IRS Strikes Again – IP PIN Epic Fail

We wrote last year about how the IRS and its Get Transcript service were instrumental in helping identity thieves file fraudulent tax returns for big refunds.  The problem was that the IRS authenticated users with static identity information that was already available elsewhere online.  They promised to fix this security problem, but have not.  This year, many users of the IP PIN system that was supposed to harden security have found that criminals have filed before them yet again.

According to the IRS website:

“The IRS IP PIN is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of their Social Security number on fraudulent federal income tax returns. The IP PIN helps us verify a taxpayer’s identity and accept their electronic or paper tax return.”

What is really awesome (not really) about the IP PIN is that you can’t get one until after you have been a victim. You can’t just go and get one if you wanted to.

“You’re eligible for an IP PIN if:

  • You’re a victim of identity theft and we have resolved your case. As a result, we placed an identity theft indicator on your account and in December 2015/January 2016, we sent you a CP01A Notice containing your IP PIN, or
  • You filed your federal tax return last year as a resident of Florida, Georgia or the District of Columbia, or
  • You received an IRS letter inviting you to ‘opt-in’ to get an IP PIN.”

And the comedy continues.  About that CP01A notice:

“Due to an error, taxpayers are receiving Identity Protection PIN letters with an incorrect year listed. Taxpayers and tax professionals should be advised the IP PIN listed on the CP01A Notice dated January 4, 2016 is valid for use on all individual tax returns filed in 2016.”

So I think it is fair to say that the IRS has a way to go before we can consider our electronic information and transactions with them to be truly secure.

The United States claims to be very good at cyber-surveillance and cyber-war, but the overwhelming evidence is that it is terrible at cybersecurity.  Consider its $6 billion Einstein firewall.  This is another glaring example of why we cannot trust any branch or department of the government with secret master keys to break encryption: they are leakier than a screen door.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
