March 1, 2016

Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections.

irsbldgTax refund fraud affects hundreds of thousands — if not millions — of U.S. citizens annually. It starts when crooks submit your personal data to the IRS and claim a refund in your name, but have the money sent to an account or address you don’t control.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The IRS’s preferred method of protecting tax refund victims from getting hit two years in a row — the Identity Protection (IP) PIN — has already been mailed to some 2.7 million tax ID theft victims. The six-digit PIN must be supplied on the following year’s tax application before the IRS will accept the return as valid.

As I’ve noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax.  These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS.

Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. 

“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”

Wittrock said she called the toll-free number for the IRS that was printed on the identity theft literature she received from the year before.

“I tried to e-file this weekend and the return was rejected,” Wittrock said. “I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”

Wittrock said that to verify herself to the IRS representative, she had to regurgitate a litany of static data points about herself, such as her name, address, Social Security number, birthday, how she filed the previous year (married/single/etc), whether she claimed any dependents and if so how many. 

“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.'”

According to Wittrock, the IRS representative shared that the agency wouldn’t be relying on IP PINs for long.

“He said, ‘We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification’,” she recalled. “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.”

Interestingly, the IRS’s own failure to use anything close to modern authentication methods may have contributed to Wittrock’s original victimization. From January 2014 to May 2015, the IRS allowed anyone to access someone else’s previous year’s W-2 forms, just by supplying the taxpayer’s name, date of birth, Social Security number, address, and the answers to easy-to-guess-or-Google KBA questions.

The IRS killed the Get Transcript function in May 2015 after it was revealed (first on this blog) that crooks were abusing it to hijack consumer identities and refunds. But here’s the problem: the agency requires IP PIN holders seeking a copy of their PIN to jump through the exact same flawed authentication process that afflicted its now-defunct Get Transcript service.

According to the IRS, at least 724,000 citizens had their tax data stolen through the IRS’s Get Transcript feature between January 2014 and May 2015. This may in fact be a lowball number: The IRS previously said the number of those affected was 334,000, figures that were sharply revised from an initial estimate of 110,000 taxpayers.

The IRS did not respond to requests for comment for this story. But in a related story by Quartz last year, the IRS said access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” However, this may be of small solace to taxpayers who had their tax and income data stolen directly from the IRS in the first place.

The IRS told Quartz that taxpayers who use IP PINs will be sent a new one in the mail each year, prior to each tax season—making it much harder for an identity thief to access this information.

“That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN,” Keith Collins wrote. “The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”

I suppose time will tell how swiftly the IRS is moving to respond to suspicious IP PIN activity. In the meantime, if you’d like to know more about tax ID theft and what you can do to minimize your chances of becoming the next victim, check out Don’t Be a Victim of Tax Fraud in ’16.


93 thoughts on “Thieves Nab IRS PINs to Hijack Tax Refunds

  1. Tiffany

    Yes the IRS is really messing up this year I filled on jan 21 my return said approved that day 2 weeks sent by nothing so something told me to call I called they had me verify myself on Feb 4 then told me I should get my return by Feb 19 I called a very unprofessional man answered acting very rude told me not to call back just wait checked where my refund still nothing to this day I’m not understanding how people who are doing taxes under the table getting or got they return back already we worked hard for our money but we have to wait 9 weeks for our own money I’m upset about it I can’t call the gas light people in tell them wait for a payment they really need to do better with this wait time after verifying yourself

  2. a

    im not from the US, but it seems that the problem is that they want to have a solution easy enough for everybody, which is bad, because “everybody” includes people who are dumb or just don’t care.

    there should be a solution for the people who really want to protect their identity, and let the ones that don’t care take the risks. with this assumption you can do 2fa, proper cryptography (with signatures etc), use tokens etc.

    1. Peter

      It cost the taxpaper billions (10^9 for those using the metric system 🙂 ) in dollars a year, so it should not be opt-in for the ones who want to protect their identity. Even the ones “who don’t care should be forced to participate.

      The real ‘problem’, which isn’t so much a problem, is that the US has no central government database. So the IRS cannot identify you even if they wanted to. If you move, or a crook tells them they moved, they cannot possibly verify as there is no central data base that lists these changes. Most European countries have such a government database, which makes identity theft much, really much, harder.

      In many countries cannot file a return or request a credit card on an address that is not in the central database. And changing the central database address requires often things like registration with ID in person, or similar.

      Of course having a central government database is a privacy issue, hence why I stated this is a ‘problem’ and not problem. It is a choice. The IRS really has no choice other than relying on easy to guess questions, or indeed asking for ID’s. The latter which – as expressed in the article – will lead to complaints. (And even asking for ID’s will only make the bar higher, as ID’s can be faked. But it will lift the bar up significantly compared to now.)

  3. Michael

    Team Krebs: I recognize refunds differ from tax fraud. Even if you owe money to the IRS, a con artist can still file and request a refund.

    But…why on earth are there so many people here posting about waiting for refunds from the IRS!!!? Look at your W-4s and calculate your needed withdrawals so that you owe the IRS $100 or so at years end.

    1. timeless

      I can’t speak for everyone, but I’m going to receive a refund from the CRA [1]. And I had a similar experience with Vero [2]. The easiest way is to change employers (e.g. leaving a country [the US is special since you’re taxes as a citizen regardless of residence, but it’s really an exception] or becoming unemployed).

      Withholding is generally established at the beginning of the year and is designed to be smooth over the course of the year. But your taxes aren’t technically smooth (this would change if someone instituted a “flat tax”. which is probably a horrible idea).

      Here’s a short summary of taxes from Wikipedia [3]:

      The standard deduction is $6,300
      A. 10% $0 – $9,275
      B. 15% $9,276 – $37,650
      C. 25% $37,651 – $91,150
      D. 28% $91,151 – $190,150
      E. 33% $190,151 – $413,350
      F. 35% $413,351 – $415,050
      G. 39.6% $415,051+

      Hypothetically, say you expected to be in the D bracket (earning $186,000).
      You set withholding for that: A(10%) * ~10k + B(15%) * ~30k + C(25%) * ~55k + D(28%) * ~90k = 44k
      ~$3,704/month.

      Say after 2 months ($30,000), your employment ends (and for whatever reason you don’t pick up a new one – perhaps you got disability or unemployment for the rest of the year — I’m not going to try to calculate it, but to make my numbers nice, let’s pretend that’s $6k). You end up being in the B bracket because you earned $36,000.
      Less the ~$6000 standard deduction, your actual taxes should be A(10%) * ~10k = $100 + B(15%) * ~20K = $1500 = $1600.
      Had you set that as your annual expectation, would have been withholding of ~$134/month. But you didn’t do that. You withheld 2months @ $3704. You don’t have any withholding to adjust (well, you set withholding to $0 for unemployment/disability, but ….). You’ve overpaid by $2104 (these numbers are all very very very fuzzy, but …).

      Anyway, in this case, you’re due a refund, and there’s nothing you can do to fuss with it.

      You /could/ choose to not have withholding be flat across the year, but that means that the amount of money you earn monthly would decline with time, and that’s much harder to budget for than having a steady income (trust me, the drop from your income @D to the ~0 income later is really hard to budget for).

      Note: this isn’t my actual story, but it’s a pretty easy one to describe and hopefully understand. (I picked the numbers to make them work moderately well, not because they are real.)

      [1] http://www.cra-arc.gc.ca/
      [2] https://www.vero.fi/en-US
      [3] https://en.wikipedia.org/wiki/Income_tax_in_the_United_States

    2. Bob

      Michael,

      Not everyone has a situation where they can count on a steady income, deductions, and tax payments every year.

      I once had a non-sales job where I had a bonus plan where part of the bonus was based upon my performance and part of it was based upon the company’s performance. The exact amount of my bonus was not determined until some point in November. The company did withhold some of that for taxes, but it didn’t always exactly cover the additional tax due.

      For the past two years, my family has had unforeseen life events that have caused us to get unexpected refunds. I’d gladly trade those refunds for not having those life events, but that’s not how life works.

    3. Stephen

      I understand what you mean; however it’s not always that simple. I submit my W-4 with an allowance two more than what the worksheet calculates. The problem is that at bonus time, my company withholds too much. They withhold 50% of my bonus. That bonus withholding is 80-90 percent of my annual refund. They can’t lower the bonus withholding, something about IRS rules.

  4. Stephen

    Tax refund fraudsters got me a second year in a row, hopefully I won’t have to wait till October to get my refund this year.
    Two things irk me about this fraud.
    First, that the IRS “protected” my wife and I from fraud using the IRS ID PIN, but TurboTax did not ask for these PINs when submitting our tax return. TurboTax did ask for both of our driver license numbers, supposedly for our protection, but the IRS did not receive this information with our return. (Yes I spoke to them).
    Second, the long delay in getting annual tax documents. The fraudsters start filing early in the tax cycle. However, I don’t even get all my forms until February 26th. They’ve had plenty of time to file in my name or even get the refund prior to me even having all the information to file.

  5. Michael Iger

    Why isn’t the IRS communicating with taxpayers confirming all requests and changes? When I do something with my bank I immediately get an email telling me the nature of any request I made and a number if it isn’t me. This simple procedure will head-off many frauds before a check is sent out. Its not fool proof, but nothing seems to be from what you are writing. The IRS isn’t doing enough to protect information and taxpayer’s money.

    1. JimPas

      And each year a certain side of Congress wants to take more and more manpower away from the IRS, even when they (IRS) have said they need more bodies in this or that office. The population isn’t shrinking and the problems are not getting smaller. So why should the staffing? I’m afraid the security problem is only going to get worse in the foreseeable future.

  6. Fred SokolowskiEA

    Lots of blame to go around. Any bank that cashes a check without proper ID should be responsible.. If someone does not have an account time to get one. If you are entitled to that money you should be mature enough to get a bank account. NO DEBIT CARDS.. and any direct deposit that does not match SSN records and Name should no be funded… Perhaps large refunds should be made in installements..

  7. jason popp

    Speaking from experience, the major callout here is the security control breakdown that allowed W2’s with Social Security Numbers to be distributed to an external address via Corporate email. Company security policy should dictate that internal employee PII should be encrypted with additional policies for use and distribution (never via email, never full #’s, always encrypted etc.) and technical controls should be in place to stop accidental or intentional distribution. That said, it is easier said than done with false positives in DLP, scenarios that impact business transactions where clear text data may still be used, but these attacks are proof that it is critical to continue to push for solid policy and technical controls that can mitigate the risks. We can educate employees on policy, security practices, phishing attacks etc. but until we are also implementing available technical controls to protect the critical data, these kinds of attacks will continue to be successful more than they should.

  8. George

    https://www.irs.gov/uac/Newsroom/IRS-Statement-on-IP-PIN
    IRS Statement on IP PIN
    March 7, 2016
    As part of its ongoing security review, the Internal Revenue Service temporarily suspended the Identity Protection PIN tool on IRS.gov. The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool.

    Taxpayers received 2.7 million IP PINs by mail for the current filing season. About 5 percent of those — approximately 130,000 — used the online tool to try retrieving a lost or forgotten IP PIN. For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns. These strengthened review procedures — which are invisible to taxpayers — have helped detect potential identity theft and stopped refund fraud. Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.

    Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.

  9. Bracket Creep

    A consumption tax would eliminate identity theft related refund fraud. As long as we continue to tax income instead of consumption, we will require the IRS to dedicate customer service and enforcement resources to refund fraud.

  10. Beeker

    I filed my return online and so far nothing have happened yet. However, I found something new in the verification of ID this year: they ask for your DL # and name associated with it before proceeding with the filing.

  11. Mark Pugner

    Abolish the IRS and, voila!, problem solved. After all, taxation is theft.

    That aside, article says this: “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.”

    FEDGOV is trying to implement a national identification card (REAL ID they call it). Many U.S. states put on their driver’s licenses “not for federal purposes.” Good luck claiming a refund from a federal agency using a state-issued card that is not good for federal identification purposes.

    What’s that? REAL ID can solve the problem? That’s what they say.

Comments are closed.