IRS Suspends Insecure Get IP PIN Feature
By Brian Krebs
Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called Identity Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund fraud on innocent taxpayers two years running.
Last week, this blog told the story of Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., who received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.
The problem, as Wittrock’s case made clear, is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates, and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
In a statement issued Monday evening, the IRS said that as part of its ongoing security review, the agency was temporarily suspending the Identity Protection PIN tool on IRS.gov.
“The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool,” the agency said.
According to the IRS, of the 2.7 million IP PINs sent to taxpayers by mail for the current filing season, about 5 percent of those – approximately 130,000 – used the online tool to try retrieving a lost or forgotten IP PIN. The agency said that through the end of February 2016, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.
“For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns,” the statement continued. “These strengthened review procedures – which are invisible to taxpayers – have helped detect potential identity theft and stopped refund fraud. Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.”
Eight hundred taxpayers may not seem like a lot of folks impacted by this security weakness, but then again the IRS doesn’t release stats on fraud it may have missed. Also, the agency has a history of significantly revising the victim numbers upwards in incidents like these.
For example, the very same weakness caused the IRS to disable online access to its “Get Transcript” feature in May 2015. The IRS originally said a little over 100,000 people were impacted by the Get Transcript weakness, a number it later revised to 340,000 and last month more than doubled again to more than 700,000 taxpayers.
So much for having an NSA. They spy on us and they can't even protect their own systems. We want our tax money back! Gov't efficiency ftw!
Iiiiittttt'sssss Eeeeeellllllllleeeeeecccccccctttttrrrrrrrrrrrrrrii IIIIIIIIIIIIIIIIICCCCCCCCCCCC!!!!!!!!!!!!!!!!!!!! WWWWHHHHHHOOOOOOOAAAAAAAHHHHHHHH!!!!
390,000 More Victims Of IRS.Gov Weakness
By Brian Krebs
The U.S. Internal Revenue Service (IRS) today sharply revised previous estimates on the number of citizens who were hit by tax refund fraud since 2014 thanks to a security weakness in the IRS’s own Web site. According to the IRS, at least 724,000 citizens were victims of refund fraud after crooks figured out how to abuse a (now defunct) IRS Web site feature called “Get Transcript” to steal victims’ prior tax data.
The number is more than double the figures the IRS released in August 2015, when it said some 334,000 taxpayers were refund fraud victims because of criminal schemes that drew on authentication weaknesses in the agency’s Get Transcript feature.
Turns out, those August 2015 estimates were themselves more than triple the figure from May 2015, when the IRS shut down its Get Transcript feature and announced it thought crooks had abused the feature to pull previous years’ tax data on just 110,000 citizens.
In a statement released today, the IRS said a more comprehensive, nine-month review of the Get Transcript feature since its inception in January 2014 identified the “potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014 through May 2015.”
The IRS said an additional 295,000 taxpayer transcripts were targeted but access was not successful, and that mailings notifying these taxpayers will start February 29. The agency said it also is offering free credit monitoring through Equifax for affected consumers, and placing extra scrutiny on tax returns from citizens with affected SSNs.
As I warned in March 2015, the flawed Get Transcript function at issue required taxpayers who wished to obtain a copy of their most recent tax transcript to provide the IRS’s site with the following information: the applicant’s name, date of birth, Social Security number and filing status. After that data was successfully supplied, the IRS used a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeded in supplying the correct answers could see the applicant’s full tax transcript, including prior W-2s, current W-2s and more or less everything one would need to fraudulently file for a tax refund.
These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried. The IRS said it identified some 1.3 million attempts to abuse the Get Transcript service since its inception in January 2014; in 724,000 of those cases the thieves succeeded in answering the KBA questions correctly.
The IRS’s answer for tax refund fraud victims — the Identity Protection (IP) PIN — is just as flawed as the now defunct Get Transcript system. These IP PINs, which the IRS has already mailed to some 2.7 million tax ID theft victims, must be supplied on the following year’s tax return before the IRS will accept it.
The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site after supplying the answers to the same type of KBA questions from Equifax that opened the Get Transcript feature to exploitation by fraudsters. These KBA questions focus on things such as previous address, loan amounts and dates, and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
ID thieves understand this all too well, and even a relatively unsophisticated gang engaged in this activity can make millions via tax refund fraud. Last week, a federal grand jury in Oregon unsealed indictments against three men accused of using the IRS’s Get Transcript feature to obtain 1,200 taxpayers’ transcripts. In total, the authorities allege the men filed over 2,900 false federal tax returns seeking over $25 million in fraudulent refunds. The IRS says it rejected most of those claims, but that the gang managed to successfully obtain $4.7 million in illegal refunds.
HOW BAD WAS IT OVERALL IN 2015?
The IRS hasn’t officially released numbers on how much tax refund fraud it saw overall in 2015, but in response to questions from KrebsOnSecurity it offered figures on how many fraudulent returns it detected and blocked last year.
“In calendar year 2015, the IRS rejected or suspended the processing of 4.8 million suspicious returns. The IRS stopped 1.4 million confirmed identity theft returns, totaling $8.7 billion,” the agency said in a statement. “Additionally, in calendar year 2015, the IRS stopped $3.1 billion worth of refunds in other types of fraud. That’s a total of $11.8 billion in confirmed fraudulent refunds protected.”
Again, these numbers do not reflect how many fraudulent refunds were paid out in calendar year 2015 due to ID theft, and as we can see with the numbers tied to the Get Transcript fiasco, these numbers have a way of changing significantly upward over time. I mention that because something about these numbers doesn’t seem to square with figures previously released by the Government Accountability Office and the Federal Trade Commission.
Last month, the FTC said it saw an almost 50 percent spike in ID theft claims in 2015, a jump that was thanks largely to a huge uptick in consumer reports of tax refund fraud. Likewise, a report by the IRS last year indicates that between Jan. 1, 2015 and Sept. 30, 2015, the IRS saw more than 600,000 incidents of tax-related ID theft, up more than 50 percent over 2014, and 30 percent over 2013.
According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.
The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don't Be A Victim of Tax Refund Fraud in 2016 for more tips on avoiding this ID theft headache.