The Internal Revenue Service has restored the Get Transcript online application that it took down last year, adding improved multi-factor authentication processes to safeguard the program from being exploited by identity thieves.
The IRS removed the app last year after it discovered criminals were using it to access transcripts of hundreds of thousands of old tax returns (see IRS Finds ‘Get Transcript’ Data Breach Was More Widespread). This past tax season, taxpayers and tax professionals could only use the online service to order tax transcripts that would be sent to them by mail, instead of being able to view and print the tax transcripts directly online. However, the IRS has since been working to restore the app while also making sure it can authenticate users who are authorized to access the transcripts (see IRS Working to Restore ‘Get Transcript’ App).
The IRS said Tuesday the relaunch was made possible with the help of digital experts from the U.S. Digital Service and other security authorities.
The new, more rigorous e-authentication process is expected to significantly increase protection against identity thieves who try to impersonate taxpayers to access their tax return information. The enhanced authentication process will also provide a foundation for additional IRS self-help services in the future, the IRS noted.
After being disabled last year, Get Transcript Online is now available for all users to access a copy of their tax transcripts and similar documents that summarize tax return information. The formal relaunch Tuesday relies on a more secure access framework that requires a two-step authentication process.
“The IRS is committed to the protection of taxpayer information and the security of our systems,” said IRS Commissioner John Koskinen in a statement. “Criminals are becoming increasingly sophisticated and continue to gather vast amounts of personal information as the result of data breaches at sources outside the IRS. In the face of that threat, we must provide the strongest possible authentication processes, while trying to enhance the ability of taxpayers to legitimately access their data and use IRS services online. We recognize that enhanced security will increase the challenge for taxpayers accessing our on-line services.”
Some taxpayers may now find it more difficult to authenticate their identities with this strengthened process, the IRS acknowledged, but the agency said it is committed to making sure everyone accessing the site will be able to do so in a safe and secure way. The IRS is going to continue to support multiple options for those taxpayers who may be unable to access online features or who prefer to obtain the information in more traditional ways. These options currently include ordering transcripts online or by phone for receipt by mail, which typically are delivered to the address of record within five to 10 days. The IRS is continuing to look for ways to expand options for all taxpayers.
“The incident with Get Transcript Online illustrates a wider truth about identity theft in general, which is that there are no perfect systems,” said Koskinen. “No one, either in the public or private sector, can give an absolute guarantee that a system will never be compromised. For that reason, we continue our comprehensive efforts to update the security of our systems, protect taxpayers and their data and investigate crimes related to stolen identity refund fraud.”
Tax transcripts are summaries of tax returns. Transcripts often are used for non-tax purposes, such as income validation for mortgages or student loans. Taxpayers also can use transcripts to obtain their prior-year adjusted gross income (AGI), which they need in order to e-file their tax returns.
Starting last year, the IRS began working with the U.S. Digital Service to create a new e-authentication platform for Get Transcript and other IRS.gov tools. The U.S. Digital Service is a branch of the Office of Management and Budget that brings some of the private sector’s best tech experts into government to resolve complex issues facing federal agencies. The new secure access process meets the security standards set by the National Institute of Standards and Technology and the OMB.
To access the new Get Transcript Online feature, taxpayers must have an email address, a text-enabled mobile phone and specific financial account information, such as a credit card number or certain loan numbers. Taxpayers who registered using the older process will need to re-register and strengthen their authentication in order to access the tool.
As part of the new multi-factor process, the IRS will send verification, activation or security codes via email and text. The IRS is warning taxpayers it will not initiate contact via text or email asking for log-in information or personal data. The IRS texts and emails will only contain one-time codes. Fact Sheet 2016-20 provides further details on what is needed to successfully access Get Transcript Online.
New features also allow taxpayers to see the date and time when the Get Transcript Online page was last accessed. Returning users will always need to receive and enter a text code before they can obtain access.
The IRS is maintaining a multipronged, strategic approach to combating identity theft and helping taxpayers who become victims. Last year, the IRS, state tax agencies and the tax industry joined forces for a Security Summit Initiative that identified and enacted new security safeguards for taxpayers in 2016. The Security Summit partners are currently exploring further safeguards for next year.