30
Mar 15

Sign Up at irs.gov Before Crooks Do It For You

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)  — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”
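Weaver's figures follow from a simple guessing model. As an added example (not part of the original article), the Python below computes the pass rate of a multiple-choice KBA quiz for someone who can look up some of the answers. It assumes four answer choices per question and that all four questions must be answered correctly, which is what the "1 in 256" figure implies; the `required` and `attempts` parameters are hypothetical generalizations.

```python
"""Risk model for a multiple-choice knowledge-based authentication quiz.

Added illustration. The quiz shape (4 questions, 4 choices each, all must
be right) is an assumption inferred from the "1 in 256" figure quoted in
the article; it is not a documented property of any real KBA service.
"""
from fractions import Fraction
from math import comb, log2


def pass_probability(questions, choices, known=0, required=None):
    """Chance that a single quiz attempt passes.

    questions: number of questions asked
    choices:   answer options per question (assumed equal for all questions)
    known:     questions whose answers are recoverable from public records
    required:  correct answers needed to pass (default: every question)
    """
    if required is None:
        required = questions
    if not 0 <= known <= questions:
        raise ValueError("known must be between 0 and questions")
    if not 0 <= required <= questions:
        raise ValueError("required must be between 0 and questions")
    unknown = questions - known           # questions answered by blind guess
    need = max(0, required - known)       # blind guesses that must be right
    p = Fraction(1, choices)
    # Binomial tail: at least `need` of the `unknown` guesses are correct.
    return sum(
        comb(unknown, k) * p**k * (1 - p) ** (unknown - k)
        for k in range(need, unknown + 1)
    )


def pass_within(attempts, per_attempt):
    """Chance that at least one of `attempts` independent quizzes passes."""
    return 1 - (1 - per_attempt) ** attempts


def effective_bits(probability):
    """Guessing resistance of the quiz expressed in bits."""
    return -log2(probability)


def scenario_table(questions=4, choices=4):
    """One row per level of public-record knowledge: (known, odds, bits)."""
    rows = []
    for known in range(questions + 1):
        prob = pass_probability(questions, choices, known=known)
        rows.append((known, prob, effective_bits(prob)))
    return rows


if __name__ == "__main__":
    for known, prob, bits in scenario_table():
        print(f"answers found online: {known}  "
              f"pass chance: {prob}  strength: {bits:.0f} bits")
```

Each answer that can be looked up removes two bits from an eight-bit check, so a quiz with three discoverable answers is no stronger than a single four-way guess.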

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Update, 10:46 p.m., ET: The link included in the first paragraph of this story directing readers to create an account with the IRS is currently returning the message: “We are currently experiencing technical issues and unable to process new registrations.”


286 comments

  1. Brian, Thank you so much for the recommendations to set up accounts and the IRS and SSA to prevent others from doing so first and potentially stealing money. I’ve done both.

    Simply invaluable information. Not sure why the government doesn’t communicate this recommendation to everyone.

    I wonder how long it will take before the ACA Healthcare Exchange sites get hit. There is so much information there it’s got to be a target.

  2. Articles like this make me feel our government is rotten to the core. Between taxes and forced jury duty nobody wants to do for $10/day seems like it’s harder and harder to tell who the real criminal is.

    • Matthew of Capernaum

      The gov. isn’t evil or corrupt, they’re just inept and employed full of stupid people who can’t for the life of themselves think one original thought.

      ‘forgive them for they know not what they do.’

      Matthew of Capernaum

      • The government is most certainly corrupt

        • Feels that way to me.. Seems there are far too many ways these days to end up on the wrong side of the law, or even just survivability when they coddle bankers, coddle collection agencies, make it mandatory to go to jury duty, force penalties over buying private health plans.. Can’t secure tax records, or social security.. Citizens united and billions in dark money flooding every election..

  3. So, I register with the IRS just by requesting a copy of my transcript? If more, I don’t get it.

      • This link seems to be for tax professionals and related industries, not individuals seeking to control access to their tax records.

        The URL that you originally linked to seems to be the right one to control access to transcripts and other historic information.

        I was able to create two accounts (for wife and me) around noon. One of them took three runs at it – I don’t expect Government e-commerce to work very well and am rarely disappointed – but it did work.

        I was pleased to see that it seems to be able to swallow 20-character passwords, although it won’t accept a passphrase with spaces, though.

      • BTW did they just change the policy? I quote from the link you quote:

        “Provide your Adjusted Gross Income from the current or prior tax year;”

        This would effectively prevent the ‘trick’ crooks used. They cannot register to get your previous return data, as they would need that previous return data to register.

        If so compliments for the IRS for fixing it so quick!

        (Of course this is by far not ideal security, don’t get me wrong, but at least it stops this most obvious attack you describe in your post.)

      • The IRS has two different systems for getting transcripts online.

        As a commenter below has noted, IRS e-Services is for tax professionals. The link here looks like Step 1 in the process to become an Electronic Return Originator to e-file returns for clients. Another step in that process is getting fingerprinted and sending the card to the IRS. http://www.irs.gov/pub/irs-pdf/p3112.pdf The online transcript request tool at IRS e-Services only works if a tax pro has a Form 2848 Power of Attorney or Form 8821 Tax Information Authorization on file for a taxpayer. (Fax form to IRS, wait 3-5 biz days for processing.)

        The IRS Get Transcript tool is the one that’s available to the public. http://www.irs.gov/Individuals/Get-Transcript It sounds like that’s the one in the story here.

  4. I am surprised nobody brought up the LexisNexis compromise a couple of years back. With that data on the underground, it makes answering the questions a no-brainer.

  5. Franklin Antonio

    The IRS web site keeps changing. The above URL no longer works, but I found this one which does.

    https://sa.www4.irs.gov/eauth/pub/login.jsp

  6. If you have a credit freeze with Equifax, the IRS account creation process fails.

    You must unfreeze with Equifax before you can create the login account.

    Let me suggest creating an account with Social Security also, and enabling two-factor authentication with the SSN admin. — Before the fraudsters create a fraudulent account with that government agency also. Very similar.

    • Why do you need to unfreeze Equifax? I don’t understand? Thanks

      • He said IF you have a credit freeze.

      • It seems that the IRS process for setting up a new account must query credit information held by the credit bureaus as a means of posing authentication questions.

        For example, when I set mine up, it asked me when I purchased my house, the pay-off year and the monthly payment amount of a vehicle loan.

        I presume such information would be unavailable to the IRS account setup process if a credit freeze is in effect.

    • In order to create an online account with the SSA, you must temporarily unfreeze any security freeze with Experian.

      • My entire family was part of the Anthem hack. I put a fraud alert on my son’s credit and a freeze on myself and wife (we aren’t applying for credit and retired).
        I see that opening an account with the IRS and SSA by anyone even ourselves would mean lifting the credit freezes.

        I guess I am trying to say that IF by chance you don’t need a loan, credit card or mortgage or new job….. freeze or alert your accounts and unfreeze them as necessary.

        Could cost you $5-10 on the frozen accounts (nothing on the alerts) but this looks like part of the protection plan to me (not all but part).

  7. Just filled out the registration form but at the end it would not go through: “e-services data entry error window” as someone wrote earlier today. Sigh…

  8. I tried to create an account and learned that one already existed. I tried to retrieve the username and used Forgot UserID. No email has arrived at any mailbox of mine, 4 hours later.

    I called 800-829-1040 (10 minute wait) and spoke to Miss Kim (didn’t get her ID#). Miss Kim indicated that she could issue a transcript. I replied that I didn’t want a transcript, but I wanted to have access to my online account. She encouraged me to call the Helpdesk at 866-255-065.

    I called 866-255-0654 (15 minute wait) and spoke to 1000151726 Miss Stigner. Miss Stigner indicated that her department could not help with this type of request. She indicated that their assistance was limited to informing the taxpayer to reregister. I notified her that this did not work (account already exists error). She said I would need to talk to the people at 800-829-1040 for further assistance. She acknowledged that they’d already told me to call her, but said I should try again since I might get someone who is better informed.

    I called 800-829-1040 (15 minute wait) and spoke to Miss Harris 1000778225. I explained the multiple calls and asked for assistance. She too tried to brush aside the login issue and simply send me a fresh transcript. When I continued to press the online login issue, she stated that only the Helpdesk people could assist. I asked her what I should do about the repeatedly conflicting instructions. She said she didn’t know. I asked to speak to a supervisor. She said none was available but took my name and number indicating one would call within.

    I called the Helpdesk again at 866-255-0654 (10 minute wait) and spoke to Valencia 1000776505. Valencia was the first person who took some ownership over the runaround I’d gotten. She escalated me and warm-transferred me to level 2 with a case number. She indicated that level two would be able to delete the current account and permit me to reregister. Before she transferred me, she made the startling assertion that the Reregistration process on the web (which failed for me) was supposed to delete and overwrite any existing account.

    The transfer brought me to 100018279 Mr. Romeo Garza. Mr. Garza took my case number and immediately indicated that Valencia was wrong. His department can freeze an account for web access in the event of fraud, but it cannot delete an account. Mr. Garza also had the power to verify some interesting facts. He said that he found no account associated with my SSN. So, that was not the blocking factor(!). He did not have an email search tho, but after I gave him 2 possible addresses I might have registered from he contacted an internal developer(!) who ran a search and further asserted that no existing account was associated to those, either. This raises a question of what info is the cause of the claim that an account already exists.

    Romeo sent me back to the 800-829-1040 number. However, he gave me the secret combo of prompts necessary to get to the right team.

    Select language-2-1-4-2-SSN-then don’t hit anything

    This took me to a voice recording that described services that sounded like they might help. However, it also said they were so busy I couldn’t even wait on hold, and I would have to call back another time.

    >click<

    • Thank you for this, Matthew–I was wondering what my recourse was as I am having the same issue (claims account already exists, but no email to any of the accounts I currently have–spam or no–and I’ve only had 4 primary email addresses over my lifetime).

      I don’t like that the information used to supposedly ‘authenticate’ me is publicly available on the web. That rather defeats the purpose of ‘one-to-one’ authentication.

    • Did you ever figure out how to delete or reregister an account? This is still broken, and I haven’t found a way to resolve it.

  9. I’m a bit confused. Is it ONLY tax preparers that should/need to create an IRS account or should EVERYONE create an IRS acct as a safeguard? I have someone else do my filing for me and e-file my tax return to the IRS.

  10. Authentication

    The US doesn’t have a robust way to authenticate, it’s clear.

    The static identifiers are no good.

    It’s interesting to look at how Estonia and Korea have done it.

    For example:
    http://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge?zid=307&ah=5e80419d1bc9821ebe173f4f0f060a07

  11. Gary Gulbransen

    Brian I believe the e-services account http://www.irs.gov/uac/Step-1-Create-an-IRS-e-services-Account is only for tax professionals.
    However, if you e-filed 2013 you selected a “self-service PIN” for future use..
    You can request a PIN using the information from your 2013 return (SS#, DOB, filing status and exact address) …that should block scammers.

  12. Easy solution:

    Lower your withholding and/or quarterly payments such that you always owe money on April 15. File your income taxes via certified mail.

    Let the IRS worry about how easily it sends out those refunds!

    Bonus advice: ID theft is an eventuality. 100% protection is an illusion. Freeze your CBIs and don’t write personal checks. Don’t sign up for credit protection and limit your loan applications.

    • I agree Comaboy!

      I can appreciate that people dread paying a big check to the IRS for owing taxes, but that’s my solution to this whole fraud scam.

      Put free tax alerts on your credit as well. It’s real easy to do online, just renew them before the end of the 3rd month and lift the alert when the credit bureaus alert you to a legit reason! Does not affect your credit score at all or so claims the credit agencies and if you alert one of them they all get alerted by law. Works great.

      OR, if you don’t foresee needing a loan or work related contact with the credit agencies… just pay a few bucks and temporarily freeze your account but you need to do it with each credit company.

      • “I can appreciate that people dread paying a big check to the IRS for owing taxes, but that’s my solution to this whole fraud scam. ”

        I do hope you realize that having a balance due when you file your taxes won’t prevent fraudsters from filing a fraudulent tax return in your name and claiming a huge refund. The only way you can prevent tax return fraud is by filing your taxes before a fraudster files one for you.

  13. This might sound silly, but it occurs to me that one way to defeat the online discovery of correct answers to KBAs such as mother’s maiden name would be to deliberately provide FALSE data as answers to such questions (and not publicize the fact, obviously).

    In this way, anyone who attempted to use the correct answer to such a question would be unable to make progress in stealing your identity.

    So, for example, you might provide the answer “iwlaac06” when creating a KBA to the question “what is your mother’s maiden name?”

    Obviously you’ll need to remember in future that that’s what you did – and the same rules would apply as for password creation (i.e., don’t use any term that’s associated with you, such as a pet’s name or your date of birth, or even leetspeak versions of the correct data).

    As I say, it sounds silly. But it strikes me that it’s a very simple but effective way to create a multi-level password system to try and protect your identity.

    Any thoughts?

    • Wouldn’t work for this, as those KBAs are pulled from your credit file. It does help if you’re the one supplying answers for those “Forgot Password?” questions.

    • I think it depends on whether they check any answers provided by you against what they know about you, such as address, SSN, Zip Code, etc. Perhaps that is what is meant by “out of wallet” questions.

      Your suggestion about providing incorrect answers to questions like “what was your first pet’s name?” would work. Much of that kind of info might be on FaceBook.

  14. Is creating an IRS “e-services-Account” only for those who file online?

  15. This is happening to me right now. I was alerted about possible identity theft by the IRS in January. I suspect Intuit Turbo Tax, which I have used for a couple years, is somehow involved. An unrelated (?) company that seems to be a collection agency has sent me a bill in the name of Turbo Tax. Apparently, one can ask Turbo Tax to deduct the cost of filing from the refund. Since I responded quickly enough to the IRS, the refund seems to have been frozen. When Turbo Tax didn’t receive its share, it decided to send the bill out to collections. Of course, the bill could be further attempt at fraud. I have no idea how my info got loose in the wild. I have had my credit card info stolen a couple of times, but this is another level altogether. Back to the relatively expensive CPA next year.

  16. This is a timely post. I literally last week received a notice from the IRS that my refund direct deposit had been rejected and they were sending me the check. The problem was I hadn’t filed yet. The check arrived by mail 2 days later. Luckily the crooks didn’t get the money. I’m left in a quandary about whether to cash the check or not. In the meantime I’ve been on the phone with the IRS and have started jumping through their hoops. I’ll have to file my taxes anyway by mail along with the form 14039 indicating I’ve been frauded.
    Another fallout from this is I tried to create an IRS login after seeing this blog post. I failed because someone already created one in my name and SSN. I expect that correcting this alone will be very painful.

    • You and I are in the same boat. I just tried to e-file and got the rejection. I’ll have to file 14039 and file by paper. Tried to create an IRS account but that’s been created too. I am so upset right now. How can people do this to each other. IDK what I’ll do about the state refund.

  17. About paying the IRS $50 to process a Form 4506 Request for Copy of Tax Return: That is for getting an actual COPY of the tax return.

    COPY is different than TRANSCRIPT.

    A transcript is just a list of tax form lines and dollar values for them. It looks more like a Table of Contents than like tax return forms.

    And, the IRS will send transcripts for free if you need one. Use Form 4506-T instead of Form 4506. http://www.irs.gov/pub/irs-pdf/f4506t.pdf Or, use the “Get Transcript” tool on their website.

    Some banks prefer a transcript over a return when verifying a prospective borrower’s income, since it shows not just what the taxpayer sent to the IRS, but rather what actually ended up in the IRS systems.

  18. Unable to create an account, tells me my info is already there. But it won’t send me an email when I give them my email. So, either I can’t recall my userId/password (possible) or I’ve already been registered.

  19. I have an easy way to prevent this nightmare. I make sure that every year I owe money to the IRS. So if they tell me they already have a filing for me. I just wait for them to fix it if they want that fake return back and my money. Never hear from them again.

  20. The site is working now. I encountered a few difficulties signing up though that I want to share. The password requires ‘at least one number and one special character.’ However, my pw had too many of each and it was rejected. I changed to only one of each and it was accepted then. They also ask for a site phrase. The phrase generated by the program PWGen included numbers and a special character and was rejected. Removing those allowed me to register.

    The error messages were misleading. The password error said the pw was not compliant, even though the box next to it was highlighted in green, indicating I met the criteria. The phrase error message said it had to be less than 50 characters, even though it was only about 20.

  21. Doesn’t matter if you create an account. If you type the wrong password three times it locks you out and offers to re-register using the same braindead non-authentication.

  22. The money mule should be prosecuted. She was stupid enough to handle a clearly illegitimate processing of money and didn’t have enough common sense to think “oh, I’m getting an IRS tax return that isn’t mine and sending it on?”

    I’m sorry, no. Being stupid should be a crime if you’re THAT stupid.

    • It is outrageous this woman isn’t in jail. I hope our Taxpayer is able to sue her.

      She deserves to be in jail for a long time.

      • This happened to me as well. I suspected it was a breach of irs.gov as I could not get a password reset through email. I made calls to local law enforcement and the irs. The worst part is the government will not go after these people. I think they should take anybody who had involvement with these frauds and hang them high.

  23. I tried to create an account at the irs.gov website and answered all questions then this occurred.

    ——————————————————————————–

    JBWEB000309: type JBWEB000066: Exception report

    JBWEB000068: message java.lang.NullPointerException

    JBWEB000069: description JBWEB000145: The server encountered an internal error that prevented it from fulfilling this request.

    JBWEB000070: exception

    org.apache.jasper.JasperException: java.lang.NullPointerException
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:409)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

    JBWEB000071: root cause

    java.lang.NullPointerException
    gov.irs.eauth.CreateProfileProxy.getFormFields(CreateProfileProxy.java:133)
    gov.irs.eauth.ProxyObject.process(ProxyObject.java:103)
    org.apache.jsp.pub.common.eauthController_jsp._jspService(eauthController_jsp.java:155)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

    JBWEB000072: note JBWEB000073: The full stack trace of the root cause is available in the JBoss Web/7.4.9.Final-redhat-1 logs.

    ——————————————————————————–

    What’s going on at IRS

  24. I can’t thank you enough for this article. It’s happening to me right now; I tried to e-file our tax returns via TurboTax this morning and couldn’t because someone else had already filed with our SSNs. Thanks to the info here I now have a transcript of the fraudulent return, and have sent for an actual copy of it so I can get the bank account number to turn over to the police. My husband and I have spent the entire day dealing with all the identity theft stuff, and I’m sure it’s only the beginning.

  25. Brian, I noticed that the earlier question of whether EFTPS Online payments registration done to make estimated tax payments is the same as registering on the IRS website? I am registered to make estimated taxes. Do I also need to register on the IRS website?

    As Always,
    Thanks

    • EFTPS is for making tax payments.

      The “Get Transcript” tool mentioned in the article is for getting copies of the info IRS has on file from past filings. This way, if someone wants to see account history with filings and payments, or a list of their Forms W2, 1099, etc, they just do it online instead of calling the IRS and waiting on hold for 30 mins (on a good day) to find someone who can fax them the info.

      So yes, EFTPS and Get Transcript are completely different systems.

  26. Why isn’t this evil woman behind bars? Welcome to Barack Obama’s America, where criminals aren’t punished, and innocent taxpayers are made to suffer.

    • Robert…….Or to George Bush Jr.’s America where a financial meltdown in 2008 resulted in business too big to fail, golden parachutes for finance execs and guess what…. NO criminal prosecutions and the taxpayer got hammered for the bill.

  27. Why are you withholding the criminal’s name? If you know for a fact she was involved, she can’t sue you. PRINT HER NAME so future prospective employers will know she’s a FRAUDSTER.

    • Until she is CONVICTED in a court of law, she can NOT be considered “guilty” – and there is good reason why we have this process codified in our Constitution. Far too many people are ready to “hang ’em high” without irrefutable proof of guilt which has cost too many innocents their lives (figuratively and even literally). Mob justice tends to be mindlessly vicious – I’ve seen plenty of evidence of that especially online! That is why we don’t get to decide. Brian is wise to withhold her name.

  28. As to how they obtained your last year’s tax return information, I can tell you… TurboTax. A couple of weeks ago, I received a thank-you email from them saying “Thank-you for your question: What was my last years AGI?” How would you rate our service. I immediately called them and demanded to know what was said on the call. The customer service rep advised me they didn’t record that kind of information, but the last words were “Have I provided you with all the needed information? Yes, great, I hope you have a nice day”. I then spent two hours on the phone waiting for their “head of security” only to be told I would get a call back. This call back was never received and getting through to someone has been like talking to a wall. While waiting for their “head of security”, I changed all my information with the IRS and anywhere I could think. Interestingly enough, they never asked me for any confirmation of who I was, even though this was a call about their lax security.

  29. Just tried to e-file and found out someone already filed taxes with my taxpayer ID. I suspect I know where the data breach happened for me, but I had been monitoring my credit reports and nothing happened. Last week I received a Green Dot card in the mail, which I never signed up for, so I called them and cancelled that. And told them not to allow any cards to ever be opened with my information.
    Anyways just to clarify:

    1) is to call the IRS? And tell them what happened? The person also signed up for an IRS account so I’ll tell them to freeze the e-services? Or will they do that after receiving form 14039 from me in the mail?

    2) ask for a transcript and then a copy of the false return? Then provide local law enforcement with the copy? Should I also file a police report now?

    3) how does this affect my state refunds?

    4) do I get my refund? Or does the IRS basically say tough luck and move on?

    Any answers would be helpful. I can’t even try to register for an SSA account right now but I have a sinking feeling right now.

    I am so upset right now.

  30. FK has a good point–what is the recourse to all of this?

    If you go by the IRS’ own admissions for their phone banks, a wait of over an hour would not be uncommon, and a lot of us don’t have that sort of time during the work day. That’s assuming you even get a person on the phone.

    Do we simply have a perpetual credit freeze on our accounts so that miscreants, to borrow one of Brian’s favorite terms, cannot access prior tax returns using the IRS’ admittedly lax authentication standards?

    It appears simply owing the IRS money doesn’t deter the thieves–I owe money, yet my account appears to have been compromised as well. (Funny how that works.)

    At this point, it looks like–correct me if I’m wrong–the only reasonable recourse is to file for a transcript, then when it arrives file form 14039 plus your tax return by paper, contact the bank and file a police report, and hope for the best?

    • Quoting @Gnecht

      > Here’s what the IRS says to do.
      > http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

      Note that the transcript isn’t listed on the list of instructions, and many seem to indicate you can file the 14039 pretty eagerly (instead of just waiting for the notice from the IRS).

      Those instructions include:
      http://www.identitytheft.gov/
      (sadly, this server doesn’t even offer SSL) which redirects to (the insecure version of):
      https://www.consumer.ftc.gov/features/feature-0014-identity-theft

      Those instructions include placing a fraud alert (and renewing it every 90 days).

      Personally, to the best of my knowledge, I haven’t yet been impacted by an actual fraud against my details, but I’d encourage everyone to place a freeze on their reports w/ the 4 major bureaus (you unfortunately will probably get to do this after you do the more urgent cleanup). Freezes, unlike fraud alerts, don’t go away automatically; they last until you temporarily lift them or permanently remove them (I don’t know of any circumstances where it makes sense to permanently lift them).