I just e-mailed this letter (PDF version here) to IRS Commissioner Koskinen, CCing several others. Paper copies of the letter and supporting documents are being hand-delivered to Commissioner Koskinen, Representative Chaffetz, and Senator Crapo.
February 18, 2016
John Koskinen
IRS Commissioner
1111 Constitution Avenue NW, Suite 5480
Washington, DC 20224
Dear Commissioner Koskinen:
I want to draw your attention to a very problematic feature on the current IRS website that represents a strong threat to data privacy of American taxpayers. The “Get My Electronic Filing PIN” page, https://sa.www4.irs.gov/irfof-efp/start.do, which enables taxpayers to obtain an IRS-provider number to file their taxes online, requires such minimal information that any data thief worth his salt would already have. Currently, anyone who has someone’s Social Security number, address, and date of birth can steal someone’s identity using this IRS page.
As first noticed by reporter Luca Gattoni-Celli of Tax Analysts, the page lacks the security features that would be necessary to prevent its usage as an instrument of defrauding taxpayers:
- A “CAPTCHA” feature that requires users to demonstrate that they are human before accessing sensitive data.
- Information beyond that which any hacker or data thief would have access to. Many similar state websites, for example, require entering information from the previous year’s taxA tax is a mandatory payment or charge collected by local, state, and national governments from individuals or businesses to cover the costs of general government services, goods, and activities. return to verify identity before granting access to filing. The IRS actually says in its publications that it requires users to submit the previous year’s adjusted gross incomeFor individuals, gross income is the total pre-tax earnings from wages, tips, investments, interest, and other forms of income and is also referred to as “gross pay.” For businesses, gross income is total revenue minus cost of goods sold and is also known as “gross profit” or “gross margin.” , but that is not the case: I was able to generate an electronic filing PIN without providing that information.
- My web browser (Chrome) produces an error message on the page warning that it “uses a weak security configuration” including that “the server did not supply any Certificate Transparency information” and that the “connection is encrypted using an obsolete cypher suite.”
The whole point of requiring a PIN to file electronically is to minimize identity theft, so it is sadly ironic that the process to obtain an electronic PIN is so easy that it makes the whole point of obtaining one pointless at best and making identity theft easier at worst.
I understand, from the Gattoni-Celli article, that your officials played down the identity theft potential of this webpage, responding that “the e-file PIN could only be used for the current-year tax return” and that the page exists as an alternative for taxpayers who cannot access their previous AGI information or self select PIN. With respect, this answer is not good enough. The IRS is using identifiers to verify identity that are not secret, and it represents a massive vulnerability waiting to happen.
I hope by drawing attention to this matter, the IRS will act quickly to remove the page and improve its website security before taxpayers are hurt.
Please do not hesitate to contact me if you have any questions.
Yours Very Truly,
Joseph D. Henchman
Vice President, Legal & State Projects
Tax Foundation
CC: Representative Jason Chaffetz, Chairman, House Committee on Oversight and Government Reform;
Senator Mike Crapo, Chairman, Senate Finance Committee Subcommittee on Taxation and IRS Oversight;
Jack Lew, Secretary of the Treasury
Nina Olson, National Taxpayer Advocate