IRS Tool Designed To Protect Identity Theft Victims -- Exposes Users To Identity Theft

from the bang-up-job dept

Last year, the personal records of 100,000 taxpayers wound up in the hands of criminals, thanks to a flimsy authentication process in the agency's "Get Transcript" application. In short, the IRS used all-too-common static identifiers to verify taxpayer identity (information that could be found anywhere), allowing criminals to use the system to then obtain notably more sensitive taxpayer information and ultimately steal finances. At the time, the IRS breathlessly insisted it would be shoring up its security standards, though it failed to really detail how it would accomplish this.

Tax return fraud has since become a burgeoning industry unto itself, with crooks consistently gaming IRS systems to fool the IRS into sending your money to a criminal's account, something victims only discover when they find their own, legitimate tax returns rejected. To protect these compromised users, the IRS has employed a system wherein it mails these victims a six-digit "Identity Protection (IP) PIN." That pin has been mailed to some 2.7 million victims, and must be entered into the following year's tax return. But not-too-surprisingly, this pin system is also notably easy to game, relying heavily on commonly available user data:

...The trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency's Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or "out-of-wallet" questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

So yes, that's an agency already hit several times by fraud and internal scandals providing an identity theft tool -- that can be used to help steal your identity. A CPA by the name of Becky Wittrock, who had fallen victim to identity theft in 2014, notes she's now been a repeat victim after thieves impersonated her, then used the IRS's crappy pin system to:

Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. "So, last year I was devastated by this," Wittrock said, "But this year I'm just pissed."

After spending more time trying to prove her identity to the IRS than the thief apparently did, Wittrock was told that next year the IRS will be ditching the pin system for a murky system that may rely on users' driver's licenses. Granted, we do seem to enjoy gutting IRS funding, staffing, authority and overall resources, only to complain that the agency sucks at doing its job. Still, that's no excuse for not implementing some fundamental authentication common sense. Meanwhile, the IRS's repeated failures are troubling for a government that's intent on viewing itself as the foremost expert in cyber-warfare and security, yet still can't manage to keep wolves out of its own henhouse.

Filed Under: hack, identity theft, irs