IRS Strikes Again – IP PIN Epic Fail

We wrote last year about how the IRS, through its Get Transcript service, was instrumental in helping identity thieves file fraudulent tax returns for big refunds. The problem was that the IRS verified users with static identity information that was available elsewhere online. They promised to fix this security problem, but have not. This year, many users of the IP PIN system that was supposed to harden security have found that criminals have filed before them yet again.

According to the IRS website:

“The IRS IP PIN is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of their Social Security number on fraudulent federal income tax returns. The IP PIN helps us verify a taxpayer’s identity and accept their electronic or paper tax return.”

What is really awesome (not really) about the IP PIN is that you can’t get one until after you have been a victim. You can’t just go and get one if you wanted to.

“You’re eligible for an IP PIN if:

  • You’re a victim of identity theft and we have resolved your case. As a result, we placed an identity theft indicator on your account and in December 2015/January 2016, we sent you a CP01A Notice containing your IP PIN, or
  • You filed your federal tax return last year as a resident of Florida, Georgia or the District of Columbia, or
  • You received an IRS letter inviting you to ‘opt-in’ to get an IP PIN.”

And the comedy continues.  About that CP01A notice:

“Due to an error, taxpayers are receiving Identity Protection PIN letters with an incorrect year listed. Taxpayers and tax professionals should be advised the IP PIN listed on the CP01A Notice dated January 4, 2016 is valid for use on all individual tax returns filed in 2016.”

So I think it is fair to say that the IRS has a way to go before we can consider our electronic information and transactions with them to be truly secure.

The United States claims to be very good at cyber-surveillance and cyber-war, but the overwhelming evidence is that they are terrible at cybersecurity.  Like their $6 billion Einstein firewall.  This is another glaring example of why we cannot trust any branch or department of the government with secret master keys to break encryption.  It’s because they are leakier than a screen door.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
