June 10, 2016

The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at irs.gov comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.

irsbldgDuring the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.

So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:

  • immediate access to your email account to receive a confirmation code;
  • name, birthdate, mailing address, and filing status from your most recent tax return;
  • an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
  • a mobile phone number with your name on the account.

“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”

The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS.

According to Federal Computer Week, central to the new setup will be knowledge-based authentication that uses supposedly harder-to-answer questions than the tests that led to the compromise of Get Transcript.

Mike Kasper, the tax fraud victim whose story ultimately earned him a chance to testify about the experience before the U.S. Senate Committee on Homeland Security & Governmental Affairs, called the new authentication methods a good step forward. But he worries that they will simply encourage tax refund thieves to commit more acts of identity theft in victim’s name.

“Looks like the investment for a $6,000 refund went from $10 to purchase credit data or now a card number for the victim, up to about $30 to buy a prepaid number although it’s probably even cheaper now,” Kasper said. “I think the ID thieves might simply open new cell phone or credit card accounts in the name of the victim or even keep changing the name on prepaid cell phone accounts acquired just for this purpose.”

Kasper notes that the same lame authentication methods that led to the Get Transcript debacle are still used by annualcreditreport.com, a site mandated by Congress as the only site where consumers can get their by-rights guaranteed free copy of their credit report from each of the major bureaus. Credit reports contain quite a bit of information that may allow thieves to glean the mobile and credit card account numbers for the taxpayers they’re targeting.

Annualcreditreport.com asks consumers to provide a bunch of personal data that can be bought for about $3-$4 from cybercrime shops online — such as date of birth, Social Security number, address and previous addresses. The site also asks the visitor to answer a series of so-called knowledge-based authentication (KBA) questions supplied by the credit bureaus.

These KBA questions — which involve four multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

Fraudsters also may opt to simply phish the phone and credit card information from victims, or turn to criminal data brokers in the underground that specialize in selling these dossiers on consumers, Kasper said.

“The real question is, when will more banks start to check that the incoming transfer from the IRS is for an account under the name of an actual customer,” Kasper said. “Most banks do not do this, but even if they did that is not a complete solution unless they also know their customer. There were probably thousands of fraudulent tax refunds last year where the [perpetrators] just opened up bank accounts in other peoples’ names to receive a refund from the IRS. Because if you’re a thieve and you open an account in the victim’s name, it’s a little harder to trace.”


35 thoughts on “IRS Re-Enables ‘Get Transcript’ Feature

  1. Ryan

    Would you recommend, to those readers who signed up for the IRS site before and additionally put a credit freeze on their accounts through the three (four?) bureaus, to lift that freeze temporarily to do this or just leave it be?

    1. Mike

      If it was me, I would leave my credit reports frozen and just request a tax transcript sent by mail if I needed one.

  2. sarah

    I’m wondering, if I leave my Equifax account frozen, my IRS account should be relatively safe? (After all, I do retain my was tax copies for several years.) If they can’t verify any data supplied by the perp, no bogus account created…..?

    1. BrianKrebs Post author

      Yes, Sarah. I should have made that more explicit in the article. No one can access your transcript from the IRS (including you) if there is a freeze on your file. So that is the best approach, and it’s consistently been the one I’ve recommended to readers.

      1. Blanche Dubois

        Brian,
        First, I am a strong supporter of the Security Freeze, and have had one in effect for 11 years.

        Your news that it now ALSO blocks a release of an IRS transcript, is a significant added reason to have a Security Freeze in effect at all three CRAs in this deepening Era of Massive Data Breaches.

        Next, further to your Sarah response “No one can access your transcript from the IRS (including you) if there is a freeze on your file.”
        That would seem to apply only if a transcript is requested by mail or online.

        Query:
        Is the following true?
        If I walk into an IRS office, provide their required photo-ID and other vetting queries, for the purpose of asking for and getting my transcript there, that day, do I still have to have suspended my Equifax Security Freeze BEFORE I visited the IRS office?

        In some states, the CRAs charge $10 for a Freeze suspension/person, and since most of us file jointly, the spouse’s Freeze suspension would seem to be needed as well to get a transcript.
        It’s not the Thaw expense, it’s the advance planning needed before I visit the IRS. Security and peace of mind in spite of the latest data breach is well worth it.

        Thanks again for the work you do for all of us.

  3. DennyBoBenny

    Everyone’s credit should be frozen by default, and then unfrozen temporarily when needed. Imagine how much fraud would be eliminated.

    1. yyzguy

      And how many people wouldn’t be able to buy stuff they can’t afford because they don’t know how to unfreeze their credit.

      The lenders would go broke too!

      People would have to start living within their means.

      A truly transformative idea….I vote yes!

      1. Stephen Twiss

        Bingo! Have an Up-vote on me…..along with a much deserved Friday beer.

      2. trefunny

        “People would have to start living within their means.”

        But i was approved for 600,000 on my mortgage app, doesn’t that mean I am supposed to use very last penny they approve me for???? I also took out 200,000 for college, they approved me so why not!? I also bought a brand new mustang, cus Ford approved me. Life is so great xxx,xxx amount in debt. Hope I never get laid off.

  4. David Smith

    IRS seems to be unable/unwilling to verify GoogleFi (T-Mobile) mobile accounts.

    Requesting a transcript by mail is phenomenally quicker and still more secure (and doesn’t require unlocking your credit records). Unless you need it today just go that route. If you want a pdf to save, just have one mailed to your home and scan it.

    But nobody listens to me, why should you?

    1. EricksonT

      I would agree that by mail can be more secure, but the bigger concern for me is someone creating an account for me and accessing all of my tax information w/o me knowing it.

      Followed Brian’s advise long ago and created my account before they took it offline and also have a freeze in place, so feel relatively safe. But for folks that have never created an account the question is, how long before the fraudsters figure a way to do it for them?

  5. David Longenecker

    “If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before”

    If only it were that easy. I was one that had previously registered, but the username I used before was not recognized by the new system. The “Forgot username” function appeared to accept my email address and SSN – but an email containing my username never arrived (yes, I checked my spam folder). I tried registering as a new user – at which point the site said my email address already existed in the system.

    So… I could not recover my existing account, nor could I register a new account with my existing address. Insert joke about so secure, even the rightful owner cannot gain access…

    I had to create a new email alias to register as a new user. That at least was successful.

    If you’ve followed Brian’s standard advice and frozen your credit reports, your IRS account cannot be accessed by you nor by a crook. If you’ve taken other approaches (such as a fraud alert, or worse, nothing), be sure to update your IRS online account before a crook does it for you. And be aware that it might be a painful process.

    1. Jerry

      Darn! So someone can create a new account with new email to access your records regardless of what was set up in the past. Just what I was afraid of. One would hope that once some pertinent info like your email and/or phone was associated with your SS#, it would block someone else trying to create another login to access the same SS# with different email.

      Maybe the new system does this since it now has your cellphone. Can’t know without trying.

  6. Stuart Miller

    Our new state-of -the-art authentication technology can solve the IRS problems once and for all. All information and communication with the service can be totally and securely encrypted. No keylogging, no phishing, no replay, no network breaches, and no mobile hacks, and no FRAUD. Total 2FA.

    1. Jim

      Fantastic–I love snake oil! BTW, I hear it also turns ponies into unicorns, solves world hunger and acts as a real-world working prototype of Harry Potter’s invisibility cape. Is that true too?

      1. Stuart

        Proceeding with a FIPS 140-2, LEVEL 3 cert. Educate yourself and check out what that means. FYI- in the discussion huddle with NASA, DHS, DOE, IRS, IBM, Mantech, and GD. Let me know when you return to the planet.

        1. Rich

          From what I’ve seen, the identity security problem has been technically “solved” for a long time. A major problem that remains is usability of the most secure systems. In short, it’s not an encryption problem so much as “simple-enough” identity and key management. Good luck.

  7. John B

    I keep my own paper tax records and have no need for a home loan or otherwise so no need to order a transcript. Sounds like since i don’t own a cellphone that the IRS would prevent me from requesting one online but then again, i don’t think i’d want to.

    I still just have my old landline and it feels much safer

    1. Old Fogy

      old luddite no-tech stay-offline solutions are always best.

  8. May

    Seems to me most of the the “improved” data points are just additional data points for criminals to mine for:

    name, birthdate, mailing address, and filing status from your most recent tax return (all but the last are already data-mined. Filing status seems like one of five easy-enough guesses);
    an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit (the credit card number is already data-mined);
    a mobile phone number with your name on the account (probably another data-mined item or easily enough)

    This new-improved isn’t good enough–awaiting the next mass IRS transcript breach.

    1. Kerry

      They send a text message verification code to that phone that you then enter to access your records. No verification code, no account setup. That’s the most secure part.

      1. Kerry

        And a verification code is sent to this same phone number on subsequent logins.

  9. Mark

    The phone # is the most secured out of it… As criminal can still have your full credit card number. Since the system will not take a prepaid/burner phones but still criminals are smart as they can make a contract with your information with another telephone company.

    1. Kerry

      Right, I suppose they could set up a mobile phone account in your name if they have your name, DOB, SS# and get a phone to use the mobile number. But then they have to reuse a phone. It’s a lot of trouble and involves some up front charges.

      It’s not clear that the IRS is remembering your email and mobile phone which can be used for two-step verification later. Is is possible for someone to re-register and clobber all your info and break into your account? SS.gov doesn’t allow new online accounts to be opened once one is associated with your SS# and they remember the email associated with your account.

  10. pol

    Any fraud couse minus as puvblic dept so fromevery minus the banks can print out more money and lend money to working people as credit to keep everybody to working even more and more more fraud = more printed money!! To avoid inflation then we make sure people keep working working to feed that system.

  11. John Willis

    The site really is broken, you have to practically [expose] all your personal information un-encrypted to sign-up (you cannot) sign up following their rules on the website. Complex user names are not allowed, long usernames are not allowed. Complex passwords are sort of enforced, but do not conform to the complexity rules on the sing-up page, you have to reduce the number of characters and complexity to very simplified, stupidly short passwords to sign-up (its extremely insecure).

    In short they did not test the “product” provided by whoever they paid to create the website. They got ripped off. Its got lots of buzzword features.. from ten years ago.. but gosh its bad.

    Once you do get in.. saving grace.. its totally non-functional. None of the reports actually generate or download.. they branch to an xml data point into oblivion.

    I tried with both firefox and chrome to make sure they were not browser specific.

    But! you know what I didn’t try IE6.. perhaps that’s the mistake I am making. GA used to mandate all government sites be made in IE6 and Coldfusion.

  12. Gall

    I wonder if I have my data stolen that way, and the crooks get loan in my name, can I redeem the damages incurred in the Court?

    1. OMG....

      Hehehehehe this sounds like a premeditated gold digger =X

  13. Rip Toren

    If you don’t have a cell phone, you are out of luck. If you believe that your cell phone is secure, you are out of luck. Never put anything on your cell phone that requires a login. You probably have a ‘flashlight’ app or ‘rock flinging’ game that is constantly scrapping your phone, texts, images, and location. Cell phones and JavaScript are 2 of the biggest evils of modern society.

    (please don’t publish my full name. I have been following your column daily, for years)

  14. Robert.Walter

    Given the comments above regarding how little has changed from the last craptastic attempt prior to being pulled down, I wonder why the IRS couldn’t have adopted the system used by the social security administration for ease of set-up and use and just improve the verification process.

    As someone who lives overseas, I will likely be disappointed but not surprised to learn, when I try to give my overseas mobile number, that the allowable syntax will not accept a foreign number format.

  15. Barb Dwyer

    RE: annualcreditreport.com – After having issues with the KBA (because I can’t remember what the monthly payment was on a car I purchased five years prior), I switched to submitting a paper form, available on the site. Name, address, SS, DOB, select the bureau, stamp, seal, mail – done!

  16. elkhorn

    As a Luddite with no cell phone, it seems that I am just s.o.l. The new requirements would require me to 1) pay the “unfreeze / refreeze” fee; and 2) purchase a cell phone & 2-year contract.

    It seems to me that the new “security” measures are there to enrich Equifax and some cell phone company of my choice… A pity that they don’t give you a list of approved cell phone companies, as they don’t allow pre-paid cell phones. I wonder how long it would take for a new cell phone contract to be deemed “valid”.

    And re: the “KBA” question mentioned above — since the last car I purchased was paid for in full, cash on the barrel-head, I wonder if they would accept a monthly payment of $0.00. I kind of doubt it.

    All in all, a nice try. What a crock.

  17. AnOfferYouCan'tRefuse

    A few things to clear up regarding the quote by Mr. Kasper:

    “The real question is, when will more banks start to check that the incoming transfer from the IRS is for an account under the name of an actual customer. Most banks do not do this, but even if they did that is not a complete solution unless they also know their customer. There were probably thousands of fraudulent tax refunds last year where the [perpetrators] just opened up bank accounts in other peoples’ names to receive a refund from the IRS. Because if you’re a thieve and you open an account in the victim’s name, it’s a little harder to trace.”

    1. Banks are not allowed to reject incoming ACH deposits based on payee name mis-match, the receipt of electronic ACH transactions (like direct deposit payroll or electronic tax returns) is governed by NACHA operating rules and funds availability is regulated under Regulation E and neither allows you to reject a payment due to a name mis-match.

    2. Banks have had to ‘know their customer’ for a very long time, you cannot open a bank account in someone else’s name without already having an ID and provide all the verifying information for them in order to establish an account. It is FAR more likely that these fraudsters use turbo tax or other services which offer a prepaid card with the return rather than an electronic deposit, and even if the fraudster goes the route of electronic deposit they are going to go through a money mule to launder the funds rather than deposit directly to their own account.

    Thanks for the write-up, very informative – just wanted to correct Mr. Kasper’s mis-information implying its the bank’s fault when it clearly is not.

Comments are closed.