30 Mar 15

Sign Up at irs.gov Before Crooks Do It For You

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript from the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax and being informed by TurboTax that the IRS had rejected the filing because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS again and was told there was no new information on his case. When he tried to obtain a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an email address he did not recognize.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name, complete with the routing and account number of the bank account that received the $8,936 phony refund.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed the refund request using the free e-file option the IRS web site offers to filers with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania, the checking account number of the individual who received the deposit, and the date the return was filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania, whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built. So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”
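The odds Weaver describes, worked through as a small risk model. This is an added illustration, not anything from the IRS, Equifax or the story: the four-question, four-option format and the counts of questions resolvable from public records come from the quotes above, while the attempt budget models an assumed lockout policy that the article does not describe. It generalizes to any number of questions and option counts.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import log2, prod


@dataclass(frozen=True)
class KbaQuestion:
    """One multiple-choice "out of wallet" question.

    options:    answer choices shown to the applicant (4 in the IRS/Equifax flow)
    candidates: choices an attacker still cannot rule out after consulting
                public records: 1 = answer known (e.g. the year a house was
                built, read off a real-estate site), options = nothing known
    """
    label: str
    options: int = 4
    candidates: int = 4

    def __post_init__(self):
        if not 1 <= self.candidates <= self.options:
            raise ValueError(f"{self.label}: candidates must be in 1..{self.options}")


def remaining_answer_space(questions):
    """Answer combinations the attacker must still choose between (product rule)."""
    return prod(q.candidates for q in questions)


def single_attempt_success(questions):
    """Probability that one submission answers every question correctly."""
    return Fraction(1, remaining_answer_space(questions))


def success_within_attempts(questions, attempts):
    """Probability of passing within `attempts` distinct submissions, i.e. the
    residual risk under an assumed lockout after that many failures."""
    space = remaining_answer_space(questions)
    return Fraction(min(attempts, space), space)


def effective_bits(questions):
    """Secrecy left in bits; a 4x4 KBA set is only 8 bits even against a blind attacker."""
    return log2(remaining_answer_space(questions))


# Scenarios constructed from the quotes above (labels are illustrative).
BLIND = [KbaQuestion(f"question {i}") for i in range(1, 5)]

FIRST_ATTEMPT = [                                        # "1 in 4 the first time"
    KbaQuestion("current address", candidates=1),        # real-estate listing
    KbaQuestion("current address (2)", candidates=1),
    KbaQuestion("old address", candidates=1),            # people-search site
    KbaQuestion("which credit card did you get"),        # not in public records
]

SECOND_ATTEMPT = [                                       # "1 in 16 the second"
    KbaQuestion("current address: year built", candidates=1),
    KbaQuestion("current address: year purchased", candidates=1),
    KbaQuestion("car loan amount"),
    KbaQuestion("car loan date"),
]

if __name__ == "__main__":
    for name, qs in (("blind", BLIND), ("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(f"{name:6}: 1 in {remaining_answer_space(qs):3}  "
              f"({effective_bits(qs):.0f} bits; within 3 tries: {success_within_attempts(qs, 3)})")
```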

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Update, 10:46 p.m., ET: The link included in the first paragraph of this story directing readers to create an account with the IRS is currently returning the message: “We are currently experiencing technical issues and unable to process new registrations.”


286 comments

  1. I went through the KBA process and then it just went back to the initial page. Asking for my logon info to be emailed to me didn’t result in an email. Is it possible that previous efilings have created this account already?

    • I had the same results, no email after approx. 1 hour. Several reasons for this occur to me, only 1 is worrisome:
      1) My account has already been created/stolen with a different email address.
      2) The servers are backed up on processing these requests.
      3) They have disabled this function as part of the effort to tighten up (result from Brian’s newsletter) but haven’t edited all the pages yet.

      • > no email after approx. 1 hour

        Check your spam folder – it may have been caught by a filter.

        • Nothing in my spam folders. I need to try again with pop-up blocker exclusion(s).

          • See post by ‘Craig’ below – your ISP’s mailserver is probably rejecting the IRS mailserver connection as suspicious.

  2. Just went to try to register with the IRS – it failed for reason of a credit freeze. I contemplated lifting the freeze, but realized that if I couldn’t register an account with the IRS, neither could the criminals.

    • Yeah, my registration failed for the same reason as well. Credit freeze prevents a lot of things, like a financial mess and annoying “special offers”, etc. Not being able to register at a government website without unlocking the credit report is annoying.

      If I recall correctly, the government uses Experian for accessing your credit report. Unlocking just one credit agency should allow registering at government sites. But you’re correct, if you cannot register, others cannot register either…

    • Same thing happened to me. I think I’ll do a temporary lift so I can go through the process–I’d feel better about having possession of my own IRS account so it can’t be claimed by someone else later if the IRS changes their procedures down the road.

  3. The website seems to be working now. I just did mine and my wife’s. Feel safer now.

  4. I wonder how well the irs and ssa handle ‘forgot your password’ requests……

  5. The security profile page keeps telling me to enter a phrase of no more than 50 characters. There’s no indication of the field it’s referring to. None of my entries on the page are anywhere near that long.

    • Check the phrase you are asked to enter when you select a picture you recognize. I think it has a light bulb and various other icons. Below that it asks you to enter a phrase you recognize (if I am recalling all of this correctly.)

      • Someone mentioned earlier in the comments that it might be special characters causing this error, perhaps an apostrophe or something like that.

    • The TOTAL character count for ALL of your security answers cannot exceed 50 characters. I ran into the same issue, but by reducing the length of some of my answers (and counting the characters to make sure they weren’t more than 50) the form submitted.

      Oh, and while the instructions say that your password must be “at least 8 characters” it actually can’t be of significant length either. I couldn’t get the password to submit when it was 16 characters.

      • Ah, the comment further below about having a question mark in the “site phrase” box may have been applicable to me as well. I did have a question mark there in earlier submits, and did end up changing it. I don’t recall if it was at the same time that I shortened my security answers or not.

        The password length comment still holds though.

        What a terrible user experience that form is. I’m not surprised that fraudsters are better at it than normal users (practice makes perfect I suppose).

  6. If you have a security freeze on your credit it will need to be lifted temporarily at Equifax in order to register.

  7. 10:30 a.m. EST March 30. IRS.gov allows account creation after filling out their brain dead programmed forms. Example: if you make a mistake on one of the questions they derive from Equifax (one of the questions related to a credit card my wife had) it just takes you back to the base irs.gov url without any indication you’ve made an error. Tried again and got registered. Went to transcript download page. Selected reason for transcript and one of the allegedly available transcripts. Click and nothing happens. No error message, no download, no email generated, nothing.

    Bigger picture: the whole situation is hopelessly fouled up with both IRS and State tax returns. They should be requiring a secure and validated ID and PIN before they process any kind of online return and refund. Setting something up is computer science 201 if not computer science 101.

  8. 2 of my challenge questions could be easily answered just by going to zillow.com. The years my house was built and the year I purchased it. This is incredibly insecure.

    • Never never never answer security questions honestly. Most of the answers are available online. Rather, use Wikipedia’s Random Article link to generate answers for you, and save these answers securely in your password manager.

      Bottom line: if you can remember any of your authentication username, password, security questions, or anything else, you’re doing something wrong.

      • Think before you speak.

        The IRS is validating your knowledge of yourself based on information it already has. Hence, the verification process.

        You are trying to solve an entirely different problem.

        • Random article

          Obviously you can use a random Wikipedia article to answer radio button financial questions. I’m referring to the text answers to the four security questions that will grant access to your account.

      • “Random Article”? That seems rather imprecise. Random generator, maybe, or random number, but there is no Random Article entry.

      • I was talking about the IRS questions, not mine. If you answer any with the correct information, it will not work. If you file jointly, do you need an account for both taxpayers?

  9. Also worth noting: Not so long ago (2 years?) Equifax leaked a huge list of email addresses in such a way that they landed in the hands of the slimiest classes of spammers: those using botnets and most recently bulk-registered throwaway domains in new gTLDs on “snowshoe” address ranges. If those addresses were exfiltrated along with the random “KBA” facts that Equifax uses, that could explain the IRS vulnerability.

  10. 1. If a fraudster is doing your tax return, can you lower or eliminate your tax withholding and skip filing a return?

    2. It would seem if you register with the IRS you just run the risk the IRS server will be hacked and all 17 million who have registered will need protection?

    • Unfortunately, you’re still obligated for your actual taxes, whether or not a fraudster falsely files forms in your name.

      Also, note: Fraudsters don’t have to file forms in your name w/ particularly accurate W2s, they can make things up. Unfortunately, the IRS tends not to have access to your employer’s W2 information until after they’re required (by law) to have sent out the refund in response to the filing — thus, they can’t actually check.

      In the case reported here, the fraudster didn’t use the victim’s real W2, but did file a fake W2 based on the prior year’s W2 (which is a clever approach to avoid many potential fraud detectors), but it could have been the case that the victim had changed employers between 2013 and 2014 (I’ve done things like that in the past).

      If the IRS database is hacked, then it’ll be the IRS’s mess to clean up — at the very least, I’d expect everyone impacted to be issued an IRS Identity Protection PIN (IP PIN: http://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN ) proactively.

      Certainly, having data available in a database means that it can be stolen.
      But in this case, the database exists and it already has everyone’s information, all that you’re doing by signing up is attaching a handle to your data. And you’re doing it to prevent someone else from attaching their own handle to your data.

      Personally, I’m going to gamble that no one created an account at the IRS before I froze my 4 Credit Bureau reports — If they did, I’ll probably find out when my taxes are filed and rejected, at which point, I’ll get to spend a year trying to clean up the mess. (Basically: if it’s already too late, then there’s no benefit to me to discover now, and if it isn’t too late, then I’m already about as protected as I can be — until someone compromises my unlock PINs to the Credit Bureaus.)

      N.b. my gamble will fail when the IRS changes from its current KBA check to something which isn’t blocked — but hopefully @Brian will have alerted me to whatever I’ll need to secure before the fraudsters take advantage of it…

    • “If a fraudster is doing your tax return, can you lower or eliminate your tax withholding and skip filing a return?”

      What many people miss is that a fraud return has NOTHING to do with your actual taxes. You could owe money and they could file a refund. They do not get your refund, they file a completely 100% bogus return.

      Of course, the IRS actually catches a lot of returns, and the further away a thief strays from the truth the more likely their fake return gets rejected, but people have seen fake returns where they suddenly had a different spouse accepted.

      So no, your tax withholding has very little if any effect on whether someone can file a fake return.

  11. I was a phony tax refund victim 5 or 6 years ago. Went through the whole process; took 6 or 7 months to get my refund. Each year since, IRS sends me a fraud victim PIN number that must be used to file my return.
    Once you’ve been a victim, the IRS prohibits access to your transcripts online.

  12. In order to see transcripts you need to have pop-up blockers off – would be nice if they told you that on the page. Turned mine off and the transcript loaded.

    • Do you mean turning off the browser’s own popup blockers or turning off third-party popup blockers?

  13. How long before we see Phishing scams mimicking this website? Hard to believe the IRS is asking for all of this information via the web. Once the Phishers get wind of this site, thousands more will be compromised.

    Not only are hacks exposing the data, but many unknowing citizens, mostly the elderly, will fall prey to these attacks.

  14. How troubling is it that the IRS uses a commercial service to verify taxpayer identities?

    • Yes, this is the biggest conundrum. Why use third-party where it is easiest to create yet another hole for criminals?

  15. Brian some info and thoughts for you & the readers:

    A credit freeze will prevent the big 3 from displaying info electronically, but you have to pay each one for it.

    Before I fill out any information I check the site with Qualys SSL check. The three websites I checked (all with Qualys) all get a B rating: 2 supported TLS 1.1 but not 1.2, and one allowed RC4.

    The IRS site did allow me to register (thank goodness) and even better accepts up to a 32 character pw. Still not as secure as I’d like (no 2F auth) but better than doing nothing.

    So anecdotally the freeze does work to some extent.

    • Don’t take the Qualys site too literally. It is an engineering site, not an end-user check-this-site score. Checking TLS features is complicated and scores are subjective.

      E.g. they use load balancing servers in front of their main servers (with likely also keys in hardware) so no direct need for forward secrecy. Also their access is different depending on whether you use IPv4 or IPv6. Qualys only checks the IPv4 servers.

      Also the RC4 is at the bottom so unless you use an ancient browser, it will use a more modern cipher.

      Last, the site does support TLS 1.2. It is likely your firewall settings that prevent it from detecting that. Their own FAQ explains which port is probably blocked.

  16. I have seen Craigslist *jobs* describing what appeared to be the one described in this story. The listing described accepting deposits and forwarding payments, and actually said “nothing illegal.”

    I guess that, technically, the account holder ISN’T acting illegally (although one has to be pretty naive, I’d think, to believe this was a kosher deal). Nonetheless, for a person who has held down the horror of franchised minimum wage jobs, where one is expected to be a vibrant ambassador for a company which couldn’t care less about their personal struggles, and come to the point of considering ads which include softcore porn (if you haven’t looked for a job via CL recently, I can tell you this is prevalent), the “accept funds/disburse funds” gig probably seems worth the risk. Necessity is the mother of invention and all. In some respects, we reap what we sow.

    • Naive is far too kind a word to describe these people, regardless of their financial situation.

    • They’ll hit you up when you try to sell something on Craigslist, too. They contact the seller wanting them to accept a certified check for more than the amount, deposit it to their bank and send them the balance, saying they will arrange for shipping the item.

      The check goes through and it may be a month or more before the victim finds out it was a fraudulent check. They are left holding the bag for the entire amount of the check deposited.

      Other craigslist or emailed employment opportunities have to do with secret shopping. Using the name of a legitimate survey company in the email, they send a money order or check, the victim is supposed to test Western Union by sending a large portion of the money, which can be picked up anywhere in the world, then are left holding the bag with their bank, the same way, when the instrument turns out to be invalid. Many of the survey companies have a warning on their websites about the secret shopper scam.

      The IRS refund bit seems to be the latest permutation.

  17. I’ve been trying to create an account for several weeks. Each time I get ‘registration error’.

    It’s impossible for me to get through to the IRS by phone. Each time I try I receive, at the end of many automated prompts, ‘our system is too busy and cannot answer calls today, try again later’

    I have also contacted (and paid) Equifax to see if there was a freeze on my account preventing me from logging in, but there was no freeze. I’ve tried entering my address in various formats but none work.

    So I’m left with being unable to log in or create an account at IRS.gov and not knowing why.

  18. Jolene Johnson

    Great and informative article, something that is definitely in everyone’s best interest to do. Thanks for sharing!

  19. I’m sorry, but I don’t understand what you mean by “create an account” at irs.gov. Do you mean “create an IRS e-services account”? The link you provide is to a “GET TRANSCRIPT” site.

    Thank you.

  20. >W2s
    What is this/ are these?

    >threatening to file harassment claims if I didn’t stop trying to contact her
    How many times did you try and contact her?

  21. The college student “appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.”

    That is the fault of the financial industry, which should sponsor public service announcements on TV which educate the public to the point where anyone who acts as a money mule would find it difficult to use the “I didn’t know” excuse.

  22. hey Brian,

    Got any dirt on these guys? It may fill your coffers. Good luck ! = )

    http://www.securityweek.com/us-offers-3-million-reward-alleged-russian-cybercriminals

  23. You might have trouble receiving the validation emails from the IRS. Their email servers are not configured correctly and many ISPs will drop their emails. The servers are sending out invalid system names in the HELO commands which at least caused my ISP to drop their emails.

    The name given in the HELO command isn’t valid, which causes some email servers to respond with a 501 error. Instead of being a valid machine name it has ?? in it.

    501 5.5.2 : Helo command rejected: Invalid name; from=

    • Ok, the HTML escaping makes it impossible to paste in the full error message. But the IRS email servers are identifying themselves as:

      ??N??.irs.gov

      in the HELO command of the SMTP handshake, which causes many SMTP servers to return a 501 error and not allow the IRS server to send you the validation message.
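Why a HELO name like the one quoted in this thread draws a 501: RFC 5321 allows only letters, digits and interior hyphens in hostname labels, or a bracketed address literal. The checker below is an added example, not code from the IRS or from any mail server; the 501 text mirrors the rejection quoted above, `mx.example.invalid` is a placeholder server name, and the sample names are constructed.

```python
import ipaddress
import re

# RFC 5321 section 4.1.2: a hostname label is Let-dig [Ldh-str], i.e. it starts
# and ends with a letter or digit and may contain hyphens in between.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def helo_argument_error(arg: str):
    """Return None if `arg` is a syntactically valid HELO/EHLO argument,
    otherwise a short reason. Accepts a domain name or an address literal
    such as [192.0.2.10] or [IPv6:2001:db8::1]."""
    if not arg:
        return "empty argument"
    if arg[0] == "[" and arg[-1] == "]":                # address literal
        literal = arg[1:-1]
        try:
            if literal.startswith("IPv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return None
        except ValueError:
            return f"malformed address literal {arg!r}"
    if len(arg) > 253:
        return "name longer than 253 octets"
    for label in arg.split("."):
        if not label:
            return "empty label (leading, trailing or doubled dot)"
        if len(label) > 63:
            return f"label {label!r} longer than 63 octets"
        if not _LABEL.match(label):
            return f"illegal character in label {label!r}"
    return None


def smtp_helo_reply(arg: str, server_name: str = "mx.example.invalid") -> str:
    """The reply a strict receiving MTA gives to HELO/EHLO <arg>; the 501 text
    mirrors the rejection quoted in the comment above."""
    reason = helo_argument_error(arg)
    if reason is None:
        return f"250 {server_name} Hello {arg}"
    return f"501 5.5.2 Helo command rejected: Invalid name ({reason})"


def helo_self_check(identities):
    """Defender's use: audit the HELO names your own outbound MTAs announce and
    return the ones a strict receiver would refuse, with the reason for each."""
    return {h: helo_argument_error(h) for h in identities if helo_argument_error(h)}


if __name__ == "__main__":
    # Constructed sample: the name quoted in the comment beside well-formed ones.
    for name in ("??N??.irs.gov", "mail.example.net", "[192.0.2.10]", "-bad.example"):
        print(f"{name:20} -> {smtp_helo_reply(name)}")
```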

  24. One thing to note on the account, if you use a “Site Phrase” that includes a question mark, it throws an error about the site phrase must be less than 50 characters.

    This is even with an 8 character, one word phrase.

    I did not explore the issue except made note of it when I created my account, but it made me worry about injection issues.

  25. I have a question regarding what constitutes an IRS.gov account

    What if you have previously e-filed?

    I have never gone to the irs site to create an account, but have I repeatedly filed via e-filing feature in TurboTax.

    Does the e-file process effectively create your account for you, thus helping avoid this scam?

    • As used here, an “IRS.gov account” means “a username and password established to use the IRS Get Transcript tool.” E-file or paper-file make no difference here; think of it like going to a credit card company’s website to get an account statement on PDF.

  26. Unfortunately, even if you create an IRS.gov account, there is a ‘Retrieve Return as Guest’ option which someone could still use to get your information…… They would still need to answer the same questions you can easily answer from Zillow (mostly) though…..

  27. Tried again — three times — without success.

    First time, Step 4 — verify personal info — dumped me back to the start page.

    Second attempt, nothing displayed in Step 4 was related at all to me. So, I canceled.

    Third attempt, received a “technical error” message.

    If the crooks have this much trouble getting an IRS site to work, maybe we’re safer than we think.

  28. I registered an account before fully reading this post, and damned if I also didn’t use Zillow to figure out when my house was built.

    • Fedex asked me the same question and I just guessed. They then asked me how many acres my house is. I live in a large city; what acres? Here you own lots in square feet. I also thought to go to Zillow, but then decided to guess instead. I find the best guess is ‘none of the above.’

  29. What is it with the IRS? Have they no sense, trying to protect the privacy of the criminal! It seems as soon as there is a whiff of impropriety all cash disbursements should be frozen immediately until it can be sorted out as to who is really entitled to it. Once you give someone cash, especially a crook, you can’t get it back. Someone really needs to shake up the IRS on this, as it is common sense in business and everywhere else. This agency has gotten too PC.

  30. I’m a real estate investor and they are asking about loans from 8 years ago. The only way I can claim my account is to get my entire credit history for the previous decade. For me their site is broken the other way: the assumption that I should know the answer to the questions is faulty. At least I know hackers won’t have an easy time of it.