Few things make me feel less secure about my money than tax time.
Not because the Feds are taking some of it. I don’t mind paying my share of the bill for civilization, although the twisted logic of the tax code makes me think I’m losing a rigged game. No, it’s because tax prep reminds me of how weak security can be at many of the financial sites tax-prep services need to talk to.
Using your social-security number as a username? Sure! Allowing a password that uses six characters or fewer and hasn’t changed since you created it in 1999? OK!
But as with a lot of security issues, this situation is more complex than it looks.
Bad Security Is the Bank’s Problem, Not Yours
It’s true that getting a bank or mutual-fund login armored with security comparable to what you get on Web mail and social media sites is tough. Start with “two-step verification” to defend your account from a compromised password: Many financial sites will leave you frustrated.
A semi-canonical list of sites supporting two-step verification, Two Factor Auth, found this security measure available at only 20 of 45 banking sites and eight of 19 investment sites. In comparison, it reports that all but one of 25 cryptocurrency sites listed offer two-step verification.
But while there’s no Federal Reserve to protect your Bitcoin, things differ in the U.S. banking industry. Rules like the Fed’s Regulation E limit your liability to hacking — with the happy side effect that banks can’t make you do all the hard work of security.
In practice, that means they must watch for suspicious behavior on their own — as in when a credit-card issuer calls you about an unusual purchase.
“The big banks, I think, have done a very good job of detecting fraudulent activity, because they’re liable for it,” said Kathleen Day, a professor at the Johns Hopkins Carey School of Business and a veteran banking reporter.
“It’s the financial services organization that ends up paying the tab, not the consumer,” echoed Mark Nicholson, a principal in Deloitte’s cyber risk practice.
This alignment of responsibility and risk isn’t how things usually work in online security. But maybe it should be. As security researcher Bruce Schneier said: “What you want is the entity in a position to mitigate the risk be in charge of security.”
And for all the examples of weak security I’ve come across this tax season, the financial industry is getting better. The financial planning site Personal Capital has seen more sophisticated security at bank and brokerage sites, including more use of optional one-time passwords, chief technical officer Fritz Robbins said in a note forwarded by a publicist.
For what it’s worth, the bank holding our mortgage just made its login system sufficiently complex enough that Intuit’s Mint site can’t seem to check our balance.
Tax Refund Fraud Remains a Mess
If only other parties that use your financial information had the same straightforward incentives for fixing security problems. Instead, the costs their mistakes run up often get paid for with other people’s money.
Think about retailers whose sloppy security allows your credit card to be compromised and used for fraudulent purchases at different stores that have to eat those charges. Now consider the complicated machinery of tax preparation.
There, risks and responsibilities tumble across the map. The Internal Revenue Service can accept or reject returns, but it also works under a Congressional microscope: If it wrongly holds up a refund, taxpayers and their representatives will howl.
Furthermore, the IRS isn’t in the room when people do their taxes online — third-party services such as Intuit’s TurboTax have reserved that job. They have a better chance to verify whoever’s doing the return, but they have an even stronger incentive to err on the side of getting returns in so refunds go out.
An unsurprising result: In the 2013 tax year, the Government Accountability Office estimated that the IRS paid out $5.8 billion in fraudulent refunds to crooks impersonating real taxpayers. No bank could stay in business with that loss rate. (The IRS also prevented or recovered $24.2 billion in ID theft refunds,)
An IRS spokesperson noted, fairly enough, that the agency keeps getting less money to do that job — its funding fell from $12.15 billion in fiscal year 2010 to $10.9 billion in the current year. But that GAO report also chided the agency for not making such authentication options as Identity Protection PINs more widely available.
Intuit, the leading tax-prep company, doesn’t look too good either. Security reporter Brian Krebs reported in February that the company had dialed back some anti-fraud efforts, then called it out again in March for neglecting such basics as validating e-mail addresses used to open accounts.
Intuit said in a February post that it has been pushing the IRS to offer guidance to tax preparers about ID theft fraud. It has also been closing many of the holes observed by Krebs, something I’ve seen in my own experience with TurboTax this year. (Intuit representatives declined to elaborate beyond those earlier statements.)
Like data breaches, tax-return fraud is something we can’t do much about on our own — although the IRS’s warnings and advice are worth a read. Any more durable fix is above our pay grade, but I think it has to involve the people responsible for security paying when it fails.
“It is not an unsolvable problem,” said Schneier, suggesting that the IRS ought to eat those costs. “But in the context of the American political system, many things can’t be done.”