Letter to IRS Commissioner Re IRS Website Data Vulnerability
I just e-mailed this letter (PDF version here) to IRS Commissioner Koskinen, CCing several others. Paper copies of the letter and supporting documents are being hand-delivered to Commissioner Koskinen, Representative Chaffetz, and Senator Crapo.
February 18, 2016
1111 Constitution Avenue NW, Suite 5480
Washington, DC 20224
Dear Commissioner Koskinen:
I want to draw your attention to a very problematic feature on the current IRS website that represents a strong threat to data privacy of American taxpayers. The “Get My Electronic Filing PIN” page, https://sa.www4.irs.gov/irfof-efp/start.do, which enables taxpayers to obtain an IRS-provided number to file their taxes online, requires such minimal information that any data thief worth his salt would already have it. Currently, anyone who has someone’s Social Security number, address, and date of birth can steal someone’s identity using this IRS page.
As first noticed by reporter Luca Gattoni-Celli of Tax Analysts, the page lacks the security features that would be necessary to prevent its usage as an instrument of defrauding taxpayers:
- A “CAPTCHA” feature that requires users to demonstrate that they are human before accessing sensitive data.
- Information beyond that which any hacker or data thief would have access to. Many similar state websites, for example, require entering information from the previous year’s tax return to verify identity before granting access to filing. The IRS actually says in its publications that it requires users to submit the previous year’s adjusted gross income, but that is not the case: I was able to generate an electronic filing PIN without providing that information.
- My web browser (Chrome) produces an error message on the page warning that it “uses a weak security configuration” including that “the server did not supply any Certificate Transparency information” and that the “connection is encrypted using an obsolete cypher suite.”
The whole point of requiring a PIN to file electronically is to minimize identity theft, so it is sadly ironic that the process to obtain an electronic PIN is so easy that it makes the whole point of obtaining one pointless at best and makes identity theft easier at worst.
I understand, from the Gattoni-Celli article, that your officials played down the identity theft potential of this webpage, responding that “the e-file PIN could only be used for the current-year tax return” and that the page exists as an alternative for taxpayers who cannot access their previous AGI information or self select PIN. With respect, this answer is not good enough. The IRS is using identifiers to verify identity that are not secret, and it represents a massive vulnerability waiting to happen.
I hope by drawing attention to this matter, the IRS will act quickly to remove the page and improve its website security before taxpayers are hurt.
Please do not hesitate to contact me if you have any questions.
Yours Very Truly,
Joseph D. Henchman
Vice President, Legal & State Projects
CC: Representative Jason Chaffetz, Chairman, House Committee on Oversight and Government Reform;
Senator Mike Crapo, Chairman, Senate Finance Committee Subcommittee on Taxation and IRS Oversight;
Jack Lew, Secretary of the Treasury
Nina Olson, National Taxpayer Advocate