Are Selfies the Next Big Thing in the Fight Against ID Theft?

March 23, 2018

silohuettes of people

By Gerard H. Schreiber, Jr., CPA, Partner - Schreiber & Schreiber, CPAs and Valrie Chambers, Ph.D., CPA, Associate Professor – Taxation and Accounting and Interim Chair – M.E. Rinker, Sr. Institute for Tax and Accountancy, Stetson University

We are coming to the end of filing season, and many of us are finding the changes to the IRS authentication process taxing.

The IRS made updates to identity validation processes because of concerns arising from identity theft, massive data breaches, and other cybersecurity concerns. They are necessary changes, but they have affected practitioners’ use of IRS resources for obtaining client information.

Feature and process changes

The IRS made two significant changes that affect practitioners’ experience with validating IDs.

First, practitioners lost the ability to enter Forms 2848 online. The IRS discontinued this practice because of the excessive cost of re-tooling Disclosure Authorization (DA) and Electronic Account Resolution (EAR) leading the IRS to end its contract with its online software vendor. This had a huge effect on productivity as we no longer could get instantaneous access to client information to address tax matters immediately.

The second change came this year. The IRS implemented new authentication procedures for the Practitioner Priority Service (PPS) line. An update to the Internal Revenue Manual 21.3.3 took effect on Jan. 3, 2018, requiring IRS customer support representatives to obtain practitioners’ Social Security numbers and dates of birth. Because this was unannounced, it created a lot of inquiries to the AICPA, and the new procedure upset many members. The IRS has since indicated this was due to some Centralized Authorization File (CAF) numbers being compromised. The IRS also said they request personal information for security purposes.

Improvements to the process

Despite the changes, e-Services is a great tool for obtaining necessary information from the IRS. It has become the norm for obtaining client information necessary for filing returns, answering correspondence, and resolving other client matters.

Practitioners may be concerned with long call-wait times, but the IRS has added staff during filing season in an effort to assist practitioners in accessing assistance.

E-Services remains the fastest means of obtaining certain client information since it is available around the clock for those enrolled in the service and the PPS is widely used by practitioners who wish to speak to an IRS representative to resolve client matters or obtain client IRS information.

To further assist practitioners, the IRS added resources on the e-Services identity proofing process including a step-by-step video based on IRS webinars held last October. The IRS’s Secure Access information page and FAQs about Secure Access may also be helpful resources for practitioners.

The future of identity verification

What is left for identity verification? The IRS answered this question by indicating a virtual experience could be the way of the future. For instance, there have been discussions about Appeals conferences occurring by web conferencing (and the IRS piloted Appeals videoconferencing in 2017 to assess how satisfied taxpayers are with this new service and the technology). Is a virtual world the way of the future? If so, what does the resulting authentication process look like?

Two states, Alabama and Georgia, are using facial recognition to authenticate identities for state tax return purposes. Beginning in calendar year 2017, Alabama taxpayers with an iPhone could download a mobile application, scan their state-issued ID, and take a selfie. These two images are matched against their Alabama-issued driver’s license. Should the photos match, they would be used to register with the Alabama Department of Revenue.

After acceptance, registrants get a text asking for another selfie when a tax return is filed in their name. This photo authenticates the filing. If the client looks like their driver’s license photo – an assertion that is widely in dispute – this should work. Driver’s license pictures are less widely circulated than other identifiers, such as Social Security numbers, which are used for everything from rental agreements to credit card applications to health records.

But, it’s not all good news. The texts themselves are a double-edged sword. They are ripe for phishing attempts. Practitioners must educate clients on how to avoid these scams so identity theft can be addressed quickly. Visit the AICPA’s Tax Identity Theft Information and Tools page for more information.

It’s not all up to clients, however. The IRS offers a fact sheet with specific steps practitioners should take to strengthen their protection and a webpage devoted to resources that help practitioners protect their systems.

We have experienced all sorts of compromises with our personal information in the paper and cyber world. What happens if we move into the virtual world? The future of identity validation remains to be seen.