From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IRS Taxpayer Authentication Efforts

Description: In the wake of well-publicized, large-scale data breaches, hacks, and cyberattacks affecting private and government organizations alike, we discuss what the IRS is doing to ensure they can authenticate taxpayers' identities and stay current in a changing cyber environment.

Related GAO Work: GAO-18-418: Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts.

Released: July 2018

[ Background Music ]

[Jay McTigue:] IRS lacks the comprehensive process to evaluate potential new authentication technologies.

[Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. The IRS handles billions of dollars each year. Whether taking payments or giving refunds, the IRS needs to authenticate taxpayers in an environment with an increasing risk of fraud, stolen identities, and cyberattacks. I'm with Jay McTigue. He's a director on our Strategic Issues team, and we're going to talk about a GAO report that explored the IRS's taxpayer authentication efforts. Thanks for taking the time to speak with me, Jay.

[Jay McTigue:] Oh, thanks for having me.

[Matt Oldham:] So what did your report find? How is the IRS doing in their authentication efforts?

[Jay McTigue:] We found that the IRS has taken some very productive steps, have made progress on the authentication front. And basically, authentication is the process that IRS uses or any financial institution or place you're doing business with to verify that the person you're actually talking with are who they claim to be. In the context of IRS, authentication is performed in person, over the phone, online, and, in some cases, even through the mail, through correspondence.
The IRS, in 2016, identified over 100 interactions that they have with taxpayers in which they have to authenticate who they're speaking with. And those range from very low-risk interactions, such as a taxpayer wanting to make a payment to the IRS, to very high-risk interactions where a taxpayer or someone pretending to be a taxpayer is trying to get taxpayer information or a refund from the federal government.

[Matt Oldham:] So Jay, are there some authentication methods that are more problematic for the IRS?

[Jay McTigue:] Sure. What we found is that, while IRS regularly assesses risks to and monitors its online authentication application, it really has not established rigorous controls for its telephone, in-person, and correspondence channels. And because of this, IRS may not be identifying current or emerging threats to the tax system. IRS lacks the comprehensive process to evaluate potential new authentication technologies. This is particularly important because fraudsters, thieves are constantly coming up with new schemes to get around the latest defenses that IRS has put in place. Experts that we talked to suggest that the best authentication approach relies on multiple strategies and sources of information.

[ Background Music ]

[Matt Oldham:] So it sounds like the IRS has taken some steps to bolster their taxpayer authentication efforts, but they could improve their policies and practices to identify current and emerging threats. So Jay, what recommendations did your team have?

[Jay McTigue:] We actually made 11 recommendations that are focused in 4 areas. The first is IRS needs to estimate resources for and prioritize its authentication initiatives. Second, it needs to complete risk assessment and improve the monitoring of authentication across all different types of interactions with taxpayers. Not just the online, but also telephone, in person, and via the mail.
Third, it needs to develop a plan to fully implement the new NIST, National Institute of Standards and Technology, guidance on secure digital authentication. And then, finally, IRS should develop a process to regularly evaluate potential authentication technologies that are in use, you know, new technologies or other approaches that are being used in industry and at other federal agencies.

[Matt Oldham:] So what do you believe is the bottom line of your report?

[Jay McTigue:] I think the bottom line is IRS's ability to continually monitor and improve taxpayer authentication is a critical step in protecting sensitive taxpayer information as well as billions of dollars in refunds and treasury dollars.

[ Background Music ]

[Matt Oldham:] Jay McTigue is a director in our Strategic Issues team, and he was talking about a GAO report on the IRS's efforts to authenticate taxpayers. Thank you for your time, Jay.

[Jay McTigue:] Oh, thank you for having me.

[ Background Music ]

[Matt Oldham:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[ Background Music ]

[Matt Oldham:] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.