RealTime IT News

ID Theft a Taxing Question

Theft of their personal information and credit card numbers are key concerns for those who refuse to file their tax returns electronically, according to a study to be released next Monday.

This year, 30 percent of taxpayers said they would file online, and 55 percent said they would do so next year. A full 92 percent of online filers said they do it because they get their refunds faster. The survey of 2400 Internet users by TrustE, a non-profit privacy certification and education organization, and shopping comparison site BizRate.com, was completed the week of April 5.

The next largest segment in the survey, 27 percent, use accountants or tax professionals who file for them, while 21 percent said they preferred the hands-on paper approach. Fear of sending financial information over the Internet kept 18 percent from e-filing, with another 14 percent unwilling to risk identity theft.

Although some consumers say they're worried, actions speak louder than words. Electronic filing is growing. More than 300 million returns have been filed electronically since 1986, according to the Internal Revenue Service, and it expects more than 132 million e-files in 2004 alone, a 12 percent increase from last year. Convenience, it would appear, is a stronger motivator than fear.

Online tax preparation could also be ripe for scamming, mixing as it does two hot pockets of fraud: identity theft and the Internet.

Between January and December 2003, the Federal Trade Commission's complaint database received over half a million consumer fraud and identity theft complaints. Identity theft accounted for 42 percent of those gripes, up 2 percent from the previous year.

In September 2003 the FTC released a survey showing that 27.3 million Americans had been victims of identity theft in the previous five years -- 9.9 million people in 2002 alone. The FTC said ID theft cost businesses and financial institutions nearly $48 billion that year, while consumer victims suffered $5 billion in out-of-pocket expenses.

In another FTC survey, 6 percent of the victims said that the culprit was someone who worked at a company or financial institution that had access to the personal information.

The FTC also said Internet-related dodges accounted for 55 percent of all fraud in 2003, up from 45 percent the previous year. Meanwhile, the Anti-Phishing Working Group reported that financial services took the biggest hit from these scammers in February 2004, bearing the brunt of 9.7 different phishing attacks per day. While eBay was the subject of twice as many phishing expeditions as any other company, the group claimed that Citibank and Fleet Bank were among the top five business victims.

Although they refuse to go into details, Web-based tax prep and e-filing services said they maintain the utmost in security technology. "We use the highest level encryption and security precautions," a spokesman for H&R Block told internetnews.com. "Our security measures are comparable to those used in online banking and trading activity." The spokesman said the Free File Alliance, the IRS and at least two private third-party security consultants certify the company's online activities.

Mike Cavanaugh, executive director of the Free File Alliance, a consortium of 16 companies that offer free electronic filing to some taxpayers in addition to paid software and services, said all members are required to have security technology and certifications from organizations such as TrustE. Besides, he said, "Tax preparation is different than any other business because of the standards and legal requirements that have been imposed on them for decades. That's just as true in the electronic sphere as in the paper sphere."

Bob Meighan, vice president of consumer advocacy for Intuit's consumer tax division, said "the companies who take privacy and security seriously go out of their way to make sure they're protected in every way humanly or technologically possible." He wouldn't share any of Intuit's strategies or techniques, but in addition to those, he said, "We use quite a number of outside consultants and firms to validate what we do, because we know people are always trying to hack in."

While servers can be hacked, some privacy experts said e-filing is safer than storing your tax records in your desk or your desktop computer. Encrypted data on password-protected servers should be safe, as is sending information over the Internet using SSL encryption, according to Beth Givens, executive director of the Privacy Rights Clearinghouse. "I'm more concerned about the physical theft of the tax preparer's computer," she said.

Like it or not, universal e-filing is coming. The IRS has a mandate to get 80 percent of all taxpayers filing electronically by 2007, while many states already require commercial tax prep firms to get off the paper trail.

At least, consumer watchdogs have their eye on e-filing and online tax applications. "It's a huge area of concern," said Jessica Rich, assistant director of the FTC's Bureau of Consumer Protection. While the agency doesn't in the abstract condemn storing data, she said, "We encourage consumers and businesses to take many more actions to protect data." The FTC is bringing cases against companies that misrepresent the level of security they offer, and enforcing security mandates for financial institutions under the Graham-Leach-Bliley Act.

Consumers Union, which worked with other organizations to get Congress to prohibit tax software and e-filing providers from using their customers' information for marketing other products and services, worked with the California Department of consumer affairs to develop best practices for these vendors.

They include keeping customers' tax data on a separate server with limited employee access, storing it offline, so it's harder to get to, and physically locking up the storage hardware.

Consumers Union senior attorney Gail Hillebrand said that the prevalence of phishing expeditions in the financial services industry worries her -- and she isn't as confident in SSL as some people. "If there's anything we're learned about the Internet," she said, "it's that anything can happen."