Schneier on Security
A blog covering security and security technology.
May 31, 2012
Tax Return Identity Theft
I wrote about this sort of thing in 2006 in the UK, but it's even bigger business here:
The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card.
The government-approved cards, intended to help people who have no bank accounts, are widely available in many places, including tax preparation companies. Some of them are mailed, and the swindlers often provide addresses for vacant houses, even buying mailboxes for them, and then collect the refunds there.
The fraud, which has spread around the country, is costing taxpayers hundreds of millions of dollars annually, federal and state officials say. The I.R.S. sometimes, in effect, pays two refunds instead of one: first to the criminal who gets a claim approved, and then a second to the legitimate taxpayer, who might have to wait as long as a year while the agency verifies the second claim.
J. Russell George, the Treasury inspector general for tax administration, testified before Congress this month that the I.R.S. detected 940,000 fake returns for 2010 in which identity thieves would have received $6.5 billion in refunds. But Mr. George said the agency missed an additional 1.5 million returns with possibly fraudulent refunds worth more than $5.2 billion.
The problem is that it doesn't take much identity information to file a tax return with the IRS, and the agency automatically corrects your mistakes if you make them -- and does the calculations for you if you don't want to do them yourself. So it's pretty easy to file a fake return for someone. And the IRS has no way to check if the taxpayer's address is real, so it sends refunds out to whatever address or account you give them.
Posted on May 31, 2012 at 1:19 PM
• 39 Comments
The misuses of the Internet are even worse in India.
I think that requiring more stringent identification for people that file early and also want to get an early refund would take care of a large percentage of this kind of fraud. And if you don't want your money early, then you don't need to supply advanced identification.
For example, a notarized signed authorization (where photo id was required, perhaps attaching a photo copy of the photo id). Certainly that wouldn't stop all fraud, but I think it would make a big dent in this particular scheme.
Also, if the IRS receives 2 returns for the same person on or around April 15th, that would be a red flag. And, certainly their fraud detection unit would have a fighting chance then.
Or, they could stop taking out more than they are owed in the first place and eliminate the tax refunds altogether.
Instead err on the other side, where you are expected to send a check to the govt on April 15th for the difference between what they took out, and what they owe, not the other way around.
IMHO, the really fascinating part of the article is near the end, where it describes criminals apparently converting en masse to tax fraud from more violent crimes. I'd love to see some hard numbers on just how much violent crime has dropped (if it really has) as tax fraud has risen.
The real problem is that Congress keeps pushing the IRS to process the returns faster to keep the economy humming (most are processed in under 24 hours). The majority of these fraudulent returns are processed long before the IRS has the information from employers. If they would simply wait for the companies' tax information, this would eliminate most of this kind of fraud, but that would require some sanity from Congress which is highly unlikely.
@Bob Frank: I wonder how much notary fraud there is. It's not like the IRS can take the time to check with the notary noted in the notarization with whether this note to the IRS is or is not legitimate for every filed return. Since the thief isn't sticking around they're not going to go showing the notarized form around where it can undergo further scrutiny.
As for photocopies of IDs go, those would be entirely trivial to fake up, plain and simple. Again, unless the IRS investigates every single one.
So yeah, the number of frauds perpetrated would go down but the total dollar loss probably wouldn't go down much since those who do high volume fraud would probably fraudulently notarize the forms.
And yeah, if you get two forms on April 15th that'd be a red flag, but the criminals aren't filing on April 15th. They're filing closer to January 31st, so they'll have three and a half months to get away with the cash first.
I think Nate's got the better idea. The IRS has /all/ of the information on me. Is it that hard for them to take out exactly what I owe each paycheck instead of making a bad estimate at the beginning of the year? I understand that for more difficult returns this could be problematic but those more difficult returns usually go through attorneys or CPAs, right? And those attorneys and CPAs can be more strongly vetted. If you reduce the cross-section of attack enough it might get lost in the noise instead.
If I'm reading that correctly the IRS issued over 64 million checks averaging ~$3K each, for a total of 193 Billion dollars.
The citizens are using it as a short term savings account, and favoring the security of the IRS owing them money rather than the fear of not having enough money to cover what they might owe at the end of the year.
Seriously though, if you want to loan the govt money, buy a bond.
In fact if the IRS issued refunds in the forms of bonds that took a year or more to mature to the refund amount it might mitigate the real problem and encourage people to fill out their W4's.
@No One: Yes it is hard for the IRS to take out exactly what you owe each paycheck because the premise of our tax system is the basis of voluntary taxation. The IRS, lawfully, cannot begin taking out what it believes you owe because the tax is not a "direct tax"; if it were a DT it could do it. Instead the IRS must first receive an affidavit from you the payer attesting to what you owe. It is our attestation that creates the contract and completes the contract where we agree to pay.
So that is the problem that the IRS faces with this issue. It will only become more and more difficult.
On a whim, I tried to figure out if the "losses" were accurate. After all, they could be overstated.
$6.5 × 10^9 in fraudulent refunds, over 9.4 × 10^5 in fraudulent filers gives ~ $6.9 × 10^3 return per fraudulent filer.
The larger set of potential frauds contains another $5.2 × 10^9 over 1.5 × 10^6 gives $3.46 × 10^3 per potential-fraudulent-filer.
This doesn't trip my absurdly-large-numbers sensor, as I assume returns between $3500 and $7000 occur regularly.
One piece of advice for individual filers: use this link
to help reduce your withholding to the minimum amount necessary. Thus, any attempt by others to fraudulently file for you produces a very small return for them.
However, you lose the feeling of Big Bonus From The Tax Filing that some people get.
> However, you lose the feeling of Big Bonus From The Tax Filing that some people get.
This, I suspect, is the greater reason the IRS does not withhold more accurately. People are annoyed enough already having to file their taxes. The "refund" is the opiate of choice to prevent the populace from getting fed up with the system. In a sense, the refund is the "reward" for putting up with a broken system.
It's all incentives. The IRS is brilliant, in a way, in using one's OWN money, taken as an interest-free loan, to encourage certain feelings or behavior.
Of course, if the pain level from fraudulent returns ever rose above the level from annoyed taxpayers, then naturally withholding would start to be calculated more accurately. (Or at least the attempt would be made. Whether or not a government agency could actually get it right is up for debate.)
An ACH (inter-bank Automated Clearing House) transaction for identity verification would be useful, not only for the IRS but for other people like PayPal who now make trivial deposits to verify account numbers.
The new/expanded ACH transaction signals a transfer of funds to an account and includes sundry information like account holder name, social security number, minimum age of account, maybe even address. It includes match requirements for what info is to be checked, and how much drift (e.g. middle name missing) is allowed.
When there is insufficient match, the queried bank responds on the next cycle (day) similar to the current transaction rejects due to closed account, etc.
It's difficult for a consumer to open a checking account without identity verification at the bank. Just supplying a SSN/EID and name with the direct deposit would kill most mule fraud.
Deposits from the IRS into state run debit cards (used for public assistance, unemployment, etc.) can also be account owner verified since the state collects/verifies information when enrolling the receiver.
I'd also like to see a legal requirement that any bank accept/open a no-fee holding account for government generated payments, accessible via a card. This is basically the same system widely used for public aid payments, and should be expanded as a way to provide basic bank service to
The refundee picks the bank location, the IRS gives them the money to hold, and the bank opens the account/verifies ID on first withdrawal. The bank should think of it as cashing a check written against one of their depositor's accounts (something that should be legally no-fee to the check payee), giving cash or loading a no-fee debit card.
Or, how about we do away with tax deductions and refunds altogether and just take a graduated percentage of every payroll check so that nobody has to file any return in the first place?
Not all taxable income is in the form of paychecks
People who receive 1099-style income already have to report it as income and make tax payments either annually or quarterly depending on the amount of money you're talking about, so the only change there is the simplification of the tax rate and the removal of deductions.
I'm self employed in California and having to do taxes is an expensive nightmare. I have to make estimated payments which means in the first quarter of the year I have to accurately predict my income for the whole year. There are fines for predicting wrong. And in California you have to front load your payments - i.e. pay almost half the total estimated for the whole year within the first quarter (it made the books look better temporarily once). Heck I even have to do things like pay taxes on money clients later stiffed me on. And of course I have to pay someone almost $400 a year to prepare my taxes because of the complexity. (Note I am sole proprietor, don't have employees or anything in the way of complications.)
The US tax system is insane. The billions spent each year (over $12b I saw in one report) is wasted money.
When I lived in the UK I didn't have to do a return most years (they already had all the information and if an adjustment was necessary they just changed your tax code for the next year). When I did have to fill them out it only took a few minutes.
In some countries tax dept. don't even allow you tax code if you don't possess permanent local residence address. Officially speaking no one would suggest you for bribe. This is a security blog. Hope Bruce would suggest your tax dept. look into your pain.
"security is beyond fear"
UK to US..what about UAE..no tax!!
Be advised that our political heroes use the tax refund as a preferred form of wealth redistribution here in the States. The Earned Income Tax Credit (EITC) says, in essence, if you don't make enough money, at tax time we will give you back all we withheld plus we'll throw in some extra. So if I file as the head of household making 40k a year with a wife and three kids at home, I get all my withholding back plus an extra 5k. And if I file with someone else's ID and make all those numbers up, the same thing happens.
"Over here - the free money line!"
I'm not a huge fan of the Canadian Revenue Service, but they do two simple things that would appear to eliminate a lot of the US problems:
1. A 4 digit PIN is mailed to the address where your previous year's tax return was filed. You cannot file online without the PIN.
2. If your address has changed, you cannot file a tax return online.
> And the IRS has no way to check if the taxpayer's address is real, so it sends refunds out to whatever address or account you give them.
WTF? Isn't there an official register of all people living in the US? Why not send all mail to this address?
The solution to this problem is pretty easy, actually:
a) Make every person:
1) Register his/her address;
2) Present his/her tax report in person
3) Present government issued papers to prove every line in his/her report
b) When a person presents his/her tax report, check his/her photo ID, fingerprint, DNA. Then compare all the information with the central database.
These two steps should eliminate most of the fraud.
@allotria, NZ: The US federal government does not and is not authorized to hold a general roll of all citizens and their addresses. (If they tried they could /probably/ make it stick under general welfare or commerce clauses but it's not cut-and-dried.)
State governments can and do have laws requiring you to keep them updated as to permanent address. Massachusetts, for instance, requires you to have a state government issued form of identification as an adult.
The reason the federal government is not allowed to, however, is a freedom argument. If I'm not doing anything that the government has the right to regulate, making no income, for example, they have no right to come sniffing around. Also, I'm allowed to live wherever I please (and can pay) and being on some sort of listing of my address is inviting such things as easy oppression of minorities.
TL;DR: No general registry stems from the desire Americans have of keeping the government out of their business as much as possible.
due to the fact that the United States is a Federal Government containing various States, information on who lives where is distributed.
Every City (and most Counties, and some States) keep track of who owns property taxes for a particular address.
Most StateGov's keep track of what address is listed as Residence for people who obtain Driving Licenses. Those StateGov's that collect Income Tax track the residence listed on the forms submitted by the Employer.
The FedGov's Dept. of Treasury keeps track of the same data. Various other FedGov agencies keep track of people that they handle paperwork for. (Investigate, license, support, have chats with, etc.)
However, the process mostly depends on the honesty of the people who fill out the forms.
Having filled out my tax return forms in Germany just recently, I wonder how these look in the US..? I had to fill out so many values (sometimes up to cent-precision and quite a few ID numbers) that I find it hard to believe that anyone could create a plausible forgery of that. Plus, many of the values are already known to the tax office and/or very unlikely to change over the years so that they can do extensive validations.
Do you really just have to write a letter "I am Jon Snow, working at The Wall, please send my tax return cheque to this address: ..."?
In line with your thinking on security:
Do you think the problem of individual criminals getting "hundreds of millions" in fake returns is worse than outright and open theft at the top of the tax brackets, often through similar, deliberate navigations around tax law for personal gain?
I would assume that number is in the hundreds of billions, but I can only base that assumption on editorial content I find in news articles.
In my opinion, concern over individual small-time fraud should be a low priority compared to larger tax evasion and tax code problems.
Often we are treated to the security theater of "busting" these fake income tax rings. I recall one on a major US network about a ring run from a prison.
How shocking. (Clutches pearls).
I suppose news about white collar evasion and circumvention fails to pass for sweeps week content.
Seems a simple solution would be that any early filings where the mailing address is different from the previous year get flagged.
All flagged returns are delayed until the April 15th deadline, these are then all checked for duplicates, the non-duplicate ones are then sent.
U.S. Tax forms are similar.
The filer gets a Form W2 from employers (and Form 1099 from people/firms who hired the filer as a contractor). The IRS receives the same data.
The filer then fills out Form 1040 with Name/Address-of-Residence/SSN, and values from Forms 1099/W2. Typically, all values are rounded to the dollar.
(Caveat: more complex tax situations require more forms. I'm describing the process as seen by the majority of filers.)
However, the IRS has to process ~150 million copies of form 1040 every year.
The form of fraud described above requires a name, an SSN, and a W2 form that looks official. The fraudulent filer gives name/SSN/false-address, and false Form W2 at a level that indicates the filer should get a refund. (As I computed above, the refunds likely fall into the range of $5000, a range common for U.S. Tax Refunds.)
The IRS may or may not suspect fraud, depending on how carefully they check the submitted form against submitted W2 data from the employer. I'm not even sure how carefully they check the name/SSN pair on the 1040 for validity, let alone the name/SSN/Address triplet.
And the IRS have to allow for the fact that the person may have changed address between the time the W2/1099 was generated and the time the 1040 was filled out. Thus, they have to be able to handle honest 1040s which have a different address for sending Refund to than is seen on the W2/1099 forms.
(About SSN: I know that the Social Security Administration, which is not part of the Dept. of Treasury, has a list of valid Name/SSN combinations. I'm not sure how easy it is for SSA to share this list with the IRS...)
If the IRS does discover potential fraud before a Refund is mailed, I'm not sure how they resolve the issue of Address to correspond with.
The fraudster (depending on his ability to monitor the mailbox and intercept items placed in it) may even have the fraudulent refund sent to the address of the person he is impersonating.
So it's hard, but the level of hardness is not insurmountable.
I would guess that fraudulent tax filing is as easy as fraudulently obtaining a credit card in someone else's name. Both rely on the same identifying data (name/address/SSN). Both can be done easily if the false-applicant has Name/SSN, and claims to have recently moved.
the government will never implement that method.
It makes too much sense.
(And someone will complain loudly when they file from their legitimate new address on January 31 and don't get their refund until April...)
Seems like you can protect yourself by making sure your estimated taxes are close to reality. Of course, that's not always possible (mid-year job loss, or whatnot), but it reduces exposure.
most with-holding is an attempt to take the graduated percentage of every payroll check.
However the tax system also covers investments, gifts, inheritances, dividends, interest earnings, interest paid, etc.
All of those alter the amount owed, AND the FedGov has an incentive to overdo the withholding and then give a refund with a majority of tax filings.
The incentives are (A) the FedGov gets an interest-free loan, (B) most taxpayers are incentivised to file and get a refund over the strategy of not-filing and getting lost in the shuffle.
> The I.R.S. sometimes, in effect, pays two refunds instead of one: first to the criminal who gets a claim approved, and then a second to the legitimate taxpayer, who might have to wait as long as a year while the agency verifies the second claim.
Did anyone else read that as almost an invitation to get two tax returns yourself?
File your tax return in a way that looks like the fraudulent claims, then file normal later. When the IRS raises a concern, claim the first one was fraudulent. Even if their review process doesn't approve the second return, you still at least got the first one. And you don't have to do any research on anyone else to do it.
It would seem a simple matter in this electronic age to change the IRS form from having boxes for the totals of income received to requiring the data from each W-2, 1099 etc. Since the issuers of these are also obligated to provide copies to the IRS, then the IRS can make a pretty good check that the filed return was made by the actual tax payer.
Of course if the bad guys steal all your mail from mid-January to late February when these are being mailed out - then the crooks have all the information.
Another solution would be to push the burden of tax collection down to the states, and the states roll the taxes up to the federal level.
(It kinda shoulda been implemented this way in the first place, but that's a different matter)
Each state would naturally perform the taxation its own way, and have unique holes and attack vectors.
However, tax-fraud like this would be a localized event, likely easier to track down at this level than from a federal level.
In Israel tax refunds are done by crediting your bank account, rather than by check, and the responsibility for checking the identity is shared with the bank who are obliged to check your identity when you open the account. This makes this kind of fraud much more difficult.
I just asked myself "What would Stalin do?"
Wait, how do they go about getting somebody else's W-2? Except in rare cases (like when somebody has moved out of state), your employer *hands* that to you, in person. When you file, you attach it to your 1040 with a paperclip. The IRS also gets a copy, and while they might not notice a forgery that is basically a copy, they should EASILY be able to tell if you try to use one you just made up out of whole cloth. How do the crooks get around this?
> Or, they could stop taking out more
> than they are owed in the first place
> and eliminate the tax refunds altogether.
They keep trying to do that, and everyone panics and changes their W-4. Back in the eighties all people had to do to ensure that enough money would be withheld was not claim themselves as dependents on the W-4, and then when filing they'd claim themselves. In the nineties the IRS changed the withholding rates again, and again in the naughties, so these days everyone has to use the "plus also, hold out an extra $n per paycheck" line item (which was originally just intended for exceptional cases, like people with multiple employers that would put them in a higher tax bracket than any individual employer would calculate). If the IRS finds a way to thwart that, people will find another way, like maybe using estimated prepayments (which currently almost nobody uses).
This is a huge problem in Florida, and I can't seem to find accurate details on why Florida is more problematic than many other states...