
PIN-stealing IRS attack affects 100,000 taxpayers

Crooks have used a list of close to 500,000 social security numbers to milk an IRS portal of more than 100,000 taxpayers' e-filing PINs.

It’s tax filing season in the United States.

That means that you are now able to go online and submit your tax returns for 2015.

Of course, with the final tax filing deadline far away in April, many of us are still twiddling our thumbs, or waiting for paperwork, or simply putting off until tomorrow what we’d rather not do today.

What that means is that this is an ideal time for tax refund fraudsters to get busy, filing a fraudulent return in your name, understating your income in order to claim a refund, and then scooping up the refund by having the funds diverted out of your account and into theirs.

The IRS has had plenty of trouble in recent years with refund fraud, including automated attacks from crooks who have gone out of their way to get access to innocent users’ online tax submission accounts.

In May 2015, for example, crooks used an online IRS system called Get Transcript to probe for taxpayers’ personal information that they could use in refund fraud.

Get Transcript wasn’t actually anything to do with the tax filing or refund system – it was a reference portal by which you could retrieve returns from previous years – but it turned out to be exactly the sort of information a crook could use to file this year’s return.

Granted, the crooks needed an existing database of personal information to initiate their attack, such as names and Social Security Numbers (SSNs), but it seems as though they had acquired a handy list from an earlier data breach somewhere else.

Even if they didn’t pull off the breach of the existing database themselves, the crooks could simply have bought that data on some underground forum.

Unfortunately, this sort of round-the-houses attack has happened again.

This time, the crooks used a list of known SSNs to make repeated attempts to access the IRS’s Get My Electronic Filing PIN portal.

Ironically, an E-Filing PIN is a sort of second authentication factor (2FA) that you need, along with other personal data, when submitting online tax returns.

In other words, it seems that you can request your second factor of authentication by using your first factor, which isn’t quite the idea of 2FA.

According to the IRS:

Based on our review, we identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. The incident, involving an automated bot, occurred last month, and the IRS continues to closely monitor the web application.
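The signal in the attack described above is not any single failed lookup but one automated client walking through a long list of different SSNs, whereas a real taxpayer only ever asks for their own PIN. The following is an added detection example, not code from the article or from the IRS: it runs over a few constructed log lines for a hypothetical PIN-retrieval endpoint and flags clients that touch more distinct SSNs in a sliding window than any legitimate user would; the log format, window and threshold are assumptions.

```python
"""Flag PIN-retrieval enumeration: one client looking up many distinct SSNs."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for a hypothetical PIN-retrieval endpoint
# (not real IRS logs). Fields: timestamp, client, anonymised SSN key, result.
SAMPLE_LOG = """\
2016-01-20T10:00:01Z client=198.51.100.9 ssn=k1 result=ok
2016-01-20T10:00:02Z client=198.51.100.9 ssn=k2 result=fail
2016-01-20T10:00:02Z client=198.51.100.9 ssn=k3 result=fail
2016-01-20T10:00:03Z client=198.51.100.9 ssn=k4 result=ok
2016-01-20T10:00:03Z client=198.51.100.9 ssn=k5 result=fail
2016-01-20T10:00:04Z client=198.51.100.9 ssn=k6 result=fail
2016-01-20T10:05:00Z client=203.0.113.4 ssn=k7 result=ok
2016-01-20T10:05:30Z client=203.0.113.4 ssn=k7 result=ok
"""


def parse(line):
    """Split one log line into (timestamp, client, ssn_key, result)."""
    ts, client, ssn, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client.split("=", 1)[1], ssn.split("=", 1)[1],
            result.split("=", 1)[1])


def flag_enumeration(log_text, window_s=600, max_distinct=3):
    """Return {client: (distinct_ssns_total, successful_lookups)} for every
    client that queried more than max_distinct different SSNs within any
    window_s-second span. Failures count too: the bot is visible in the
    spread of SSNs it tries, not only in the PINs it manages to retrieve."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev[1]].append(ev)
    flagged = {}
    for client, evs in per_client.items():
        window = deque()  # (timestamp, ssn_key) pairs inside the sliding window
        for ts, _, ssn, _ in evs:
            window.append((ts, ssn))
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()
            if len({s for _, s in window}) > max_distinct:
                distinct = len({e[2] for e in evs})
                successes = sum(1 for e in evs if e[3] == "ok")
                flagged[client] = (distinct, successes)
                break
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'198.51.100.9': (6, 2)}
```

Per-SSN lockouts alone would not catch this pattern, because each SSN is tried only once; the per-client spread is what has to be counted.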

The IRS says it will contact everyone whose account was affected.

Presumably, if you’re on that list you will be allowed to request a special, stronger form of 2FA from the IRS known as the Identity Protection PIN (IP PIN).

This is a six-digit number that is sent to you by snail-mail, and without which you can’t finalise your tax return.

Annoyingly, the IP PIN isn’t available to everyone on demand – only to taxpayers who have already suffered some kind of identity breach.

We think that the IRS ought to let anyone who wants one sign up for an IP PIN; if we got the chance, we’d do it.


11 Comments

The IRS ought to just assign everyone a PIN, where the rule would be, you can file OK without a PIN (such as if you’ve lost it), but you won’t get any refund back until the IRS can independently verify all of the important amounts you’ve reported. If you want your refund faster, you have to supply the PIN.

The problem, though, is *how* you assign and communicate the PIN. After all, the IRS *has* assigned everyone an e-filing PIN…the problem is that the crooks can figure it out.

Yeah, I was a victim last year and got an IP PIN. This week, I found out that I’m a victim again. They mail you the PIN but the crooks can go to the IRS website and get the PIN using the information they got originally from the IRS.

Sorry all – I learned today that the crooks have stolen our IP PIN! We were victims for the first time last year, didn’t receive our return until 12/31/2015, and today received a Green Dot debit card in the mail which was fraudulently opened in our name (same MO as last year). When we called the IRS, they said the crooks were able to obtain the IP PIN they sent us in January and file again. No one is safe!

I have a friend who worked for the IRS, he has since resigned, but he mentioned once that 20% of US individual tax returns were fraudulent, and worse, the money paid for the claimed refunds on those returns is mostly unrecoverable. I’m beginning to think that the US government suffers from an intelligence deficit (maybe it’s the lead in the water). I think the reason the US has not adopted a VAT is that there is a lobby that wants the present system.

That sounds unlikely. Perhaps he was implying that 1 in 5 people don’t tell the truth on their tax returns, which is fraudulent behaviour, but not the sort of tax refund fraud we are talking about here. Also, VAT is an alternative to sales tax, not income tax. Countries with VAT still have income tax. Well, the ones where I’ve lived, anyway :-)

I know it sounds like a very high number. My source was an upper grade employee who handled problem cases and was not directly involved with enforcement and fraudulent returns. It would not surprise me if the number were 10%; however, a lot of people in the US have had fraudulent returns filed using their Social Security numbers. Not all the fraudulent returns may have been filed for refunds. Many fraudulent returns are filed to avoid detection of illegal residency; it is not uncommon to file a return and be told that a return with that SS# has already been filed, usually in another state. I think the important fact is that the system does not work very well.

Paul, in the fourth paragraph, in the sentence “tax refund fraudsters to get stuck in”, did you mean snuck instead of stuck? BTW here’s a funny “Snuck vs Sneaked” article. (http://www.writersdigest.com/online-editor/snuck-vs-sneaked)

I meant “to get stuck into”, as in “to get keenly busy with.” It’s commonly used to describe a contest (a cricket match, for example, or a pub fight) where one side really starts hammering the other lot. That’s “getting stuck in.”

I’ll change it in the interests of global comprehension :-)
