Tax preparers are encountering new measures designed to protect taxpayer information from data breaches, including software and application login processes and session timeouts that can reduce efficiency.
The frequency and severity of data breaches, identity theft and other types of electronic fraud have been increasing at an alarming rate over the past two years. Cyber criminals have become more sophisticated, and their attacks continue to expand in scope and adaptability.
Recent studies indicate that financial services, small businesses, and individuals are in substantial danger from data breaches, identity theft, and fraud.
- Tax ID Theft Is the Most Commonly Reported Type: Tax- or wage-related ID theft is the most commonly reported type of ID theft, accounting for 46% of reported incidents. (AllClearID, March 2016)
- In 2015 the largest segment of personal identity theft (49.2%) targeted government documents or benefits fraud. (http://www.iii.org/fact-statistic/identity-theft-and-cybercrime)
- 99% of computer users are vulnerable to software vulnerabilities. (Heimdal Security)
The Internal Revenue Service has joined with representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators to combat identity theft refund fraud to protect the nation’s taxpayers.
More info for you here: https://www.irs.gov/uac/security-summit
At the summit, and in the subsequent months, participants discussed, researched, and collaborated to identify solutions to protect the public from cyber criminals. As a result of their work, the IRS and its Security Summit Partners provided new security recommendations for software manufacturers affecting the 2017 filing year.
Recognizing the importance of protecting their users, tax software producers made voluntary changes to their products with their latest updates and new releases. Some software packages and web-based applications introduced new features which have increased the complexity of the login process in order to verify that a user is a flesh-and-blood tax professional.
Tax professionals have been used to logging into their tax software and working throughout the day without interruption. With the new security measures, the tax professional must log in as before, and then respond to a prompt, commonly known as “captcha,” which often involves correctly identifying portions of an image to confirm that the user is not a robot. This is known as “two-factor authentication” and is more time consuming than entering the username and password alone.
In addition to two-factor authentication, many software manufacturers built in another feature: session termination. This security feature makes the program (or application) log out a user if it is unused for thirty minutes, even if the computer is being used for other purposes.
John Sapp, VP of Strategic Development at Drake Software, likens this to something that consumers and preparers have already experienced.
“If someone is using online banking, and they’ve left the window open for some time without doing anything, the website will lock them out, and they’ll have to log in again.”
Mr. Sapp also shared the specific implementation of the security feature in both their software and web-based products:
“We do an ‘in place lockout’. We put up a screen requiring them to enter their login information. Where they were in the software remains visible in the background but inaccessible until they log in.”
Drake’s system offers no warning of the impending logout on desktop software. Their web-based system differs in two ways: it warns users of the approaching timeout, and its session terminates after twenty minutes.
Other tax preparation software providers have created their own variations on enhanced security protocols that differ from Drake’s implementation. CCH details their approach on this web page.
Second Vice President Brian Thompson explains Thomson Reuters’ approach and its impact on his workflow.
“Thomson Reuters has now created a ‘single’ login which is used for their suite of software. The single login has made getting access and keeping access to the software a little easier and also does not have (related) programs time out because of inactivity. Unfortunately, when you first open up a program, let’s say the Fixed Asset program, where you’ve already “logged in” to the Ultra Tax program, the Fixed Asset program opens the ‘old faithful’ login window; it shows up on the desktop for about 4-5 seconds before going away…Thankfully with the single login, the other related programs do not time out as long as you are active in one of the programs associated with the login (is in use). Once I log back in, I’m back exactly where I left off.”
The National Society of Accountants has expressed concern that the session lock and two-factor authentication may adversely affect the workflow of accountants and tax professionals. Responding to the session lock requires more time by virtue of the two-factor authentication, and tax preparers are often working in a number of other applications during the day (spreadsheets, file folders and so on) that draw attention away from their tax software and other applications.
Brian Thompson foresees a similar result:
“Workflow will be affected some just because of the extra steps it takes to get access to the software initially, as well as when you have been automatically logged out because of inactivity. We use a suite of software and each individual software requires a separate login. I expect a lot of opportunities to log back in because one of the software pieces has been inactive.”
Considering the statistics and the tremendous damage caused by cyber crimes, fraud and identity theft, there is no doubt that increased security measures are necessary. The National Society of Accountants completely supports efforts to protect practitioners and clients alike, but concern over the implementation of the IRS recommendations remains. Tax preparers’ workflow could be adversely affected by two-factor login and session timeout, and it might impact how clients are served.
The NSA advocates the exploration of alternative security features that preserve preparer and client safety but impact workflow less. Only with further examination can modifications to the session termination feature, addressing both security issues and the concerns of tax professionals, be proposed. The NSA intends to bring these topics to the attention of the IRS and IRS Security Summit partners, and work with them to develop effective verification and security recommendations that meet everyone’s needs.
About the Author
James Crawford is a Communications Manager with the National Society of Accountants.