Letter to IRS Commissioner Re IRS Website Data Vulnerability
I just e-mailed this letter (PDF version here) to IRS Commissioner Koskinen, CCing several others. Paper copies of the letter and supporting documents are being hand-delivered to Commissioner Koskinen, Representative Chaffetz, and Senator Crapo.
February 18, 2016
1111 Constitution Avenue NW, Suite 5480
Washington, DC 20224
Dear Commissioner Koskinen:
I want to draw your attention to a very problematic feature on the current IRS website that represents a strong threat to data privacy of American taxpayers. The “Get My Electronic Filing PIN” page, https://sa.www4.irs.gov/irfof-efp/start.do, which enables taxpayers to obtain an IRS-provider number to file their taxes online, requires such minimal information that any data thief worth his salt would already have. Currently, anyone who has someone’s Social Security number, address, and date of birth can steal someone’s identity using this IRS page.
As first noticed by reporter Luca Gattoni-Celli of Tax Analysts, the page lacks the security features that would be necessary to prevent its usage as an instrument of defrauding taxpayers:
- A “CAPTCHA” feature that requires users to demonstrate that they are human before accessing sensitive data.
- Information beyond that which any hacker or data thief would have access to. Many similar state websites, for example, require entering information from the previous year’s tax return to verify identity before granting access to filing. The IRS actually says in its publications that it requires users to submit the previous year’s adjusted gross income, but that is not the case: I was able to generate an electronic filing PIN without providing that information.
- My web browser (Chrome) produces an error message on the page warning that it “uses a weak security configuration” including that “the server did not supply any Certificate Transparency information” and that the “connection is encrypted using an obsolete cypher suite.”
The whole point of requiring a PIN to file electronically is to minimize identity theft, so it is sadly ironic that the process to obtain an electronic PIN is so easy that it makes the whole point of obtaining one pointless at best and making identity theft easier at worst.
I understand, from the Gattoni-Celli article, that your officials played down the identity theft potential of this webpage, responding that “the e-file PIN could only be used for the current-year tax return” and that the page exists as an alternative for taxpayers who cannot access their previous AGI information or self select PIN. With respect, this answer is not good enough. The IRS is using identifiers to verify identity that are not secret, and it represents a massive vulnerability waiting to happen.
I hope by drawing attention to this matter, the IRS will act quickly to remove the page and improve its website security before taxpayers are hurt.
Please do not hesitate to contact me if you have any questions.
Yours Very Truly,
Joseph D. Henchman
Vice President, Legal & State Projects
CC: Representative Jason Chaffetz, Chairman, House Committee on Oversight and Government Reform;
Senator Mike Crapo, Chairman, Senate Finance Committee Subcommittee on Taxation and IRS Oversight;
Jack Lew, Secretary of the Treasury
Nina Olson, National Taxpayer Advocate