While tax season is still producing eye twitches around the nation, it’s time to face the music about tax-related identity theft. Experts project the 2014 tax year will be a bad one. The Anthem breach alone exposed 80 million Social Security numbers, and then was quickly followed by the Premera breach that exposed yet another 11 million Americans’ SSNs. The question now: Why are we still using Social Security numbers to identify taxpayers?
From April 2011 through the fourth quarter of 2014, the IRS stopped 19 million suspicious tax returns and protected more than $63 billion in fraudulent refunds. Still, $5.8 billion in tax refunds were paid out to fraudsters. That is the equivalent of Chad’s national GDP, and it’s expected to get worse. How much worse? In 2012, the Treasury Inspector General for Tax Administration projected that fraudsters would net $26 billion into 2017.
While e-filing and a lackluster IRS fraud screening process are the openings that thieves exploited, and continue to exploit, the IRS has improved its thief-nabbing game. It now catches a lot more fraud before the fact. This is so much the case that many fraudsters migrated to state taxes this most recent filing season because they stood a better chance of slipping fraudulent returns through undetected. Intuit even had to temporarily shut down e-filing in several states earlier this year for this reason. While the above issues are both real and really difficult to solve, the IRS would have fewer tax fraud problems if it kicked its addiction to Social Security numbers and found a new way for taxpayers to identify themselves.
Naysayers will point to the need for better data practices. Tax-related fraud wouldn’t be a problem either if our data were more secure. Certainly this is true. But given the non-stop parade of mega-breaches, it also seems reasonable to say that ship has sailed. No one’s data is safe.
Identity thieves are so successful when it comes to stealing tax refunds (and all stripe of unclaimed cash and credit) because stolen Social Security numbers are so plentiful. Whether they are purchased on the dark web where the quarry of many a data breach is sold to all-comers or they are phished by clever email scams doesn’t really matter.
In a widely publicized 2009 study, researchers from Carnegie Mellon had an astonishingly high success rate in figuring out the first five digits for Social Security numbers, especially ones assigned after 1988, when they applied an algorithm to names from the Death Master File. (The Social Security Administration changed the way they assigned SSNs in 2011.) In smaller states where patterns were easier to discern the success rate was astonishing — 90% in Vermont. Why? Because SSNs were not designed to be secure identifiers.
That’s right: Social Security numbers were not intended for identification. They were made to track how much money people made to figure out benefit levels. That’s it. Before 1972, the cards issued by the Social Security Administration even said, “For Social Security purposes. Not for Identification.” The numbers only started being used for identification in the 1960s when the first big computers made that doable. They were first used to identify federal employees in 1961, and then a year later the IRS adopted the method. Banks and other institutions followed suit. And the rest is history.
In fact, according to a Javelin Research study last year, 80% of the top 25 banks and 96% of the top credit card issuers provide account access to a person if they give the correct Social Security number.
There are moves to fix related fraud problems elsewhere in the world, in particular India where, in 2010, there was an attempt to get all 1.2 billion of that nation’s citizens to use biometrics as a form of identification. The program was designed to reduce welfare fraud, and according to Marketwatch, 160 similar biometric ID programs have been instituted in other developing nations.
In 2011, President Obama initiated the National Strategy for Trusted Identities in Cyberspace, a program that partnered with private sector players to create an online user authentication system that would become an Internet ID that people could use to perform multiple tasks and aid interactions with the federal and state governments. There may be a solution there — but not yet.
The first Social Security card was designed in 1936 by Frederick Happel. He got $60 for it. It was good enough for what it had to do (and was clear that the card wasn’t a valid form of identification). That is no longer the case. That card is nowhere near good enough. Perhaps one solution is a new card design — one with chip-and-PIN technology. Just how something like that might work — i.e., where readers would be located, who would store the information & support authentication, etc. — would have to be a discussion for another day.
The point is, we need to do something.