In the wake of automated attacks speeding up, the US tax overlords – the Internal Revenue Service (IRS) – has likewise sped up plans to deep-six its repeatedly hacked PIN system.
The IRS on Thursday announced that it’s removed its electronic filing PIN tool (e-File PIN), formerly available on IRS.gov or by toll-free phone call, following “additional questionable activity.”
Additional, as in, on top of 800 identity thefts that had already caused the IRS to suspend the PIN system in March 2016 (though it told taxpayers who already had an IP PIN at the time to continue to file their tax returns as they normally would).
The e-File PIN, also known as the Identity Protection (IP) PIN, is a supposedly special, strong form of two-factor authentication (2FA) meant to protect taxpayers from ID fraud: a six-digit number that, oddly enough, the US tax authority only sent to taxpayers who’d already been victimized.
Those PINs were for victimized taxpayers to include on future tax returns as an extra layer of security, since cybercrooks had already stolen their taxpayer IDs – i.e., their Social Security Numbers (SSNs).
The idea was that without a valid IP PIN, you couldn’t login, even if you were a crook armed with somebody’s SSN.
“Great!” we said, as did the vast majority of readers. “Why can’t everybody get one?”
The problem with the PIN retrieval system, presumably, was that it used the same knowledge-based authentication that led to last year’s breach of the agency’s Get Transcript service: a service that allowed taxpayers to retrieve details of their past tax returns.
Applicants had to answer four questions about themselves to get a number, along the lines of “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”
But scammers can dig out, guess, or buy personal data like that online. That can enable them to get the PIN, with which they then try to file a bogus return.
Even before last year’s Get Transcript breach, a report by the Government Accountability Office pointed out the weaknesses in the PIN retrieval system.
But for whatever reason, the IRS left it in place.
And along with that status quo came an increase, over recent years, in automated attacks from crooks who’ve gone out of their way to get access to innocent users’ online tax submission accounts.
In February, we got wind of the thieves having struck again. This time, they used a list of known SSNs to repeatedly try to access the IRS’s Get My Electronic Filing PIN portal.
At the time, the crooks were after the PINs corresponding to 464,000 previously stolen SSNs and other taxpayer data. The IRS blocked that automated bot, but not before it had successfully grabbed 100,000 PINs.
The Get Transcript tool only reveals the PIN. It doesn’t reveal taxpayer data.
In the statement put out on Thursday, the IRS said that the criminals stole the SSNs somewhere else, and not from the agency. In addition to the SSNs, the crooks also used taxpayers’ names, addresses, filing status, and dates of birth to access the e-File PIN.
After this history of repeated attacks, why didn’t the IRS throw in the towel on the IP PIN after that February attack?
It says that it couldn’t: links to the tool are woven into “almost all” of the commercial tax software products that consumers use to file their tax returns. The IRS said it did, however, add “additional defenses,” including extra scrutiny for returns with e-File PINs.
But recently, the automated attacks sped up. The increasing frequency of attacks only affected “a small number of e-File PINs,” the IRS said. Those attacks were spotted thanks to additional defenses put in place earlier this year, along with backend protections.
The IRS didn’t give details on the beefed-up security measures, but we already know that the procedures running invisibly in the background include looking for improper or repetitive use of IP numbers, for example, along with other measures the IRS outlined last June.
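The February attack described above was a bot working through a list of stolen identities against a single retrieval endpoint, and the “repetitive use of IP numbers” check is the obvious backend counter to it. The following Python is an added example, not IRS code: it scans a few constructed log lines (the format, the opaque `tid=` identifier and the thresholds are all assumptions) and flags a source IP that looks up many distinct identities in a short window, while leaving alone an IP that merely retries the same identity a few times.

```python
"""Flag source IPs that query a PIN-retrieval endpoint for many distinct identities.

Added example. The log format, the opaque taxpayer id (a hash, never an SSN) and
the window/threshold values are assumptions, not anything the IRS has published.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
# Fields: timestamp, source IP, opaque taxpayer id, lookup outcome.
SAMPLE_LOG = """\
2016-06-23T10:00:01Z 203.0.113.7 tid=a1f3 result=ok
2016-06-23T10:00:02Z 203.0.113.7 tid=b72c result=fail
2016-06-23T10:00:02Z 203.0.113.7 tid=c9e0 result=ok
2016-06-23T10:00:03Z 203.0.113.7 tid=d004 result=fail
2016-06-23T10:00:03Z 203.0.113.7 tid=e1b5 result=ok
2016-06-23T10:00:04Z 203.0.113.7 tid=f67a result=ok
2016-06-23T10:00:10Z 198.51.100.4 tid=0a1b result=ok
2016-06-23T10:05:00Z 198.51.100.4 tid=0a1b result=fail
2016-06-23T10:06:00Z 198.51.100.4 tid=0a1b result=ok
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, ip, tid_field, result_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "tid": tid_field.split("=", 1)[1],
        "ok": result_field.split("=", 1)[1] == "ok",
    }


def find_enumerating_ips(log_text, window=timedelta(minutes=5), max_identities=3):
    """Return {ip: peak distinct identities seen in any `window`} for IPs over the limit.

    Counting distinct identities rather than raw requests is what separates an
    enumeration bot from a legitimate user who retries their own lookup.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        peak = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["tid"] for e in evs[start : end + 1]})
            peak = max(peak, distinct)
        if peak > max_identities:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_enumerating_ips(SAMPLE_LOG).items():
        print(f"{ip}: {peak} distinct identities within one window")
```

In the constructed sample, 203.0.113.7 touches six identities in four seconds and is flagged; 198.51.100.4 hits the same identity three times in six minutes, which is what a confused taxpayer looks like, and is not. Both successful and failed lookups count, since the bot in the story was harvesting successes, not just probing.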
The IRS said that it had already been working with the industry as it mulled pulling the plug on the e-File PIN system later this year.
Scratch that “maybe later this year” timetable. Batten the hatches and arm the torpedoes: it’s happening now.
From the announcement:
The IRS decided to remove the e-File PIN program as a safety measure.
Amy Gurley
Maybe a good idea with the Q&As we’re given is to purposely give the wrong answer and remember that. Sometimes I have to do that anyway when I can’t choose a question that corresponds with anything in my life
Bryan
That’s a great idea Amy, since it’s not public knowledge that I attended high school at “Welch’s Pineapple Juice.” Since many answers are searchable anyway I do the same with all security questions.
However, it’s tough to keep track of which lie you’ve told where…
Favorite band: Mario Kart 64
Favorite sports team: New Belgium Trippel
Mother’s maiden name: The Princess Bride
Lisa, Duck, anyone else? Who has a strategy for this aside from merely a scratch pad under the doberman’s bed?
Paul Ducklin
The simple answer is, “Use your password manager to generate and remember one.” The trickier answer is, “It depends what sort of passphrase they allow for recovery questions.” A lot of sites seem to convert your answers by dropping (amongst other things) spaces, and converting to all-upper (or all-lower) case, expecting longer and more complex phrases where there might be characters you didn’t even realise you’d typed. But you can still use your password manager to keep track of all the fake answers you choose. Because, yes, you do need fake answers if the questions are pre-selected, or else you end up with the same answer every time :-(
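The canonicalisation Paul describes has a concrete consequence: two answers that differ only in case, spaces or punctuation are the same answer to the site, so a generated “fake answer” should be drawn from characters that survive the normalisation. This Python is an added example, not code from the article or from any site’s implementation; the `normalize` function is an assumed model of the behaviour (real rules vary per site), and the answer generator uses only lower-case letters and digits so that nothing it produces is thrown away server-side.

```python
"""Model recovery-answer normalisation and generate answers that survive it.

Added example; normalize() is an assumed model of the server-side rules Paul
mentions (drop spaces and punctuation, fold case), not any real site's code.
"""
import math
import re
import secrets
import string


def normalize(answer):
    """Assumed canonicalisation: keep only ASCII letters and digits, upper-case them."""
    return re.sub(r"[^A-Za-z0-9]", "", answer).upper()


# Every symbol here survives normalize() unchanged (apart from case folding),
# so a generated answer keeps its full entropy after the site mangles it.
SAFE_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def generate_fake_answer(length=20):
    """Random answer for a password manager to store; 20 symbols ~= 103 bits."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def answers_collide(a, b):
    """True if the site would treat the two answers as identical."""
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    # Constructed samples: a 'creative' answer and two variants a user might type.
    print(normalize("The Princess Bride!!"))                      # THEPRINCESSBRIDE
    print(answers_collide("Mario Kart 64", "mariokart64"))       # True
    fake = generate_fake_answer()
    print(fake, normalize(fake) == fake.upper())                  # <random> True
    print(round(entropy_bits(len(SAFE_ALPHABET), len(fake)), 1)) # 103.4
```

The point of `answers_collide` is the trap in Bryan’s scheme above: a memorable fake answer with spaces and capitals is no harder to guess than its squashed form, whereas a manager-generated string over a normalisation-safe alphabet loses nothing when the site strips it.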
Anon
Paul, you guys usually do great work, but this article was poorly researched. The e-File PIN and the IP PIN are not the same thing. IP PIN was yanked a while back. Also, the Get Transcript tool provides access to a tax transcript, not to a PIN.
Anonymous
Unfortunately, the system used by the IRS (presumably) is the same system used by AnnualCreditReport.com that pulls the information from your credit report to populate the questions – which makes it completely impossible to use fake answers.
Combine that with the fact that the people targeted by that program have already had their identity stolen – and therefore the crooks can be assumed to have access to 100% of the person’s credit report data – and you find that it’s a very, very, VERY bad idea that does. not. work.
Anonymous
Another complication with knowledge-based authentication is that databases contain incorrect information. What happens when it asks where you lived in one year that you lived in three states and two of them are on the list of responses? I saw that.
Hardened Cynic
Welcome to Web 2.0, where nothing can be trusted and all your data is available for theft and sale.
Seriously, has NO ONE thought through the design ramifications? How about a one-time physical-presence enrollment which feeds Q&A NOT available when the rest of your data has already been stolen?
Richard
What do you mean with PIN? We have PIN in NL and it works fine (no explanation either). In general every solution fails if used in the wrong way.
Michelle
If the crooks already have the SSNs, why do they want the PINs? What is their objective? I assume they want to steal money, but how?
Adam
They use that info to file fraudulent tax info for those people, and have the resulting tax returns sent to some other address that the criminals control, instead of sending it to the proper person’s address.