Many companies featured on Money advertise with us. Opinions are our own, but compensation and
in-depth research determine where and how companies may appear. Learn more about how we make money.

Advertiser Disclosure

The purpose of this disclosure is to explain how we make money without charging you for our content.

Our mission is to help people at any stage of life make smart financial decisions through research, reporting, reviews, recommendations, and tools.

Earning your trust is essential to our success, and we believe transparency is critical to creating that trust. To that end, you should know that many or all of the companies featured here are partners who advertise with us.

Our content is free because our partners pay us a referral fee if you click on links or call any of the phone numbers on our site. If you choose to interact with the content on our site, we will likely receive compensation. If you don't, we will not be compensated. Ultimately the choice is yours.

Opinions are our own and our editors and staff writers are instructed to maintain editorial integrity, but compensation along with in-depth research will determine where, how, and in what order they appear on the page.

To find out more about our editorial process and how we make money, click here.

By Kerri Anne Renzulli
March 2, 2016
Andrew Harrer—Bloomberg via Getty Images

The IRS seems to be falling short on shielding taxpayers from tax return fraud.

To protect previous victims of falsified returns and data breaches — such as the IRS’s own 2015 hacking, which resulted in 724,000 stolen taxpayer records, according to the agency’s most recent investigation — the IRS assigns them an “Identity Protection PIN.” That’s a six-digit code that acts as a second form of verification and must be included on all tax forms.

But at least one of the these IP PINs has itself been compromised, according to security researcher and journalist Brian Krebs. South Dakota accountant Becky Wittrock told Krebs she was assigned a PIN in 2014, after becoming a victim of fraud, and that when she went to file her tax return this year, the agency told her that PIN had already been used.

‘A Big Problem’

Thieves had beat her to filing by more than three weeks, and filed a large refund request. When she called the agency, she said, they told her that the fraudulent use of IP PINs was “a big problem for them this year.”

It’s possible, of course, that this is an isolated case. The IRS has released no statement on how widespread the problem is, and the press office did not respond immediately to a question about the matter.

But Krebs points out that one key issue with the IP PIN system is that codes can be retrieved using the same technology that the thieves hacked last year. This technology, known as knowledge-based authentication (sometimes called KBA), asks taxpayers four multiple-choice questions about their credit history — such as “On which of the following streets have you lived?”

And these questions can be easily answered with random guessing or answers found through searching Zillow or Facebook, Krebs writes.

Just as Vulnerable?

The hackers who successfully stole past tax transcripts through the agency’s “Get Transcript” program between January 2014 and May 2015 figured out how to correctly answer these questions. And even though the agency took down that tool, Krebs argues that, by using the same KBA system, the IP PIN anti-theft measure will be just as vulnerable to abuse.

This shouldn’t come as a surprise to the IRS. A 2015 Government Accountability Office report on the authorization process noted that, in an IRS analysis, “some likely identity thieves were able to correctly answer authentication questions while some legitimate taxpayers were not.”

The IRS told Quartz that “most taxpayers receive their IP PIN via mail and never use the tool,” and that, “unlike Get Transcript, the IP PIN tool is available to a limited number of taxpayers who must have special markers on their tax accounts.” It did tell Quartz, however, that it is already reviewing the authentication process for IP PIN retrieval.

Advertiser Disclosure

The purpose of this disclosure is to explain how we make money without charging you for our content.

Our mission is to help people at any stage of life make smart financial decisions through research, reporting, reviews, recommendations, and tools.

Earning your trust is essential to our success, and we believe transparency is critical to creating that trust. To that end, you should know that many or all of the companies featured here are partners who advertise with us.

Our content is free because our partners pay us a referral fee if you click on links or call any of the phone numbers on our site. If you choose to interact with the content on our site, we will likely receive compensation. If you don't, we will not be compensated. Ultimately the choice is yours.

Opinions are our own and our editors and staff writers are instructed to maintain editorial integrity, but compensation along with in-depth research will determine where, how, and in what order they appear on the page.

To find out more about our editorial process and how we make money, click here.

EDIT POST