Skip to content
Naked Security Naked Security

IRS announces 2016 anti-fraud arrangements – but do they go far enough? [POLL]

As a result of the IRS breach announced in May 2015, changes are afoot in how US tax returns will be authenticated in 2016. Are they enough? Have your say in our poll...

– IRS seal photo thanks to Geraldshields11 via Wikipedia (cc by-sa 3.0) –

At the end of May 2015, we wrote about a data breach at the Internal Revenue Service (IRS), the USA’s federal tax office.

Crooks were able to login to the IRS’s Get Transcript application, a feature designed to allow taxpayers to review details of their income and tax-related information from previous tax years.

Admittedly, the attackers needed a fair bit of personally identifiable information (PII) up front about their victims in order to login illegally.

But once the crooks were in, they were able to learn more about each victim, and even about other members of some victims’ families, given that many Americans file one tax return to cover their whole family, typically including their spouses and dependent children.

Many unhappy returns

If crooks know enough about your tax affairs, they may very well be able to pull off a crime that’s become a real problem in the US.

They may be able to login in as you and to submit a bogus tax return while you’re still diligently preparing the paperwork to file legitimately.

The crooks will deliberately understate your final income, change your bank account details, request an electronic refund, and run off with the money.

When you get your documents together to file your own proper tax return, you’ll be unpleasantly surprised to find that you can’t, because the IRS system will consider your tax affairs to be finalised for the year.

So you’re stuck with what amounts to undeclared income, and the IRS is stuck with having paid out money from the public purse to a bunch of thieving rotters.

Identity Protection

Interestingly, even before the Get Transcript breach, the IRS already had a handy anti-fraud measure known as the Identity Protection PIN (IP PIN).

That’s a six-digit number sent out by snail-mail that you need to provide in order to finalise your return: a form of two-factor authentication (2FA).

Simply put, a crook would need to steal your physical mail as well as know enough of your PII before he could stitch you up with a fraudulent return.

Unfortunately, the IP PIN system isn’t a standard part of the US tax filing season – it seems to be somewhere between an experimental and an emergency feature.

You can request an IP PIN if you live in Florida, Georgia or the District of Columbia; if you’re anywhere else in the US, you’re only eligible if you have already been a victim of identity fraud.

It’s something of an irony that 2FA codes for fraud prevention are routinely issued only to those people against whom fraud has already been detected.

Changes afoot

As a result of the Get Transcript problem, changes are afoot in how US tax returns will be authenticated in 2016.

The IRS has announced a number of automated measures that will be applied to electronically submitted tax returns in the hope of preventing fraud in the future.

These include:

• Reviewing the transmission of the tax return, including the improper and/or repetitive use of [IP numbers...].
• Reviewing computer device identification data tied to the return's origin.
• Reviewing the time it takes to complete a tax return, so computer mechanized fraud can be detected.
• Capturing metadata in the computer transaction that will allow review for identity theft related fraud.

We approve.

But we still think that the IRS should roll out the IP PIN system to everybody as a useful additional step.

Even if it remained opt-in, so you’d explicitly have to ask, we’d like to see IP PIN’s availability extended to to the entire USA.

Yes, that would cost money, but it would also be a positive way of engaging with the very Americans who are making an effort to live a more secure digital life.

And it would help to keep public money out of the hands of undeserving crooks.

What do you think?

Do you agree? Have your say in our poll…


Hopefully you will pass this poll onto those in charge over at the US IRS agency. This should have been done in the first place, and been mandatory, not optional as soon as they started electronic filing directly through the IRS website.


Of course they don’t far enough and never will as those committing fraud are the corporate entities who run this corrupt government and it was our foreign president who appointed the heads of almost every federal agency that has committed treason against our rule of law.


I would say the whole tax situation is FUBAR.
I have prepared and e-filed my taxes using TaxAct for years, including this year (tax year 2014). I e-filed in February and the same day received confirmation that my tax return had been received and accepted by the IRS and was ‘advised’ that refunds ordinarily were paid within 21 days. More than 21 days passed with no refund, and then along came a snail-mail letter from a Texas IRS office saying they had my return but needed more info before it could be processed. I was instructed to either call a number or go to an IRS website to verify my identity. I did so and was told it might take up to 60 days to process the return from the identity verification date. More than 60 days passed and still no refund. I called IRS, explained the above and was told that an electronic notice had been sent to the proper persons (while I waited on the phone) and that my refund would be dispatched in two to three weeks. More than three weeks have passed, and still no refund.
In the past I have claimed only a part of my refund and left some amount on deposit with the IRS in case I needed a cushion the next tax year. Never again will I do that – – if anything, I will underpay my taxes and let them try to collect from me instead of me trying to collect a refund of overpayment from them.


Clearly I responded in the affirmative to your recent poll, whether …

… the IRS [should] make “IP PIN” available on request throughout the USA.

But I have this nagging worry: what if a miscreant or malefactor requests such an IP PIN for *my* identity before I myself do?

Will there be mechanisms in place to weed out such malicious requests from authentic ones? Or will whoever gets a foot in the door earliest be the winner of the spoils, as seems to be the case now with filing for refunds?


My husband was a victim of identity theft. We live in California, and someone was using his info in Virginia, Kentucky, Arizona and Nebraska . All while he has been at his job for over 5 years. The irs didn’t catch it until 2012 when they asked for the rest of his w2’s. I’m not a genius, but how can you be working in 5 states at once?? Needless to say it took bout six months, and it was somewhat fixed. Still having a bit of issues with cellular one (or what ever they are now)saying we owe,even tho we sent a police report and everything. Anyways we have been using the IP Pin since,only had a delay once with are taxes,but no more identity theft.


So far no one has said why they don’t want an IP Pin opt-in process. Curious.

The IRS has effectively opted all of us into their unsecured e-filing system. Presumably, this was done to save money – obviously at the expense of the tax payer’s personal data which they apparently under-value.

We all need to ask our government reps to amend the laws of our land to reflect the digital age we live in and protect our privacy. No more opt-out policies. No more PII scraping without our permission. Mandatory encryption (strong and migrated to update to the best possible) if data storage is authorized.


I’m guessing – and it is just a guess – that they don’t yet have the infrastructure to handle the PIN mailing if everyone were to sign up. And once you do sign up, you have to have the PIN, so any failure to get it to you just makes everything worse. So they are taking a “softly softly” approach, testing how many people are interested, whether it works well enough to use country-wide, what difference it makes to fraud. A sort of “closed beta,” if you like. For example, residents of Florida, Georgia and DC can opt in if they want. Whether that’s because they are worse for fraud, were chosen randomly, or had populations that just happened to add up to the desired test sample size, I have no idea.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!