IRS Strikes Again – IP PIN Epic Fail

We wrote last year about how the IRS and their Get Transcript service was instrumental in helping identity thieves file fraudulent tax returns for big refunds.  The problem was that the IRS verified identity with static personal information that was already available elsewhere online.  They promised to fix this security problem, but have not.  This year, many users of the IP PIN system that was supposed to harden security have found that criminals have filed before them yet again.

According to the IRS website:

“The IRS IP PIN is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of their Social Security number on fraudulent federal income tax returns. The IP PIN helps us verify a taxpayer’s identity and accept their electronic or paper tax return.”

What is really awesome (not really) about the IP PIN is that you can’t get one until after you have already been a victim. You can’t simply request one because you want the extra protection.

“You’re eligible for an IP PIN if:

  • You’re a victim of identity theft and we have resolved your case. As a result, we placed an identity theft indicator on your account and in December 2015/January 2016, we sent you a CP01A Notice containing your IP PIN, or
  • You filed your federal tax return last year as a resident of Florida, Georgia or the District of Columbia, or
  • You received an IRS letter inviting you to ‘opt-in’ to get an IP PIN.”

And the comedy continues.  About that CP01A notice:

“Due to an error, taxpayers are receiving Identity Protection PIN letters with an incorrect year listed. Taxpayers and tax professionals should be advised the IP PIN listed on the CP01A Notice dated January 4, 2016 is valid for use on all individual tax returns filed in 2016.”

So I think it is fair to say that the IRS has a way to go before we can consider our electronic information and transactions with them to be truly secure.

The United States claims to be very good at cyber-surveillance, and cyber-war, but the overwhelming evidence is that they are terrible at cybersecurity.  Like their $6 billion Einstein firewall.  Another glaring example of why we cannot trust any branch or department of the government with secret master keys to break encryption.  It’s because they are leakier than a screen door.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
