IRS System Meant to Protect ID Theft Victims Seems to Have Been Hacked
The IRS seems to be falling short on shielding taxpayers from tax return fraud.
To protect previous victims of falsified returns and data breaches -- such as the IRS's own 2015 hacking, which resulted in 724,000 stolen taxpayer records, according to the agency's most recent investigation -- the IRS assigns them an "Identity Protection PIN." That's a six-digit code that acts as a second form of verification and must be included on all tax forms.
But at least one of these IP PINs has itself been compromised, according to security researcher and journalist Brian Krebs. South Dakota accountant Becky Wittrock told Krebs she was assigned a PIN in 2014, after becoming a victim of fraud, and that when she went to file her tax return this year, the agency told her that PIN had already been used.
'A Big Problem'
Thieves had beaten her to filing by more than three weeks, and filed a large refund request. When she called the agency, she said, they told her that the fraudulent use of IP PINs was "a big problem for them this year."
It's possible, of course, that this is an isolated case. The IRS has released no statement on how widespread the problem is, and the press office did not respond immediately to a question about the matter.
But Krebs points out that one key issue with the IP PIN system is that codes can be retrieved using the same technology that the thieves hacked last year. This technology, known as knowledge-based authentication (sometimes called KBA), asks taxpayers four multiple-choice questions about their credit history -- such as "On which of the following streets have you lived?"
And these questions can be easily answered with random guessing or answers found through searching Zillow or Facebook, Krebs writes.
Just as Vulnerable?
The hackers who successfully stole past tax transcripts through the agency's "Get Transcript" program between January 2014 and May 2015 figured out how to correctly answer these questions. And even though the agency took down that tool, Krebs argues that, by using the same KBA system, the IP PIN anti-theft measure will be just as vulnerable to abuse.
This shouldn't come as a surprise to the IRS. A 2015 Government Accountability Office report on the authorization process noted that, in an IRS analysis, "some likely identity thieves were able to correctly answer authentication questions while some legitimate taxpayers were not."
The IRS told Quartz that “most taxpayers receive their IP PIN via mail and never use the tool,” and that, “unlike Get Transcript, the IP PIN tool is available to a limited number of taxpayers who must have special markers on their tax accounts.” It did tell Quartz, however, that it is already reviewing the authentication process for IP PIN retrieval.