The U.S. Internal Revenue Service (IRS) today sharply revised previous estimates on the number of citizens that had their tax data stolen since 2014 thanks to a security weakness in the IRS’s own Web site. According to the IRS, at least 724,000 citizens had their personal and tax data stolen after crooks figured out how to abuse a (now defunct) IRS Web site feature called “Get Transcript” to steal victim’s prior tax data.

The number is more than double the figures the IRS released in August 2015, when it said some 334,000 taxpayers had their data stolen via authentication weaknesses in the agency’s Get Transcript feature.

Turns out, those August 2015 estimates were more than tripled from May 2015, when the IRS shut down its Get Transcript feature and announced it thought crooks had abused the Get Transcript feature to pull previous year’s tax data on just 110,000 citizens.

In a statement released today, the IRS said a more comprehensive, nine-month review of the Get Transcript feature since its inception in January 2014 identified the “potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014 through May 2015.”

The IRS said an additional 295,000 taxpayer transcripts were targeted but access was not successful, and that mailings notifying these taxpayers will start February 29. The agency said it also is offering free credit monitoring through Equifax for affected consumers, and placing extra scrutiny on tax returns from citizens with affected SSNs.

The criminal Get Transcript requests fuel refund fraud, which involves crooks claiming a large refund in the name of someone else and intercepting the payment. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

As I warned in March 2015, the flawed Get Transcript function at issue required taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS’s site with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data was successfully supplied, the IRS used a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers could see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried. The IRS said it identified some 1.3 million attempts to abuse the Get Transcript service since its inception in January 2014; in 724,000 of those cases the thieves succeeded in answering the KBA questions correctly.

The IRS’s answer to tax refund victims — the Identity Protection (IP) PIN — is just as flawed as the now defunct Get Transcript system. These IP PINS, which the IRS has already mailed to some 2.7 million tax ID theft victims, must be supplied on the following year’s tax application before the IRS will accept the return.

The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to the same type of KBA questions from Equifax that opened the Get Transcript feature to exploitation by fraudsters. These KBA questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

ID thieves understand this all to well, and even a relatively unsophisticated gang engaged in this activity can make millions via tax refund fraud. Last week, a federal grand jury in Oregon unsealed indictments against three men accused of using the IRS’s Get Transcript feature to obtain 1,200 taxpayers transcripts. In total, the authorities allege the men filed over 2,900 false federal tax returns seeking over $25 million in fraudulent refunds. The IRS says it rejected most of those claims, but that the gang managed to successfully obtain $4.7 million in illegal refunds.

HOW BAD WAS IT OVERALL IN 2015?

The IRS hasn’t officially released numbers on how much tax refund fraud it saw overall in 2015, but in response to questions from KrebsOnSecurity it offered figures on how many fraudulent returns it detected and blocked last year.

“In calendar year 2015, the IRS rejected or suspended the processing of 4.8 million suspicious returns. The IRS stopped 1.4 million confirmed identity theft returns, totaling $8.7 billion,” the agency said in a statement. “Additionally, in calendar year 2015, the IRS stopped $3.1 billion worth of refunds in other types of fraud. That’s a total of $11.8 billion in confirmed fraudulent refunds protected.”

Again, these numbers do not reflect how many fraudulent refunds were paid out in calendar year 2015 due to ID theft, and as we can see with the numbers tied to the Get Transcript fiasco these numbers have a way of changing upward over time significantly. I mention that because something about these numbers doesn’t seem to square with figures previously released by the Government Accountability Office and the Federal Trade Commission.

Last month, the FTC said it saw an almost 50 percent spike in ID theft claims in 2015, a jump that was thanks largely to a huge uptick in consumer reports of tax refund fraud. Likewise, a report by the IRS last year indicates that between Jan. 1, 2015 and Sept. 30, 2015, the IRS saw more than 600,000 incidents of ID tax-related ID theft, up more than 50 percent over 2014, and 30 percent over 2013.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.

Tags: Equifax, Federal Trade Commission, GAO, Get Transcript breach, Government Accountability Office, IP PIN, irs, KBA, knowledge-based authentication, tax refund fraud