Identity quizzes are a hot topic among fraud fighters, and particularly so among tax administrators. A quick web search finds that a lot of state tax agencies use quizzes to fight refund fraud, including Indiana, Louisiana, and Ohio. Even the IRS has gotten into the game.
In reading the press releases from these states – as well as the marketing materials from the vendors who pitch them – you would think that tax agencies have developed a secret weapon to stop all tax fraud. “The identity protection program is a way the Department of Revenue is proactively protecting the identities and refunds” of taxpayers, trumpets one state tax agency.
All of this hoopla begs the question, “What’s all the fuss about identity quizzes?”
For those of you who are unfamiliar with them, identity quizzes are a way to verify someone’s identity called “knowledge based authentication”. It’s a simple concept. If you aren’t sure about someone’s identity, ask them a few questions that only they should know the answers to. Get the answers right? We trust you. Get ‘em wrong? You must be a con artist who is trying to cheat the system.
The trick in making this concept work is to find a good source of information for the questions. Turns out that the data collected by credit reporting agencies – previous addresses, car registration data, mortgage amounts – can be an easy and mostly-reliable source for questions. Combine that data with information from previous tax returns (think “prior year adjusted gross income”), and you’ve got a foolproof way of stopping tax fraud. Right?
As Lee Corso from ESPN’s College Game Day likes to say, “Not so fast, my friend!”
Relying solely on identity quizzes to stop tax fraud is a flawed strategy. Here are three reasons why:
- Fraudsters have figured out how to get around them. The most sophisticated bad guys have figured out ways to pass the quiz! How? Similar to what credit reporting agencies do, fraudsters have started to collect data for commonly-asked questions – previous addresses, car registration data, and others. Often, this stolen data comes from data breaches, such as the recent Office of Personnel Management breach. Ask the fraudster to take a quiz, and he will gladly oblige.
- Quizzes solve only a sliver of the fraud problem. Tax fraud is massive and complex, with hundreds of various schemes that can be perpetrated. But, tax administrators use identity quizzes to stop only a single scheme – one known as “stolen identity refund fraud”. That must be a massive part of tax fraud, right? Wrong. Stolen identity refund fraud accounts for less than 2% of all tax fraud and non-compliance.
- Quiz questions can be (ridiculously) wrong. Just ask an Ohio woman who recently took an identity quiz. She was asked which address she shared with another woman.“That is my ex-husband’s third wife,” she said. “Clearly, I did not share an address with her ever. So I answered ‘none of the above,’ which apparently was incorrect.” Saving someone from being a victim of refund fraud by making them a victim of bad questions? That makes no sense at all.
It’s pretty clear that identity quizzes have big limitations in fighting fraud. So what’s the take-away?
ID quizzes can be used to stop some kinds of fraud, but only when they are part of a much larger arsenal of fraud-fighting weapons. Before you fall for the hype, ask tough questions about what scheme(s) an identity quiz will stop… and about whether they will continue to be relevant as fraudsters develop ways to evade them.
2 Comments
Mr. Barry provides an excellent reminder that a sure thing often delivers a result that does not measure up to our hopes and expectations. As fraud becomes more complex, and data breaches larger and more frequent, attention to the new criminal trends and tools must be increased, and top talent and thinking applied to stem the tide.
Mr. Fuller, thanks for your comments!
You bring up an interesting point... applying "top talent" is a very effective strategy in mitigating fraud. The question becomes, though, what kind of "talent" is needed? Clearly, having sharp auditors and/or certified fraud examiners is essential. I would also argue that you need three (3) other types of "talent":
1. Data experts - You need people who know and understand your data intimately. They need to know what your data means, your data quality (good, bad, and ugly), and the hidden land mines buried throughout.
2. Data scientists - You need people who understand how to use analytics to build behavior models.
3. Fraud Champion - All the smart technical resources in the world are for naught... unless you have a leader who is willing to strongly support innovation. Someone who will break down internal barriers to change. Someone who is willing to take risks.