
IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.


And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed somewhat basic security protocols, such as email authentication and SSL configurations.

Craig Spiezle, Online Trust Alliance executive director

Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t have current secure protocols; one provider failed to adopt an extended validation (EV) SSL certificate, leaving it open to spoofing.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to do something.


Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs comprised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication. It’s almost a basic security tool that prevents emails from being spoofed. Those OTA-audited e-filing services that didn’t use it are contributing to the breaches.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefsen.

Social Security Numbers Are Dead

I am a senior citizen. While this distinction entitles me to a variety of perks like discounted movies and bus fare – as well as the occasional free doughnut (seriously) — it’s also a ticket to the identity theft lottery.

Turning 50 gets you an invitation to AARP, and turning 65 gets you a Medicare card. What’s this have to do with identity theft? Take a close look at a Medicare card. The identification number? It’s a combination of the cardholder’s Social Security number and one or two letters.

Health insurers no longer include Social Security numbers on the cards they issue to people. The concern was that using SSNs needlessly increased the risk of identity theft, which was, and continues to be, rising exponentially. When health insurers made the change, they stopped being co-conspirators in what has become a national epidemic.

According to an article by reporter Robert Pear in the New York Times, private insurers under contract with Medicare are not permitted to use SSNs on insurance cards when providing medical or prescription drug benefits. But in a serious case of “Do as I say, not as I do,” Medicare has used Social Security numbers on more than 50 million benefit cards, heedless of the warnings of privacy advocates, consumer protection officials, federal auditors and investigators working on identity theft cases.

Section 501 of the Medicare Access and CHIP Reauthorization Act of 2015, a bipartisan provision written by Rep. Sam Johnson (R-TX) and Rep. Lloyd Doggett (D-TX), signed into law recently by President Obama, finally mandates the removal of Social Security numbers from our Medicare cards. (Well, let’s just say it begins the process — and, like all processes in Washington, let’s hope it actually gets done before my toddler is eligible for Medicare.) The new law is clear: Social Security numbers must not be “displayed, coded or embedded on the Medicare card.”

More than 4,500 of my fellow seniors enroll in Medicare every day. Over the next 10 years, some 18 million more of us are projected to qualify, which will bring the total Medicare enrollment to 74 million by 2025.

What Lit the Fire?

After years of begging, cajoling and warning to no avail, what finally forced both parties in Washington to get off their butts and get it right?

Pear speculates that it wasn’t one thing but a set of circumstances starting with the nearly universal digitization of medical records and, of course, ending with a culture plagued by highly effective hackers. Consider that in just the first quarter of 2015 more than 91 million Social Security numbers were exposed to unauthorized persons in just two data compromises: Anthem and Premera.

What the new system will look like is still anyone’s guess. Here’s what we know, according to the New York Times article: SSNs will be replaced by a “randomly generated Medicare beneficiary identifier.” Additionally, Medicare officials have eight years to get the new system completely up and running—four years to issue cards to new beneficiaries and four more years to reissue cards to existing beneficiaries. It was unclear whether those two four-year items were to happen simultaneously, but since we’re talking about a government timeline there is an argument for erring on the side of forever.

Like all major government initiatives, this will be no small feat. But it is a critical one if we are to stop hearing the pitter-patter of scammer feet tap dancing on the finances of senior citizens.

Why did it take so long? Why does the IRS still require SSNs? Because we’re talking about the government.

The record speaks for itself:

  • 2004 – The Government Accountability Office warns we must reduce our dependence on Social Security numbers as individual identifiers.
  • 2007 – The White House Office of Management and Budget directs federal agencies to “eliminate the unnecessary collection and use of Social Security numbers” within two years.
  • 2008 – The inspector general of Social Security calls for the immediate removal of Social Security numbers from Medicare cards. The departments of Defense and Veterans Affairs launch major initiatives to delete Social Security numbers from their identification cards.

How about the Department of Health and Human Services, which supervises the Medicare program? Well, let’s just say that according to the Times, the GAO felt that HHS was moving—shall we say—glacially and that it really was all about money. (Forget the fact that identity theft costs America and Americans billions annually.)

The Medicare agency is no small operation. It pays close to 1 billion claims from 1.5 million healthcare providers every year. While I understand that the HHS has considerable budgetary and logistical issues when dealing with the identification quagmire, it is nothing compared with the expense and uproar caused by identity theft in the lives of the people HHS serves. That’s a long way of saying that this identification card “modification” is long overdue.

In the meantime, what can you do if you’re concerned that your Social Security number is in the wrong hands? Because the number can be used to perpetrate many types of crimes, not just credit-related, the problem can be difficult to track. But it’s still important to check your credit reports regularly for signs of fraud — like new accounts you didn’t authorize. You can get your free annual credit reports from AnnualCreditReport.com, and you can get a free credit report summary, updated every month on Credit.com, to watch for changes.

That said, we are not living in a “So it is written, so it is done” age. Congress has to sit on the HHS to get 100% compliance with the law as it was passed. And we have to sit on Congress. And while we are sitting on our favorite 535 federal lawmakers, perhaps they can ask the IRS what’s taking it so long to make some changes — including killing the SSN as identifier — so Americans can stop being such sitting ducks in the sights of miscreants.

TRIA Non-Renewal: Effect on P&C?

Losses stemming from the destruction of the World Trade Center and other buildings by terrorists on Sept. 11, 2001, totaled about $31.6 billion, including commercial liability and group life insurance claims — not adjusted for inflation — or $42.1 billion in 2012 dollars. About two-thirds of these losses were paid for by reinsurers, companies that provide insurance for insurers.

Concerned about the limited availability of terrorism coverage in high-risk areas and its impact on the economy, Congress passed the Terrorism Risk Insurance Act (TRIA). The act provides a temporary program that, in the event of a major terrorist attack, allows the insurance industry and federal government to share losses according to a specific formula. TRIA was signed into law on Nov. 26, 2002, and renewed for two years in December 2005. Passage of TRIA enabled a market for terrorism insurance to begin to develop because the federal backstop effectively limits insurers’ losses, greatly simplifying the underwriting process. TRIA was extended for seven years to 2014 in December 2007. The new law is known as the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) of 2007.

This week, Congress failed to reauthorize TRIA before members adjourned for the holiday recess. Now, with the expiration of the law on Dec. 31, some businesses may be left without insurance coverage in the event of a terrorist attack on the U.S. Both houses of Congress have been discussing legislation that would set out the federal government’s involvement in funding potential terrorism losses, but bills proposed by the two houses earlier this year differed, and no extension was passed.

A report from the Wharton Risk Management and Decision Processes Center found that, under the current TRIA program, some insurers have already reached a level of exposure to losses from a terrorist attack that could jeopardize their ability to pay claims, based on a critical measure of solvency: the ratio of an insurer’s TRIA deductible amount in relation to its surplus. The report, “TRIA After 2014: Examining Risk Sharing Under Current and Alternative Designs,” found that as the deductible percentage rises, as it does under the Senate bill and proposals put forward in the House, more insurers have a deductible-to-surplus ratio that is above an acceptable level. The report also sets out in detail the amount the American taxpayer and federal government would have to pay under differing scenarios.

A RAND Corp. study published in April 2014 found that in a terrorist attack with losses of as much as $50 billion, the federal government would spend more dealing with the losses than if it had continued to support a national terrorism risk insurance program, because it would likely pay out more in disaster assistance.

A report by the President’s Working Group on Financial Markets made public in April 2014 generally supports the insurance industry’s view that the expiration of TRIA would make terrorism coverage more expensive and difficult to obtain.

The insurance broker Marsh released its annual study of the market, “2014 Terrorism Risk Insurance Report,” in April. Among its many findings is that uncertainty surrounding the potential expiration of TRIA significantly affected the property/casualty insurance market. Some employers with large concentrations of workers and companies with property exposures in major U.S. cities found that terrorism insurance capacity was limited and prices higher, and some could not obtain coverage at all. If the law is allowed to expire or is significantly changed, the market is likely to become more volatile with higher prices and limited coverage, the study concludes.

Before Sept. 11, 2001, insurers provided terrorism coverage to their commercial insurance customers essentially free of charge because the chance of property damage from terrorist acts was considered remote. After Sept. 11, insurers began to reassess the risk. For a while, terrorism coverage was scarce. Reinsurers were unwilling to reinsure policies in urban areas perceived to be vulnerable to attack. Primary insurers filed requests with their state insurance departments for permission to exclude terrorism coverage from their commercial policies.

From an insurance viewpoint, terrorism risk is very different from the kind of risks typically insured. To be readily insurable, risks have to have certain characteristics.

The risk must be measurable. Insurers must be able to determine the possible or probable number of events (frequency) likely to result in claims and the maximum size or cost (severity) of these events. For example, insurers know from experience about how many car crashes to expect per 100,000 miles driven for any geographic area and what these crashes are likely to cost. As a result, they can charge a premium equal to the risk they are assuming in issuing an auto insurance policy.

A large number of people or businesses must be exposed to the risk of loss, but only a few must actually experience one, so that the premiums of those that do not file claims can fund the losses of those who do.

Losses must be random as regards time, location and magnitude.

Insofar as acts of terrorism are intentional, terrorism risk doesn’t have these characteristics. In addition, no one knows what the worst-case scenario might be. There have been few terrorist attacks, so there is little data on which to base estimates of future losses, either in terms of frequency or severity. Terrorism losses are also likely to be concentrated geographically, since terrorism is usually targeted to produce a significant economic or psychological impact. This leads to a situation known in the insurance industry as adverse selection, where only the people most at risk purchase coverage, the same people who are likely to file claims. Moreover, terrorism losses are never random. They are carefully planned and often coordinated.

To underwrite terrorism insurance — to decide whether to offer coverage and what price to charge — insurers must be able to quantify the risk: the likelihood of an event and the amount of damage it would cause. Increasingly, they are using sophisticated modeling tools to assess this risk. According to the modeling firm AIR Worldwide, the way terrorism risk is measured is not much different from assessments of natural disaster risk, except that the data used for terrorism are more subject to uncertainty. It is easier to project the risk of damage in a particular location from an earthquake of a given intensity or a Category 5 hurricane than a terrorist attack because insurers have had so much more experience with natural disasters than with terrorist attacks, and therefore the data to incorporate into models are readily available.

One problem insurers face is the accumulation of risk. They need to know not only the likelihood and extent of damage to a particular building but also the company’s accumulated risk from insuring multiple buildings within a given geographical area, including the implications of fire following a terrorist attack. In addition, in the U.S., workers’ compensation insurers face concentrations of risk from injuries to workers caused by terrorism attacks. Workers’ compensation policies provide coverage for loss of income and medical and rehabilitation treatment from “first dollar,” that is, without deductibles.

Extending the Terrorism Risk Insurance Act (TRIA):

There is general agreement that TRIA has helped insurance companies provide terrorism coverage because the federal government’s involvement offers a measure of certainty as to the maximum size of losses insurers would have to pay and allows them to plan for the future. However, when the act came up for renewal in 2005 and in 2007, there were some who believed that market forces should be allowed to deal with the problem. Both the U.S. Government Accountability Office and the President’s Working Group on Financial Markets published reports on terrorism insurance in September 2006. The two reports essentially supported the insurance industry in its evaluation of nuclear, biological, chemical and radiological (NBCR) risk — that it is uninsurable — but the President’s Working Group said that the existence of TRIA had inhibited the development of a more robust market for terrorism insurance, a point on which the industry disagrees. TRIA is the reason that coverage is available, insurers say. The structure of the program has encouraged the development of reinsurance for the layers of risk that insurers must bear themselves — deductible amounts and coinsurance — which in turn allows primary insurers to provide coverage. Without TRIA, there would be no private market for terrorism insurance.

Studies by various organizations have supported a temporary continuation of the program in some form, including the University of Pennsylvania’s Wharton School, the RAND Corp. and the Organization of Economic Cooperation and Development (OECD), an organization of 30 member countries, many of which have addressed the risk of terrorism through a public/private partnership. The OECD said in an analysis that financial markets have shown very little appetite for terrorism risk because of the enormousness and unpredictability of the exposure. RAND argued not only that TRIA should be extended but also that Congress should act to increase the business community’s purchase of terrorism insurance and lower its price. RAND also advocated mandatory coverage for some “vital systems,” establishing an oversight board and increasing efforts to mitigate the risks.

For the full report from which this is excerpted, click here.

A Private Sector Healthcare Solution That We Can Smile About

In 2012, Illinois Governor Pat Quinn decided to cut $1.6 billion from the state’s Medicaid program to help get the state’s finances under control. Among the benefits slashed was dental coverage for adults.

The Land of Lincoln was only the latest cash-strapped state to scrap dental coverage under Medicaid, joining the likes of Pennsylvania, Massachusetts, California, and Washington.

States must do something to prevent Medicaid from taking over their budgets entirely. But these cuts in dental benefits may only deliver temporary fiscal relief — and end up costing states more in the long run.

Fortunately, there’s a way out of this conundrum. It’s called a “dental service organization” (DSO). The Pacific Research Institute recently released a study by Wayne Winegarden and Donna Arduin entitled “The Benefits Created by Dental Service Organizations” that illustrates how dental service organizations are leveraging the power of market competition to deliver dental benefits cost-effectively now — with an eye on avoiding even more expensive dental and medical procedures later.

In most states, low-income Americans have little to no access to dental care. Only about half of state Medicaid programs cover anything beyond treatment of dental pain and emergency room visits for their poor.

In states where Medicaid does cover trips to the dentist, many beneficiaries can’t find a doctor who will see them, thanks to the program’s absurdly low reimbursement rates.

According to a Pew Research Center study, Medicaid pays dentists around 60 cents on the dollar in 26 states. Just one state paid dentists 100 percent of their normal fees, while 14 paid less than half.

As a result, only a third of dentists will treat Medicaid patients. A Government Accountability Office (GAO) report found that in many states, most dentists “treat few or no Medicaid patients.”

So the poor don’t get many check-ups. According to the Agency for Healthcare Research and Quality, only one-third of poor children saw a dentist in 2008. In contrast, nearly two-thirds of those from high-income families did so. A Pew Center study found that one in five poor children — 17 million in total — go without dental care each year.

This has serious long-term consequences. The GAO found that one in three children had untreated tooth decay — twice the rate of those covered by private insurance — and one in nine had untreated decay in three or more teeth.

“Dental disease remains a significant problem for children aged 2 through 18 in Medicaid,” it concluded.

The Pew study notes that “a ‘simple cavity’ can escalate through their childhoods and well into their adult lives, from missing significant numbers of school days to risk of serious health problems and difficulty finding a job.”

And it’s these significant health problems that can quickly erase any savings a state thinks it generates by eliminating dental coverage under Medicaid.

As the Children’s Dental Health Project explains, when the poor go without routine dental care, they often end up in emergency rooms. A three-year comparison found that treating dental problems in emergency rooms cost 10 times more than preventive treatment provided in a dentist’s office.

States could simply pay dentists more. One study found that dentists’ participation increased by at least a third, and sometimes more than doubled, in states that boosted Medicaid payments.

But the reality is that they can’t afford to do so — as their strained budgets have caused them to cut dental coverage in the first place.

Enter the dental service organization. Starting in the late 1990s, dentists began banding together under dental service organizations, taking advantage of economies of scale in order to cut overhead costs and provide quality service at much lower prices. The dental service organization handles marketing, human resource support, accounting and billing, spreading costs efficiently across several practices.

Today there are more than 3,500 dental service organizations in operation, according to the Dental Group Practice Association. And according to a 2012 study by Laffer Associates, the cost per patient among dental service organizations operating in Texas was almost half that of traditional dental offices — $484, versus $712. At one dental service organization, Kool Smiles, the per-patient cost was just $345.

Because dental service organizations can operate more efficiently than a single dentist office, they can cope with Medicaid’s low reimbursement rates and heavy paperwork requirements, providing care for the poor without losing money on each patient they see.

And they’re starting to make an impact. The Children’s Dental Health Project has found that over the past decade, the share of poor children who’ve seen a dentist has climbed, and it attributed 20 percent of that increase to the expansion of dental service organizations.

Dental service organizations stand out as an excellent example of private-sector innovation that can help solve a serious public health problem — while saving taxpayers money.

That’s something to smile about.