Identity Thieves Bypass IRS Protections for Previous Victims

March 1, 2016

The Tax Foundation noted last year that identity thieves filed hundreds of thousands of fraudulent tax returns with the help of an insecure IRS website that allowed them to get victims’ tax filings from previous years. The IRS website that enabled identity thieves has been taken offline, but the IRS is still enabling identity thieves to get all of the information they need to file fraudulent returns for previous victims.

Last year, the IRS’s Get Transcript website allowed anyone with specific personal knowledge to access their previous filings. However, this knowledge-based authentication (KBA) using data from credit reports is relatively easy to fool. Searching Google for the intended victim can return most of the information required by KBA questions. The IRS, in acknowledging their role in facilitating this identity theft, closed down the Get Transcript website. Unfortunately, they have not abandoned the flawed approach of using KBA for protecting taxpayer data.

The IRS provides an Identity Protection PIN (IP PIN) to victims of identity theft with the goal of preventing it going forward. This IP PIN is mailed to individuals at the start of tax season, and is required to file a return. But the IRS also allows taxpayers to retrieve their IP PIN online by answering the same kinds of knowledge-based authentication questions that let thieves take advantage of the older Get Transcript website.

Computer crime reporter Brian Krebs published this account of Becky Wittrock, a previous identity theft victim whose IP PIN was compromised:

“I tried to e-file this weekend and the return was rejected,” Wittrock said. “I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”

Wittrock said that to verify herself to the IRS representative, she had to regurgitate a litany of static data points about herself, such as her name, address, Social Security number, birthday, how she filed the previous year (married/single/etc), whether she claimed any dependents and if so how many.

“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.’”

Wittrock noted that the IRS representative said that they would be moving away from using the IP PIN in the near future and replacing it with a different system. No details are known about how this new system might function or if it will avoid the insecure knowledge-based approach to authentication.


Related Articles