The IRS has relaunched the “Get Transcript” online service with what the agency claims is a more rigorous process than the one that previously existed (News Release IR-2016-85). In May of 2015 the IRS announced that it had discovered there had been unauthorized access to taxpayer’s transcript via the “Get Transcript” online service. While the IRS initially estimated the unauthorized access to involve 100,000 taxpayers, by February of 2016 that estimate has ballooned to over 720,000 taxpayers.
While the unauthorized parties were able to access about ½ of the accounts they tried to break into, even under the old system many legitimate taxpayers were unable to complete the process. As would be expected, with the IRS tightening controls on who can get it, even more taxpayers will likely find themselves unable to answer the questions—and some will simply be barred from accessing the transcript online due to the new requirements.
The News Release Notes:
While some taxpayers may now find it more difficult to authenticate their identities with this strengthened process, the IRS is committed to making sure everyone accessing the site will be able to do so in a safe and secure way. The IRS continues to support multiple options for those taxpayers who may be unable to access online features or who prefer to obtain information in more traditional ways. These options currently include ordering transcripts online or by phone for receipt by mail, which typically are delivered to the address of record within five to 10 days. The IRS continues to look for ways to expand options for all taxpayers.
“More difficult” is, in reality, an understatement of the problem. As the IRS describes the process:
To access the new Get Transcript Online feature, taxpayers must have an email address, a text-enabled mobile phone and specific financial account information, such as a credit card number or certain loan numbers. Taxpayers who registered using the older process will need to re-register and strengthen their authentication in order to access the tool. As part of the new multi-factor process, the IRS will send verification, activation or security codes via email and text. The IRS warns taxpayers that it will not initiate contact via text or email asking for log-in information or personal data. The IRS texts and emails will only contain one-time codes.
Other media reports have indicated that the “text enabled” smartphone must be one registered on a post-paid plan, so that taxpayers that have a phone under a pre-paid plan would not eligible. The reason for that restriction is because carriers do verifications and credit checks on individuals obtaining post-paid plans, but do not do that level of investigation on prepaid plans. Thus it would be possible to obtain a prepaid (also referred to in slang as “burner”) phone plan in a mark’s name to receive the text message if the IRS allowed the prepaid plans phones to work.
Unfortunately, the changing nature of the mobile phone market has made it more likely that even those with stellar credit may turn to prepaid plans. As carriers generally no longer subsidize the purchase of a phone, but rather demand that customers pay the full price for the phone, there’s no longer the same incentive to sign up for a post-paid contract to obtain a high end phone at a low (apparent) cost.
And, as the IRS notes, the questions need to be made more difficult in order to (hopefully) remove the ability of the criminals to be able to uncover the answers through either legitimate or less savory sources.
Whether this will be sufficient to “lock down” the Get Transcript program remains to be seen. As the IRS admits in this news release:
“The incident with Get Transcript Online illustrates a wider truth about identity theft in general, which is that there are no perfect systems,” Koskinen said. “No one, either in the public or private sector, can give an absolute guarantee that a system will never be compromised. For that reason, we continue our comprehensive efforts to update the security of our systems, protect taxpayers and their data and investigate crimes related to stolen identity refund fraud.”