720-891-1663

Best Practices, Security Practices

After Congress Dust-up, IRS Changes Rules – Sort Of

Leave a comment

Quietly, the IRS was trying to reduce the billions of dollars a year in fraud from people who pretend to be you and me and do things like steal tax refunds. They did this by making it harder to pretend to be someone you are not, including using biometrics.

Some people complained that people who need to get IDs don’t have smartphones (really, today, are there a significant number of people neither have their own, low-end, prepaid smartphone AND also do not have a friend that will let them use their phone to register with the IRS? It is possible, but I don’t think it is a large number).

Congress, looking for any reason to get 15 seconds of air time, jumped on this issue (remember, we still don’t have a federal budget, but clearly this is more important).

The IRS said “me bad” – because no one likes the IRS anyway.

Today they revealed their next attempt at this. One of the complaints was that you had to submit a selfie and the ID service was being run by a private company. Both of these are true, but the service has never had a breach and is currently being used by more than two dozen states.

Anyway, the IRS’s solution is that you can do a live video interview with the same company. I don’t know, but I bet, for legal reasons, they are going to record that interview, so I am not sure that this is much different that ID 1.0.

Some Congress people asked why the IRS wasn’t using the government’s existing single signon system called login.gov. Since most Congress people don’t know anything about security, that is a reasonable question. Turns out that Login.gov uses another, different private company, (LexusNexis) and actually doesn’t have any security features to stop fraud. Other than that, it is a perfect solution.

Now, the totally underfunded and understaffed Login.gov team is working with the IRS to see what security features might need to be added to Login.gov to make it, actually, secure. Perhaps they should have asked that question years ago when they were first implementing it. It turns out that security was not the purpose that Login.gov was created for. All they wanted to do is cut down the number of accounts that a citizen needed to access government services. One login ID would let you reserve a campsite at a national park and also, buy a ticket for a Washington monument. None of the uses required high security. At least one Congress person, Senator Ron Wyden, pointed out that the government has not funded it properly and the cost has been billions of dollars of fraud.

Maybe there will be some good news out of this. Maybe Login.gov will get the attention it needs and will ask that other private company, LexusNexis, to help them with a secure login solution. Stay tuned, because that won’t happen quickly. Credit: Brian Krebs

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy