The IRS system for sending out Coronavirus relief payments is vulnerable to fraud, especially with regard to some of the nation's poorest people, according to tax and cybersecurity experts.
Because of the way the system is set up, fraudsters can obtain the Coronavirus payments of a certain segment of vulnerable Americans with just their date of birth, Social Security number and address — information that is easily available to criminals online.
Millions of Americans fall into this category of vulnerable people.
The $2 trillion Coronavirus aid package passed in late March includes some $300 billion for direct cash payments. Single Americans who earn less than $75,000 a year qualify for a one-time payout of $1,200.
Americans who make less than $12,200 per year do not have to file a tax return with the IRS, but still qualify for the direct payment. But the IRS typically uses information from prior tax returns to verify identities.
"That kind of information often serves as a backstop, as a way of sort of identifying people," says Janet Holtzblatt of the Urban-Brookings Tax Policy Center.
It is this category of people who are vulnerable to this type of fraud, because without a prior tax return the IRS must rely on simpler information to verify their identity.
"I was a little shocked to see that," Krebs told NPR. "There were a number of things that they requested, but very few things that were required. And the only thing that I could tell that were required were name, date of birth, social security number, address — and then you had to have a phone number... That was pretty scary to me."
A longtime reporter on computer security, Krebs says this information is readily available for fraudsters.
"It's information people think is confidential, is secret. It's available for sale on a significant portion of the US population, in a number of places in the underground," he says. "And in many cases, we're not even talking about the dark web. We're talking about just out on the internet. And it's a couple bucks — it's about what it costs for, you know, a caramel macchiato at Starbucks."
It is too soon to know for sure whether this kind of fraud is under way, and at what scale. But Mike Chapple, a professor of information technology at the University of Notre Dame, says it's a good bet that this kind of fraud is already happening.
He points to an incident in 2015 with an IRS system where people could obtain their previous tax return transcripts online. That system was more secure because it asked for more information in order to verify user identities.
"There were 390,000 cases that the IRS inspector general found of fraudulent access to that system," Chapple says. "So now fast forward five years and we're using an even weaker system to control access, not just to information, but to payments."
The IRS didn't address this specific vulnerability, but told NPR that it is actively working on combating scam artists, and is prioritizing investigations into those who prey on vulnerable taxpayers.
IRS Criminal Investigation Chief Don Fort said in a statement that they are tracking the dark web, following message boards and anticipating the schemes of criminals.
"There's always a trade-off between speed and security," says Mark Everson, the IRS Commissioner between 2003 and 2007.
He says that the IRS is doing the best it can under trying circumstances. A priority for the federal government is trying to get these direct payments out the door as quickly as possible, which is going to lead to some vulnerabilities, he says.
"They're limited in terms of the technical strength which has been devoted to getting the payments out... They have so many different things they're doing right now amidst what is still the filing season," Everson told NPR.
Everson, now with Alliantgroup, which provides specialty tax services, advises people who are seeking Coronavirus direct payments and are not familiar with computers to find help from someone they trust.