun to strengthen their identity verification and authentication processes as they modernize services for external users.

In a June 2019 webinar hosted by the FIDO Alliance, the GSA discussed its recently added support for the FIDO Alliance's FIDO2 authentication standard on its login.gov portal, which will enable near-frictionless strong authentication for users to securely access and transact with supporting federal agencies.

The GSA noted that they are evaluating an enhanced remote identity proofing process for login.gov which other agencies could leverage. To register for a login.gov account, the applicant (user) would take a picture of a government-issued ID such as a driver license. The driver license is checked to verify the authenticity of the document itself. That would include a record check with the state DMV to verify that the ID is valid and the number on the ID matches the information displayed on the ID. The person's address would then be checked using the USPS's database.

This process has been embraced by the banking industry for digital account opening combined with electronic signatures to sign required forms, thereby negating the need for customers to travel to a branch while reducing costs. It is exciting to see that the federal government is utilizing what is working in the private sector while reducing reliance on PII that fraudsters can easily obtain on the dark web.

Disclosure: My employer, OneSpan, is a provider of identity verification, authentication, mobile application security and electronic signature solutions. I also serve as co-chair of the FIDO Alliance's Government Deployment Working Group and represent OneSpan on the board of directors of the Electronic Signature and Records Association.

This story, "Taxpayer First Act: Improving identity verification and modernizing the IRS" was originally published by CSO.