Tax Prep Software Vendors Urged to Authenticate Tax Filers

Tax preparation software developers like Intuit are coming under pressure to do more to control security to safeguard their software from identity thieves.

That's especially important in the wake of revelations last month from tax authorities in several states who detected a large number of suspicious filings from TurboTax users, prompting Intuit to temporarily halt transmission of state tax returns (see Intuit Temporarily Halts State E-Filing Amid Fraud Concerns).

Two former employees claimed that Intuit knowingly processed returns filed by cybercriminals, which Intuit vigorously denied in a statement on its Web site (see Intuit Refutes Cyberfraud Allegations). However, Intuit has taken steps to improve the security of TurboTax, according to the Washington Post, including requiring customers to file both a federal and state tax return together to increase the chances of fraudulent tax returns being caught, as rivals H&R Block and TaxAct also do. It also now requires “multi-factor authentication,” so returning customers need to enter a specific code that is sent to them at either their email address or mobile phone before they can file.

However, at least one security expert says there are other steps that can be taken to authenticate users. Hemanshu Nigam, a former chief security officer for News Corporation and Microsoft security executive who has advised both the White House and the United Nations and is now chief strategist and director of online security for the Chicago-based technology company Verie, says he has a solution that companies like Intuit can implement.

“Identity theft, because of the way the hackers are operating, is going up exponentially,” he said in an interview last week. “Many companies keep extremely large databases of information on the people that they deal with, and that information can be pretty detailed, detailed enough to lead to some serious identity theft. You’re seeing that happening in all the tax fraud cases that are going on right now. If you look at the problem at its core, it’s this: when somebody is filing a tax return, if they have information that’s stolen, that belongs to somebody else, it’s very difficult for the tax agency to know who is actually submitting that information, who is the person behind the keyboard.”

He noted that the IRS has not yet come up with a reliable way of stopping identity theft before issuing a tax refund. “Oftentimes they’ll find out much later because the person who is in fact the owner of that information is submitting their own forms, and then a discrepancy at some point gets noticed by the IRS,” said Nigam. “That’s all because of one core issue, which is how do you know who’s punching in the data that’s getting submitted?”

Verie's technology aims to authenticate users. “What the Verie app is doing is it’s creating an environment that we call ‘just in time, just in place, and just on device,’ where you’re not allowed to use historical data, but actually take action in real time,” Nigam explained. “So it's either a video or photo of yourself in real time, and no use of historical data. Take a photo of your driver’s license in real time, front and back. Then we use our proprietary image recognition technology to determine whether there’s a match. It’s also geolocated into that particular device so it’s all tied together, and in essence we’ve created a virtual reality that mirrors the physical reality.”

Nigam hopes to convince tax prep software makers like Intuit, rather than the IRS, to use his company's technology.

“That’s where you can stop the fraud at the entry point rather than identifying it at the time of refund checks being issued and then some audit being done many, many months or years later,” he said.

Part of his business plan is to approach the tax prep software vendors, but in the meantime Verie is preparing to release its product for testing to several other organizations that also need to authenticate users.

“One of the things that we recognize fully is that security is not something you should be competing on,” said Nigam. “So if Intuit is doing it, many of the other competitors should be doing it. The industry needs to band together, find solutions that work, and implement them together. That's very different than competing on services, product, ease of use, and pricing. Those things, everyone should compete on, and everyone should try to offer the best they can. But when it comes to security, this is a time in our society in the digital century where we need to start working together and finding solutions together.”

Nigam believes it's important for security companies to always stay one step ahead of the identity thieves.

“The game will always continue, but if you've identified ways to get the upper hand as a business, it's one way to build customer trust,” he said. “It's also the way to avoid a government investigation, especially in the accounting industry.”