March 30, 2015

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — multiple-choice, “out of wallet” questions about things like a previous address or the amount and date of a loan — can in principle be defeated by blind guessing: with four questions and four choices each, a single attempt succeeds about one time in 256. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”
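The arithmetic behind Weaver’s “1 in 256 … 1 in 4 … 1 in 16” is worth making explicit, because what matters to a defender is that number multiplied by however many attempts the site allows before it locks the account. The following is an added example, not code from this article or from the IRS: it models a four-question, four-choice quiz, lets the attacker mark each question as known (from Zillow, Spokeo, a breach dump) or narrowed to a few candidates, computes the odds of passing in one attempt and within a lockout budget, and then runs an enumerating attacker against a toy gate. The answer key, the three-strike lockout and the candidate lists are assumptions chosen for illustration.

```python
"""Added example: how much does a multiple-choice KBA quiz really protect?"""
from fractions import Fraction
from itertools import product


def single_attempt_odds(candidates_per_question):
    """Chance that one attempt passes.

    candidates_per_question: for each question, how many choices the attacker
    still cannot tell apart (1 = already known from OSINT, 4 = no idea).
    """
    p = Fraction(1)
    for n in candidates_per_question:
        if n < 1:
            raise ValueError("each question needs at least one candidate")
        p *= Fraction(1, n)
    return p


def odds_within_attempts(candidates_per_question, attempts, rerandomised=False):
    """Chance of passing at least once in `attempts` tries before lockout.

    rerandomised=False: the same quiz is served every time and the only
    feedback is pass/fail, so each failure rules out one combination (k/N).
    rerandomised=True: a fresh quiz each time, so tries are independent.
    """
    p = single_attempt_odds(candidates_per_question)
    if rerandomised:
        return 1 - (1 - p) ** attempts
    return min(Fraction(1), attempts * p)


class KbaGate:
    """Toy server-side check: fixed quiz, pass/fail only, N-strike lockout.
    Constructed for this example, not the IRS's implementation."""

    def __init__(self, answers, max_attempts=3):
        self._answers = tuple(answers)   # index of the right choice per question
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False
        self.attempts += 1
        if tuple(guess) == self._answers:
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True
        return False


def attack(gate, candidates):
    """Enumerate every combination of the attacker's remaining candidates
    (a list of index lists, one per question) until the gate passes or locks.
    Returns (passed, attempts_used)."""
    for guess in product(*candidates):
        if gate.verify(guess):
            return True, gate.attempts
        if gate.locked:
            return False, gate.attempts
    return False, gate.attempts


if __name__ == "__main__":
    answers = (2, 0, 3, 1)                        # assumed answer key
    scenarios = {
        "blind guessing":               [[0, 1, 2, 3]] * 4,
        "two answers known (1 in 16)":  [[2], [0], [0, 1, 2, 3], [0, 1, 2, 3]],
        "three answers known (1 in 4)": [[2], [0], [3], [0, 1, 2, 3]],
    }
    for name, cands in scenarios.items():
        counts = [len(c) for c in cands]
        print(f"{name}: single try {single_attempt_odds(counts)}, "
              f"within 3 tries {odds_within_attempts(counts, 3)}, "
              f"3-strike gate -> {attack(KbaGate(answers, 3), cands)}")
```

Run stand-alone, it prints the three scenarios Weaver describes. The point the toy gate makes: a three-strike lockout does stop a blind guesser (3 in 256), but it is irrelevant once OSINT has pinned down three of the four answers, and a sixteen-attempt budget hands over the account even at the second-quiz odds. If the site serves the same quiz on every try, the fixed-quiz figure (k/N) is the one to use; re-randomising the questions only makes the tries independent, it does not change the per-try odds.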

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number of every current member of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Update, 10:46 p.m., ET: The link included in the first paragraph of this story directing readers to create an account with the IRS is currently returning the message: “We are currently experiencing technical issues and unable to process new registrations.”


286 thoughts on “Sign Up at irs.gov Before Crooks Do It For You”

  1. AP

    Maybe I overlooked it, but can you be more specific about what needs to be done to create the account at the IRS website. I followed the link to the forms, but at no point during the account creation did it ask for my SSN.

  2. Syslock

    They know we are coming:

    We are currently experiencing technical issues and unable to process new registrations.

    1. Frank

      Still having technical difficulties at 02:20 (March 30)

  3. Dennis

    Yes, Brian, how do you register on irs.gov? Can you be more specific. The site has no login or registration page.

    1. BrianKrebs Post author

      The link to do that is in the first paragraph of this story. Oddly enough, the site seems to be having troubles at the moment.

      1. a

        If you click “Forgot User ID” you can then click a reregister link that seems to work, though I haven’t verified that the resulting page would actually submit successfully.

        1. Bob Brown

          I did it all the way through. It works, so there are no “technical difficulties.” (They don’t tell you that you can’t have special characters in the “recognition phrase,” though; they tell you your phrase is over 50 characters, which is not allowed. Sloppy programming.)

          Conjecture: This IRS has seen this column and is scurrying around trying to prevent a flood of fraudulent registrations. Trouble is, they left the back door open. More sloppy programming.

          1. Steve Wartik

            Pretty much ditto, Bob. It took me several tries to realize that many special characters aren’t permitted. (Wish I’d read your comment first.) Spaces are legal, for the record. Perhaps they only permit the ones listed for passwords.

            1. Bob Brown

              I’d guess it was the apostrophe that did it, because they’re checking for database meta-characters, but then they emit an incorrect error message instead of just escaping the meta-character. {sigh}

      2. a

        Apologies if this comes through twice.

        If you click the “Forgot User ID” link, you can then click “reregister,” which takes you to a page that loads. Whether it actually works, I don’t know, because I didn’t submit the form.

        1. Jeff G

          I attempted to register, and at the end of the process I got a “technical” error messages that my transaction to create my account failed.

          1. Chris

            I registered with no issues through the re-register link on the forgot username page. Valid transcripts also.

        2. SingleBbl

          My credit is frozen at Equifax. When I tried to re-register using the “Forgot User ID” link and “reregister” it went up to step 3 of 6, where it verifies your information, and quit with this error message: “The system cannot verify your identity to access your requested application at this time.” and referred me to a page of possible errors. The 2nd in the list is “You placed a credit security freeze with Equifax”. And I’m hoping this is good news, but if I learned anything from this discussion it’s that the IRS computer systems are totally screwed up, so maybe not. Will wait till August, temporarily lift the freeze, and register. For both of us.

          BTW the possible error page is http://www.irs.gov/uac/Taxpayer… so I guess not all http://www.irs.gov is bad?

      3. Tech-Key

        Seems to be the IRS is flawed. Very flawed in so many levels.

        We are mad at companies like Intuit for not being careful with TurboTax.
        We are mad at the fraudsters for stealing our money and for getting us into legal trouble.

        But when do we get mad at the IRS that basically invites this to happen?

        1. B_Brodie

          Don’t blame the IRS – congress has cut IRS funding steadily for the last 10 years out of spite.

            1. darevsek

              OK, Steve… let’s cut your salary by 20% each year for the next 10 years and see if you can pay all your bills and keep your lifestyle going… without excuses.

              1. Chip Douglas

                GOOD! They are corrupt to the core as the most recent Congressional investigation proved. As usual no meaningful punishment was applied so it all means nothing!

            2. Bart

              It’s true. The GOP has hamstrung the IRS with staff cuts just as they did with the Post Office by making them fully pre-fund pensions for the next several decades. In the case of the PO, it’s to keep them in the red and out of competition with UPS and Fedex. In the case of the IRS, it’s so that fewer taxes are collected.

          1. Tech-Key

            So you say I should not condemn a government agency for jeopardizing personal information of all Americans, on top of being a free money dispensing machine for fraudsters…

            .. just because another government entity has decided they were getting paid too much for what they were doing (or not doing)?

            I think I will continue to blame the IRS.

        2. Chip Douglas

          The IRS could not find their a** with both hands when it comes to any kind of customer service. They ONLY thing they are good at is making your life miserable if they want your money and you have not paid. If congress would abolish the IRS and adopt the fair tax, that would be the best solution. Unfortunately the clowns in Congress are just as incompetent as the IRS. We are stuck with this crap and it will never get better. They are all secure in US government jobs, paid with tax money and they just don’t care.

    1. a

      Yep.

      http://www.irs.gov uses an invalid security certificate.
      The certificate is only valid for the following names: *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net (Error code: ssl_error_bad_cert_domain)

    2. timeless

      *sigh*, that’s been a problem w/ the irs site for ages.

      @Brian: think you could contact the IRS and encourage them to fix it?

  4. Bill

    This is the best story that I’ve read in a long time. Very useful. Another problem with the KBA questions is that they could be wrong. I tried the annual credit report site once and got questions about loans that I never heard about so slapped a fraud alert up right away. Nothing in my credit file about any loans so I have no idea where the questions came from.
    As an aside, if I’m a mule, what’s to prevent me from skipping the WU step?

    1. Allie

      That happens to people all the time – turns out they are questions to do with the finances of ex-spouses, relatives-in-law, distant relatives who died years ago, etc.

  5. Allie

    IRS: “We are currently experiencing technical issues and unable to process new registrations.”

    Social Security: “We are currently experiencing technical issues and unable to process new registrations. “

  6. James Kappel

    IRS create an account:
    http://www.irs.gov/uac/Step-1-Create-an-IRS-e-services-Account

    Form:
    https://la2.www4.irs.gov/e-services/Registration/Reg_Online/Reg_RegisterUserForm

    Register You Must Register To Create An Account:
    https://la2.www4.irs.gov/pub/rup_login_1?TYPE=33554433&REALMOID=06-3e42c2f4-1c41-0019-0000-25b0000025b0&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=lgjzN0Exzjjq7GXjaIQAtum2VjVbftpJfXjCX5EEznNQ6gB2VzGstn8fCh3KSapr&TARGET=-SM-%2fRUP%2fnewSelectPersonality%2f%3fTYPE%3d33554433%26REALMOID%3d06–42d3d179–ae36–0006–0000–4d5700004d57%26GUID%3d%26SMAUTHREASON%3d0%26METHOD%3dGET%26SMAGENTNAME%3dlgjzN0Exzjjq7GXjaIQAtum2VjVbftpJfXjCX5EEznNQ6gB2VzGstn8fCh3KSapr%26TARGET%3d–SM—%2fPORTAL—-PROD-%2fCRM-%2fsignon-%2ehtml

  7. Michael

    Just tried to register and after several steps the site encountered an error and halted the process.

    “We are currently experiencing technical issues and unable to process new registrations.”

  8. louis

    This is currently happening to me right now. I went to e-file and found that someone else submitted a tax return in my name. I submitted the fraud alert form to the IRS but also sent in my hard copy of the real tax return. It sounds like I shouldn’t have done that and should have filed and sent $50 to have a transcript sent of the fraudulent claim.

  9. Dave

    HMRC sends individuals a unique reference on the usual paperwork and then a further activation code by post to validate the current address if they register to file online.

    It begs the question; All this because they are too cheap to authenticate you by post?

  10. Johnny

    http://www.irs.gov/pub/irs-utl/infoqualityguidelines.pdf

    Integrity
    Integrity, as defined in the OMB quality guidelines, refers to the security of information
    from unauthorized access or revision to ensure that the information is not compromised
    through corruption or falsification.
    To ensure the integrity of its information, IRS will employ rigorous controls that have
    been identified as representing sound security practices.
    Tax returns are protected from public scrutiny by law, and strict procedures govern the
    handling of returns and computer files containing such information. IRS has programs
    and policies in place for securing its resources as required by the Internal Revenue Code.

    1. Dave

      Please look up how CDNs and DDoS protection work. They use Anycast too, meaning that IP-to-location data is utterly useless, because that one IP is actually serviced by many locations globally, simultaneously, and routing protocols dictate the shortest path between you and the CDN.

      FWIW Akamai have several service windows this week too meaning that your geographically local pop may be unavailable.

      Happy hunting 😉

  11. Mike

    Register at the IRS website? Really?

    Considering what’s been going on with TurboTax, routers, and breaches of all kinds…..
    Considering how much trouble everyone seems to be having with this ‘registration process’…..
    Considering that this has never been required before…..

    This entire idea is at the very least, laughable. At the most, questionable and suspect.

    With all this going on; What’s the point in even having SSN#’s in the first place?

    1. Bob Brown

      The point of an SSN is to be a financial identifier for the Federal government. It’s quite good for that.

      The problem is that people insist on using the SSN as an authenticator, which is a miserably stupid thing to do.

      1. Tech-Key

        I am so glad I’m not the only one who thinks this way!

  12. George Scott Hollingsworth

    I suspect a generic error message is being used or an admin blocked access to Equifax servers as a quick and dirty fix to the weak KBA.

    I have seen the same KBA used also at healthcare.gov and free credit info sites operated by the credit agencies and maybe others like mint.com (an Intuit brand).

    Somebody asked when we would get mad at the IRS? Too late, we have generally been mad at the tax collectors since they made their first appearance thousands of years ago.

  13. William Drislane

    I already have an IRS EFTPS account that I use to pay my quarterly taxes – does that mean I already have an e-services account? I don’t e-file because certain aspects of my return prevent it.

    1. KapnKirk

      I thought the same thing. I think it is different because I’ve used EFTPS for years and just now created the IRS.GOV accounts for me and my wife and it didn’t say anything about an account existing already. Of course, I might get a rejection email or letter – who knows. So confusing. There’s also an IRS efile PIN that I got from somewhere, I guess when filing via Turbotax.

  14. Ed

    You just gave all the other fraudsters that did not know about the scheme the knowledge, which will create more victims. All these fraudsters are now on the IRS website trying to beat out everyone. There has to be a better way of getting this info out to help people than articles like this.

    1. Jane

      With no useful suggestions, you’re basically telling us burying our heads in the sand is the better option.

      But likely you knew that and I’m just feeding the troll.

    2. BrianKrebs Post author

      Ed,

      It’s not possible to make people aware of a problem without also making the fraudsters who don’t already know aware of it. Aren’t you better off knowing than not?

    3. E.M.H.

      The operative principle here is that the risks from nondisclosure outweigh the risks from disclosure. While this may indeed provide operative information for criminals bent on defrauding the government, it also functions to warn people to create their own accounts so as to prevent this from affecting them, as well as to publicize the problem so as to create pressure on the agency to fix it.

      Again, there’s a cost/benefit calculation to such articles, but I see the benefit side of that ledger clearly favoring publication.

  15. Donald J Trump

    I have personally defeated the KBA questions on quizzle.com. It is real easy to obtain a person’s credit report information on anyone. Again, as this article states, using Google.com, along with other websites, makes it very easy to accomplish.

    Why hasn’t this person contacted the Secret Service?

  16. Mark Strelecki

    Good morning, Brian.

    Thanks for shaming the IRS into shutting down their “complicit” registration page on their website.

    Maybe they’ve taken your suggestions to heart and are retooling to make it more secure?

    I can dream.

  17. Ken Williams

    I work for a local government (under the BCBS/Anthem breach), and we have been getting a lot of complaints about Green Dot permanent debit cards showing up in our mailboxes, the temporary cards already used to fraudulently claim our tax refunds.

    Anyone else under BCBS getting this?

  18. KapnKirk

    Just registered my wife and myself and had no problem. Said it was going to send confirmation instructions by snail mail. It did ask if I wanted to change the address they have on file — to which I answered No of course. I’d prefer that option not be available when you register a new account…

    Thanks Brian for pointing this out!

  19. Doug

    Confirm that re-registration works. Just did it. Shocking that with just some information available on a credit report one of the bad guys can get my IRS transcript so easily.

  20. Tom

    I just successfully registered myself.

    I then tried to register my wife and I got a “JBWEB000065: HTTP Status 500 – java.lang.NullPointerException” error after entering the challenge questions. Nice!

    1. Soy Tenley

      Perhaps you should have cleared all your cookies and history, then rebooted, and accessed the site for the second registration. Or waited a few hours.

      I hope they don’t allow repeated registrations from a single IP address within a short time of each other, and from the same computer, as a noob fraudster would be likely to try as quickly as possible.

      1. Tom

        Thanks for the suggestions. I tried it the next day and it worked. I think the IRS server(s) was overloaded.

  21. Rosseloh

    OK, so this has nothing to do with tax fraud, etc…but:

    “The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her.”

    Seriously? Unless you were being extremely pushy in your requests, I can’t understand why A) she wouldn’t be willing to share her part of the story and B) she’d be so rude about it. Even if you don’t want to talk about it, at least be polite when you refuse.

    Maybe I’m just different.

    1. Soy Tenley

      She is being questioned by police detectives, local and federal. She doesn’t have to answer any questions from anyone.

      Fifth Amendment rights, you know. Anything she says to anyone except her lawyer can be used against her.

      Also, the investigators might be asking her to remain quiet while they dig further into this, as the people who tricked her into this probably have other mules.

  22. Sue

    How can creating an account prevent hackers from accessing my data? If they can create an account using my data, can’t they reset the password or break into my account using the same data?

    1. Tech-Key

      It’s a lot easier to create an account that doesn’t exist yet than to modify an existing one.

  23. Eugene Schlussel

    Do I need to do this if I am already retired and on social security?

  24. K

    I’m wondering if this is how my fed return fraud was accomplished this year. I tried efiling through TurboTax desktop on 3/5, and it was “not accepted.” Checked everything, tried again 3/6, same thing. I called the IRS fraud line, stayed on hold for 35 minutes, and got a woman who said her name & number so quickly I couldn’t catch any of it. I think that was intentional, since as soon as I started explaining, she HUNG UP on me. I stumbled on the IRS transcript area the next day while researching what to do, and after some trouble (yes, crummy programming) did get registered. And then found someone had filed with my name, SSN & old address on Feb. 16, receiving an almost $5K refund on a 1040A. I haven’t filed a 1040A in decades; you’d think that would have alerted the IRS. And I’ve never had a return that high; again, that didn’t raise red flags? They can institute ‘red flags’ for audits, why not better red flags for fraud?

    So now I’ve done everything they suggested: filed by paper with the fraud alert form, called the fraud line again (yes, they confirmed, your return was fraudulently filed. Duh.), filed a local police report, put a freeze on my credit reports, filed with the FTC, and the state, called my credit union (and put a passphrase on my account). Still have some work to do, and a lot of worry to go through.

    And now I get to wait UP TO SIX MONTHS for my return, while the IRS dithers and “investigates.”

    I’m in IT support, so I’m careful online and with email, and all my passwords are difficult and unique. But nothing matters anymore. No matter how careful you are, the criminals are there before you.

    The lack of security for the transcript area of the IRS is infuriating. The whole mess, and the whole process angers me immensely.

    1. BOB

      You’re not alone! Same situation here. I work in information security and I too am extremely careful — probably even paranoid — about protecting my personal info. I was dismayed (to say the least) with the IRS’s so called “confirmation process”.

      They ask for your first/last name and an email address. They send you a confirmation code that you then enter into the IRS website to continue the registration process. WHAT DID THAT JUST ACCOMPLISH? What was verified? NOTHING!

      Then in the following account registration steps all the perpetrator needs is your first/last name (again), an email address (again) social security number, birth date, address, and last known filing status (easy to guess), phone number (optional) and then choose to proceed as a GUEST (??) or create user ID and password. UNBELIEVABLE!

      You’d think with all the breaches of those exact pieces of data the IRS would get a clue. Everything else they do is PAPER when it could be electronic. Then the one that would be more secure if it were PAPER they do electronically?! LOL! THIS WOULD BE HILARIOUS IF IT WEREN’T SO DAMN TRAGIC!

      1. timeless

        For the record, sending a token to an email address is the only correct way to confirm that you might at some point control the email address.

        This should be used by any and all sites trying to establish an email address connected account. (The alternative is OAUTH.)

        There isn’t really a proper way to establish who owns an SSN — which is the underlying problem here that the IRS more or less is failing to solve. The closest thing to a correct answer would be sending a token to either the postal address on file from last year’s tax filing* (just as sending a token to an email address partially confirms control of the email address). For a bit of additional security, the token could require you to enter something from your IRS filing (preferably an intermediate step instead of an input / final answer — since the former and latter are more likely to be compromised / publicly available) — although such an additional requirement adds a need for a reset option, and thus an additional attack vector (resets as people are discovering tend to have weaker protection than normal paths).

        * failure paths:
        1. If someone fraudulently filed your taxes last year and you had some odd reason for not filing and colliding with the fraud, but that’s a rare case;
        2. If you moved after filing — which can happen, but you should have set up mail forwarding with the USPS
        3. If someone fraudulently filed a USPS mail forwarding — you should get notification when this happens, and the USPS has a law enforcement arm for this
        4. If someone is stealing your USPS mail — you may notice this, and as with 3, there are provisions for it.
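As an added illustration of the scheme timeless sketches above (a token sent to the postal address already on file, plus a figure from the prior filing as a second check), here is a toy model of that flow. It is example code written for this page, not the IRS’s process and not anything timeless posted; the record layout, the 30-day validity, the three-try limit and the use of a withholding figure as the “intermediate value” are assumptions. What it shows is the hygiene the proposal needs in order to hold up: the server stores only a hash of the mailed token, compares it in constant time, expires it, burns it after a few bad tries and makes it single-use, so an attacker who already has the SSN and address still has to intercept a letter, and every retry after a burned token generates another letter to the real address.

```python
"""Added example: out-of-band (postal) activation token bound to a filing value.
Toy model of a proposal from the comments, not the IRS's registration process."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed: a mailed token is good for 30 days
MAX_VERIFY_ATTEMPTS = 3             # assumed: a token is burned after 3 bad tries


class ActivationService:
    """Registration gate: a one-time token goes by post to the address on file,
    and activation also needs a figure from last year's return."""

    def __init__(self, taxpayers, clock=time.time):
        # taxpayers: {ssn: {"address": ..., "filing_value": ...}} (constructed)
        self._taxpayers = taxpayers
        self._pending = {}   # ssn -> {"hash", "expires", "attempts"}
        self._clock = clock  # injectable so expiry can be exercised offline

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_activation(self, ssn):
        """Start registration for `ssn`. Returns (address, token) for the mail
        job, or None if nothing is on file. The web response is identical in
        both cases and never shows the address; only the mail job sees it.
        Only a hash of the token is kept, so a database read yields no usable
        tokens."""
        rec = self._taxpayers.get(ssn)
        if rec is None:
            return None
        token = secrets.token_hex(8)   # 64 bits of entropy, 16 hex characters
        self._pending[ssn] = {
            "hash": self._digest(token),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return rec["address"], token

    def activate(self, ssn, token, filing_value):
        """Return True and consume the token if both factors match. Expired or
        exhausted tokens are discarded, so an attacker has to trigger another
        letter (which the real taxpayer receives) to keep trying."""
        pend = self._pending.get(ssn)
        if pend is None:
            return False
        if self._clock() > pend["expires"]:
            del self._pending[ssn]
            return False
        pend["attempts"] += 1
        token_ok = hmac.compare_digest(self._digest(token), pend["hash"])
        value_ok = filing_value == self._taxpayers[ssn]["filing_value"]
        if token_ok and value_ok:
            del self._pending[ssn]   # single use
            return True
        if pend["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self._pending[ssn]   # burned; a new letter is required
        return False


if __name__ == "__main__":
    # Constructed record: the SSN, address and withholding figure are made up.
    svc = ActivationService({"000-00-0000": {"address": "1 Main St", "filing_value": 6000}})
    address, token = svc.request_activation("000-00-0000")
    print("mail", token, "to", address)
    print("wrong figure:", svc.activate("000-00-0000", token, 1234))
    print("correct:", svc.activate("000-00-0000", token, 6000))
    print("replay:", svc.activate("000-00-0000", token, 6000))
```

Password-reset and re-registration paths would have to go through this same gate; as the comment notes, those are where the weaker checks usually end up.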

  25. David

    “Equifax” or “Experian”?

    Brian, at end of the article Experian is indicated as the KBA agency where initially Equifax is indicated. Please clarify which of the two is used by the IRS, or whether it is both.

    Very important for those who have preemptively frozen one of the three files rather than all of them. It is a lot of trouble, so one might pick the one that was easiest to freeze–which happens to be Equifax.

    1. BrianKrebs Post author

      David,

      You are correct. It should be “Equifax” at the end. I’ve fixed that. Thanks!

    2. timeless

      Note that people should really freeze all 4…

      But yes, it’s worth knowing which one we need to thaw if we want to set up this account.

      @Brian: If I leave my accounts frozen, does that protect me from this? (That seems better than creating an account)

      1. BrianKrebs Post author

        Yes, assuming no one obtained an account in your name prior to your freeze. Unfortunately, the only way to find out is to lift the freeze 🙁

  26. Barbara

    Brian, If a couple files jointly should both people create IRS accounts or only the 1st name on the tax filing? Also, would both have to lift credit freezes at Experian (and only Experian)?
    Thanks for this great info!

    1. BrianKrebs Post author

      Hi Barbara, I don’t know. Can’t hurt for both to create an account, each under his/her own SSN. And I misspoke at the end of the article (now fixed). The credit bureau involved is Equifax, not Experian.
