March 30, 2015

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania, whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)  — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Update, 10:46 p.m., ET: The link included in the first paragraph of this story directing readers to create an account with the IRS is currently returning the message: “We are currently experiencing technical issues and unable to process new registrations.”


286 thoughts on “Sign Up at irs.gov Before Crooks Do It For You”

  1. Antony

    When signing up for the IRS website I kept getting an ‘enter valid password’ error despite the grey box next to where you enter the password showing green for each password rule.
    I started out with a 21 character random password, dropped it to 18 got the same result and then dropped it to 13 and it was accepted.
    Appears they forgot one other password rule … the maximum length.

    1. Peter

      A password longer than the hash (or crypto) size used to store it, is useless as it is not making a password stronger. Remember length only protects you against the event someone steals the password database and tries to reverse engineer the hashes to passwords. All passwords long or short are mapped onto a hash equal to the storage algorithm’s crypto/hash-bitsize. Shorter means zero filled, but longer just means it has an unknown equivalent of maximum that size as well.

      As soon as you hit ballpark 12 characters longer is not the thing you need to worry about. More random is. Pure 100% machine generated random of the same size as the hash-algorithm used is then the strongest theoretical password possible.

      BTW the magic number at the IRS is likely 16 characters or 128bits. 🙂

      1. Allan Jude

        If the IRS was using a proper cryptographic hash, like sha512crypt or bcrypt, it could take any length password, and generate a same-length hash. That is how hashes work. The MD in MD5 stands for “Message Digest”, it digests the message down into a small fingerprint. You can create a sha512 hash of a 16 character string, or a 16 GB disk image, and it will come out as the same length hash.
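The fixed-length behaviour described in the comment above, as an added example that is not part of the original thread or the IRS's code: a salted password store that accepts any length and any characters (spaces and backslashes included) and always produces a 64-byte digest. PBKDF2-HMAC-SHA512 from the Python standard library stands in here for the sha512crypt/bcrypt schemes the comment names; the function names, iteration count and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this sketch; nothing here is taken from the IRS site.
ITERATIONS = 210_000
SALT_BYTES = 16

# Constructed sample passwords: 13 and 21 random characters, a passphrase
# with spaces, and one containing a backslash.
SAMPLES = [
    "Tr0ub4dor&3x!",
    "k9#Lm2$Qw7!Zx4@Vb8%Np",
    "correct horse battery staple",
    r"back\slash and spaces ok",
]


def hash_password(password, salt=None):
    """Return (salt, digest). No maximum length, no forbidden characters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    # Normalise Unicode so the same passphrase matches across keyboards.
    # Deliberately no lower-casing, trimming or character stripping.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha512", data, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def digest_lengths(passwords):
    """Digest size in bytes for each password; identical whatever the input length."""
    return [len(hash_password(p)[1]) for p in passwords]


if __name__ == "__main__":
    for pw, size in zip(SAMPLES, digest_lengths(SAMPLES)):
        print(f"{len(pw):>3} chars -> {size} byte digest")
```

bcrypt itself reads only the first 72 bytes of its input, so a site that wants to accept longer passphrases with it has to account for that limit rather than reject the password with a generic error.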

      2. Frank

        I kept having trouble with the passphrase. The site kept telling me it had to be 50 characters or less. Of course my passphrase was much shorter than 50 characters, but the site insisted it wasn’t. Finally, I tried a phrase with no spaces in it and I was able to register. Crappy back end code, indeed. Useful error messages would help.

        Then it also depopulated almost all the other fields in spite of only 1 being “wrong.” I have to enter all that stuff over and over. I also discovered that they lower-case all your answers to security questions. Those type questions are already insecure, but way to go IRS, you figured out how to make them even less secure. If they were a business, they would be out of business. But because they’re government, they can continue to make an unholy mess and pay no consequences. Shameful.

    2. Rob Warner

      I’ve tried about 12 times, and no matter how long I make my password, how closely I scrutinize the password rules and compare them to what I’m entering, or how green the checkmarks are that say my passwords are valid, I get “Please enter a valid password.”

    3. Erik

      I tried 30+ characters and was denied. 24 random characters worked just fine though.

    4. jack

      I was having fits getting the irs website to accept my password. Then I tried manually entering the list of special characters into my password generating software, thus removing “\”, and everything worked fine. The irs web site could handle an 18 character password easily. I didn’t try longer passwords, figured 18 is enough. Try fiddling with your special characters if you’re having problems.

  2. Trevor Worly

    I did create my account on the IRS website.
    But Mr. Krebs: What’s the purpose behind creating this account? How will it help me in the future?
    Also it appears that the SSA also has an option to create an account.
    Should I create an account there too to protect myself?

    1. timeless

      You’re creating these accounts to prevent someone else from answering trivially answerable questions to create accounts in your “name”.

      In the case of the SSA account (which you should create), once someone has that account, they can redirect payouts from it at the very least.

      One important thing you can do w/ the SSA account is start your benefits.

      Historically the standard retirement age was 65. You could choose to take your benefits a couple of years earlier, doing so would result in a steep penalty against your future payout. A fraudster won’t mind taking money now at the risk of not being able to take as much money from you later. But I would not want to try to undo the trigger of this early start — I can’t imagine it would be fun, since the clock would have started as soon as someone triggers it for your SSN.

      — This is an argument against saying “I can’t retire yet, I’m only 60, there’s nothing a fraudster can do with my account” — since, at least a couple of years before the age that you’d plan to retire, they *could* do something. And if they redirect your SSA reports (and you aren’t actively looking for them), you could easily not notice that this has happened.

      And, of course, if you are already receiving benefits, you’re probably relying on them as a key source of income, probably to make automatic payments for various things — if your money gets redirected, then all of a sudden, your payments will start bouncing, and that’s a real mess to clean up.


      I think Brian’s article here does a good enough job explaining what a fraudster can do with an IRS account — by creating the IRS account, you’re protecting yourself from someone doing the same to you — and it’s clearly an active attack, this isn’t a one-off thing, I’m sorry for Michael Kasper, but at least this Michael Kasper isn’t famous, so it isn’t likely that he was specifically targeted (unlike @mat).

  3. robert

    Brian Krebs:

    Why do you identify the person who created Anti-detect, but you won’t print the name of the woman who stole money from the IRS, the Federal Reserve, and this identity theft victim?

    1. timeless

      The people who create sites for the express purpose of committing fraud have shown intent.

      Mules, such as this woman, are essentially unwitting accomplices.

      Imagine going to a store and buying something for $27.89 (including taxes), and presenting the cashier with a 50 dollar bill. The cashier gives you change. You then go to another store (or a bank) and pay for something costing $21.03, and present a bill you received from the first store. The cashier here inspects the bill and claims that it’s a fake. Should you be prosecuted?

      We normally would say that you didn’t know the bill you got was counterfeit, had no reason to believe it was, and acted in good faith.

      http://www.criminaldefenselawyer.com/resources/can-i-be-charged-with-using-counterfeit-money-if-i-di

      Brian treats mules, like this woman the same way you would want to be treated if you unknowingly handled a fake bill — you didn’t realize what you were doing was wrong, she didn’t realize what she was doing was wrong. If you aren’t going to be charged, you should be entitled to some privacy — which you could waive if you choose (hence Brian will ask you questions, — and yes, he covers counterfeiting in addition to IRS crime… — including permission to use your name).

      1. CAMERON

        I completely understand what you’re saying, but to ME, it does not seem plausible that maybe for a second someone didn’t think to themselves something was wrong with going on CL, getting random large sums of money deposited into their accounts and then thusly dispersing the money throughout NIGERIA. Come on.

        I remember being a 12 year old with my own email account and receiving emails from people from overseas who needed me to deposit money, withdraw it etc etc, and I thought to myself, “That doesn’t make any sense” and then deleting the email.

          1. Joe Friday

            So true. My work involves detecting fraud, and because of it, I have developed much respect for Nigerian fraudsters. They are amateur psychologists as well as being pretty good crooks. Their methods are clumsy, but by God, they find some sucker.

  4. Jackie

    You can go directly to https://sa.www4.irs.gov/eauth/pub/login.jsp to create a login. I’m worried, though, because when I did so, it said I already had a login and gave me the option to send my username to the email address on the account. When I did so, I didn’t receive my username. I wonder if someone registered on my behalf as well, but I’m not quite sure how to find out.

    1. David

      Aaaaand same here also. Hoping there’s something wrong with the website.

        1. Tom

          Me too, more or less. They locked me out, saying that my information didn’t match their file.

          1. rjh

            I got the same response when I tried to create an account.

            1. Dave

              Worked for me, so that is a bad sign for the above folks. I wonder how many fraudulent accounts are registered?

              1. .Q

                Even if an account is already created in your name, you can “reregister” using the link on the “email me” page. While it does take you back to the same registration page you initially completed, you can complete the process again and successfully get to your information. (Of course it is also trivial to hijack an existing account using this method.)

                1. Sean

                  I tried this and it is just an endless loop of “you’ve already registered, retrieve your info”, then I try to reregister, then it’s right back where I started from.

    2. So stung that I don't want to give my name

      Well… my husband and I found out that we’re victims of this type of fraud when our e-filed return was rejected last week. We tried to make an account on the IRS site, but accounts had already been created for both our SSNs, but not by us of course. Today, I was able to log in as a guest, using the KBA method, and retrieve the transcript of the false tax return — it was unbelievably easy! Long story short, we too have to fill out IRS form 4506 and spend $50 to get a hard copy of the false return to hopefully track down where the refund was sent. And now, after a full day of calling banks, credit agencies, filing police reports, etc., we have to call the IRS back to put a lock on the online transcripts. Oh, and did you know that if you have dependents, their SSNs are also on your tax transcripts for all the criminal world to see? BRILLIANT, IRS!!! Absolutely, BRILLIANT!!!

      1. Heron

        Good luck, “stung.” Sorry you’re having to go through this.

    3. Megan

      Same. Can anyone post if they find a resolution to this issue? I am planning to call them up at 800-876-1715 tomorrow morning.

      1. Josh

        I have tried calling multiple numbers and am getting the automated system run-around. A couple times I have been put on hold for 30-60 minutes, but due to being at work I can’t stay on the call for that length of time. My last attempt ended with a “due to the unusually high volume of calls on your topic we cannot handle your call at this time”.

        I have tried these numbers:
        866-255-0654
        800-829-1040 (and followed the following selections after selecting my language: 2-1-4-2)
        800-876-1715

        If anyone else has a different outcome I’d like to hear it. I’m expecting to need to *pay* taxes this year so I’m probably worrying for nothing, but this is still frustrating.

      2. Me again

        I’m sending off a letter to the IRS commissioner about it. If enough of us do the same thing, maybe the IRS will change this.

        1. Mugged

          My family had our accounts and tax submissions hijacked too.

          The US Gov is $18 trillion dollars in debt and losing $100 billions a year, I don’t think they care about a few thousand here and there.

    4. Joe

      When I clicked “email me my userid”, and entered my email address, it said email sent, but nothing showed up. Years back, I had requested paper transcripts, and thought that I may have had an account back then.
      Anyway, I was able to create a new account, and found out that the userid has to be at least 8 characters long. The userid I entered in the “email me” dialog was less than that. Looks as if they don’t check any error returns from their database. Crappy backend code…

      1. Larry Truesdale

        +1 on “Crappy backend code…”

        The “Recover userid” pages kept referring me to “re-register” pages and vice versa. Finally found that a misleading error message was the culprit.

        While trying to re-register, it returned a “your information is already in our system, use the recover userid link to log in” (paraphrased) error message. The real problem was that I was overlooking the “country” drop-down for my address and had not set it.

        After finding and setting the “country” field, the process continued and account was set up.

    5. javaman07

      Same thing for me. I cannot create an account, and I’ve tried three of my email addresses and it says it’s sending the email to the account, but I never receive anything.

  5. Chris

    I believe this actually happened to me this year.

    A month or so ago I received a check for a tax refund. Since I hadn’t filed yet, I figured it was a fake check but looked online for the watermarks to look for. Sure enough after checking the watermarks and calling Dept of Treasury, it was a valid check for “my” tax refund.

    After freaking out for a bit, I signed up at the IRS transcript site (talked about in this article) so I could find a copy of the filed return. Either the whole “can’t register the same SSN twice” security wasn’t in place at that time, or they registered with my wife’s (married filing jointly) because I was able to register without issue. And there it was: a tax year 2014 filed return.

    Comparing the fraudulent TY2014 to the TY2013 I filed myself showed basically what was in this article….they mucked with the numbers to bump the AGI up just a bit and the reported deductions differently (presumably because the worksheets behind deductions aren’t included, so they couldn’t match last year’s)

    The direct deposit was attempted but failed, I’m guessing the account was closed either on purpose (leave an account open for a few days and hope the money hits it just right) or because they got caught by someone and that triggered the account to be closed. Because of the failed deposit, a check was sent to the taxpayer (me)….so at least we aren’t out the amount of our return, but we now have to file by paper along with an identity theft form. And it will take up to 6 months for the IRS to figure out whose filing is the legit one and then process our refund. Luckily we aren’t hurting for the money.

    Once I saw just how much info can be gleaned from that website, I had told quite a few people about it. Now a month later it looks like it might be a key to the high number of fraudulent returns….this has happened a LOT on the east coast lately.

  6. Trevor Worly

    Mr. Brian Krebs: What’s the purpose behind creating this account? Is it only, so that, crooks won’t get to access my tax transcripts?

    1. TErickson

      The thought is to disrupt their ability to create one for you and link it to their email address. It sounds like it’s far harder to reclaim an account later, trying to prove you are you. The signup was surprisingly easy and used information that would not be hard to obtain. Not sure how much I like all of that information on me being right there, ripe for the picking. ::sigh::

  7. wcjackson

    Hi Everyone,

    Prior to my current position as a fraud analyst for a large corporation, I worked as a fraud investigator specializing in identity theft. I provided consultation to people that suspected identity theft (including tax fraud) and I worked to restore stolen identities to pre-theft status.

    I counseled hundreds of people on tax fraud every year, and if anyone has issues with this, or simply has questions, I would be happy to offer my insights and experience with the matter. I won’t ask for any personally identifiable information, I can simply walk you through the process of getting it fixed in the most expedient manner possible.

    I’m a PI and a Certified Fraud Examiner, as well as Fair Credit Reporting Act certified by the CDIA, and while I no longer work in the identity theft restoration business, if I can be of assistance to anyone who has questions or is going through an identity theft situation, I would certainly be happy to help!

    If you want to reach out to me: wjackson224@gmail.com.

    Thanks!

    Whitney

  8. jim garlow

    Brian, thank you for this site. I just followed the link at the top of this story and completed the create login. Without any problems. good luck people

  9. Dan

    I attempted to set up an account at IRS.gov and was stopped because I have a credit freeze at Experian. I suspect this is to allow the IRS to ask additional verification questions. It is interesting that Experian knows more about us than the IRS.
    My wife, who has a fraud alert rather than a freeze, was able to establish an account. I was relieved to see that no 2014 return had been filed.

  10. Frank Parth

    I was the victim of ID theft earlier this year. They went through mailboxes in my neighborhood and stole mail that they used to apply for credit cards in my name. We caught them (turns out it was a well-known Vietnamese gang in Orange County, CA) because they hired someone to wait for the FedEx delivery on the cell phones they ordered. Filed all the police reports but ID theft is a low priority for the local police departments.

    I was worried they would try to file a phony IRS refund in my name, so based on this article I created my own account to keep anyone else from doing it.

  11. Roy

    The link (below) to register doesn’t work for me. When I click “send email confirmation code” I get a new page saying: “A technical problem has occurred. Please try your request again later.”

    I’ve tried numerous times with both chrome and firefox.

    Gurus of security, any ideas?

    Link that doesn’t work: https://sa.www4.irs.gov/eauth/pub/login.jsp

    1. CN

      I went to that link numerous times, and got the same error every time.

      Then I used the link at the very beginning of Brian’s article, and clicked on “Online Transcript”. That took me to an identical-looking login page, which worked the first time.

      I got the result I was hoping for. My identity could not be verified, because my credit reports are frozen. Now I feel safer.

  12. cookie nadal

    My return was stolen this year. My question is: I already had a security freeze on my account at Equifax and other agencies. Does this mean that the ID thieves did not get my info by this tax transcript online method?

    Also, are there any real advantages to knowing where your stolen money went? I am just waiting for the IRS to resolve the case as I filled out 14039.

    1. Peter

      It is not YOUR money or return they steal. They can file a fake refund return even if you owe money.

      So the real question is indeed where did they get your data. If you had a security freeze, then the answer is indeed not through the transcript system.

      One possible answer is getting a copy (or transcript) of your return and checking what numbers they used. If they used fake data, they likely did not get their hands on your W2.
      If they used data close to reality and for instance used last year’s AGI and bumped it up a bit, then they probably stole your W2 and I would look at your employer, payroll company or anyone you provided a transcript to (e.g. lenders etc).

      But it is often hard to trace down where it happened.

  13. Soy Tenley

    This appeared on Yahoo Finance on March 30. I just read it today, April 1.
    http://finance.yahoo.com/news/what-to-do-if-your-identity-has-been-stolen-170112261.html
    Tax fraud and identity theft: How to protect yourself
    By Aaron Task March 30, 2015 1:01 PM

    We live in an age of cyber-insecurity but I recently got a troubling reminder of the “old-fashioned” risk of identity theft when I received the following email from my accountant: {begin italics} “I am GREATLY concerned, your tax package arrived this morning and the envelope was completely opened when delivered to our office by the mailman. There were only 16 pages in the envelope and no W-2 or any other documents.” {end italics} (Emphasis his.)

    Yowser.

    The last sentence :
    Free monitoring can’t hurt but “the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America,” writes security expert Brian Krebs. { http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/ }

  14. M Whitener

    Much of this is due to the 80 million SSN / birthdate / names leaked by Anthem. 1/3 of Missourians, and others, are affected.

  15. EAB

    If I create an account with the IRS, will that interfere with my tax preparer e-submitting my tax documents?

    1. Gnecht

      Will creating a “Get Transcript” account interfere with IRS’ e-file system? No, not at all. The systems are unrelated.

  16. Freddie

    To me, it verges on unbelievable that we citizens are reduced to taking these sorts of defensive steps to prevent government entities from giving away our PII and money to fraudsters or, having failed to proactively do so, are being reduced to investigating these losses ourselves.

    I mean, I’m not at all faulting those of us including myself who are taking these steps.

    I’m asking, is it just me or does this situation seem like the tail wagging the dog in the sense that the government seems to have not the slightest regard for even the minimal level of PII protection they require of the private sector?

    It seems to me if any private-sector entity was treating their customers’ PII so cavalierly, there would be calls by the media as well as members of the legislative and executive branches themselves for more consumer PII protection.

    In the larger scheme of things, is this not really that widespread of a problem as to have captured the attention of the media, lawmakers, etc.?

    It seems sort of ironic to me that the folks who managed to work themselves into such high dudgeon as they did when it seemed the IRS was targeting certain non-profits a year or two ago for engaging in forbidden activities such as lobbying have either not yet caught wind of this latest IRS debacle or have not yet deemed it to be sufficiently egregious to warrant their taking up the flag.

  17. Ryan

    Some Success!! I was able to reclaim my and my wife’s tax transcript accounts!

    So, I called their Electronic Products & Support number at: 866.255.0654. After telling them that I am a victim of ID theft, they created a case number and elevated me to Tier 2 support where we were eventually able to reclaim my transcript account.

    First, try to reclaim it yourself by going to here: http://www.irs.gov/Individuals/Get-Transcript and clicking on the large button at mid-lower left titled “Get Online Transcript”. At the next page, under “Login”, click Forgot UserID. On the subsequent page, don’t bother completing the info, just click: “reregister”. Then follow the rest of the process.

    Step 3 of 6 appears to be the critical point. If you are stuck here with “The provided info does not match what we have on file”, I think you will need to call the number above.

    I did this for me and it worked just fine. However, for my wife, due to “a technical issue”, the guy on the phone (at the number above) had to do something behind the scenes for her. I have no idea what he did, but it allowed us to complete the re-registration steps for her info.

    Good luck everyone!

    1. Me again

      The two IRS fraud agents I spoke with didn’t offer this, so that’s good news. I’m wondering though, since the crooks had enough info to create the account in the first place, how do we keep ’em from calling Electronic Products & Support number and reregistering the account using another fraud address. What I want to see, is the ability for individual tax-payers to block online access to their own tax transcripts. The IRS has a responsibility to keep our data safe. If I don’t want online access to my tax transcripts, due to identity theft, that feature should be disabled on my account at my request.

      1. Ryan

        According to the agent I spoke with, you can do this by having a security freeze put onto your credit report. Which is fine, but, as you suggest, the IRS should provide some way to accomplish this without going through the credit bureaus. A credit freeze, of course, has many other implications beyond stopping someone from registering my account at the IRS.

  18. Narda

    Count me in as another IRS fraud case! Looks like the update shows that there has been a big hit to the IRS with all the people calling in! We went through H&R Block, shouldn’t they be liable if a fraudulent tax return is filed? Shouldn’t the IRS be able to match your withholding with your return? Don’t they figure your tax return against the employers reported amount? We didn’t have the same employers last year as the year before. Please Krebs keep us up-to-date on this bombardment of the IRS extracting our TAX REFUNDS!

  19. Dawn

    I am a CPA and tried to set up an account with the IRS. I was blocked because I have a security freeze on my account. The security freeze prevents strangers from being able to set up an account with the IRS in my name. This is an unexpected welcome benefit of the security freeze. Everyone should freeze their credit. Credit monitoring does not prevent i.d. theft. Monitoring only informs you after the damage has been done. I work for a CPA firm and frequently our clients are victims of I.D. theft. Protect yourself and freeze your credit. The cost is minimal compared to the effort of trying to clean your credit after it has been hijacked.

  20. Bob Nicol

    Just how do I freeze my “security” account? A security freeze you called it.

  21. Pascal

    Great article and superb comments to all.
    I could register an account at the IRS and will do a freeze on my credit. It’s about $10 each credit bureau.
    Less hassle than cleaning up an ID theft later.

  22. me again

    I’m wondering, how many of us who were victims of this particular type of identity theft were Anthem subscribers, either now or sometime in the past 10 years. For what it’s worth, I was a member but I switched providers 7 to 8 years ago.

    The thing that really irks me is that no matter how careful I am about protecting my personal data, and I’ve always been careful/paranoid about this stuff, there is nothing I can do to keep Anthem or other companies that are mind-bogglingly lax about security from repeating this in the future. >:-(

  23. Jonathan Greenberg

    On 4/1/15, I successfully created an account to get transcripts online. I was able to login to the account again on 4/2/15. Today, 4/5/15, I attempted to login again and got the following message.

    “The information you entered does not match our records. Please verify your information and try again.”

    I verified my information and tried again, but still got the same message.

    Next, I attempted to retrieve my User ID by using the “Forgot User ID” option. I got the following message.

    “Your User ID has been sent to the email address we have on record. You must retrieve your User ID from your email and then sign in to continue.”

    I did not receive the email, so I tried to retrieve my User ID again, but still didn’t receive the email.

    Has anyone else successfully created an account that worked initially, but later wasn’t able to login because of the following message?

    “The information you entered does not match our records. Please verify your information and try again.”

    1. Freddie

      I had a similar but not identical problem to yours.

      I set up an account quickly with not the strongest password ever. I verified I could login with the ID and password.

      Later, I logged in successfully then went into profile and changed the password to a longer, stronger password and it stated it had accepted and changed the password.

      So far, so good.

      Then I tried multiple times to log in, copy/pasting the ID and new password and received ‘information does not match, try again’ each time.

      I wound up doing the ‘forgot password’ routine but had no problems changing it again and logging in to verify.

      I chalked it up to sloppy web site programming on the part of the IRS.

      1. Jonathan Greenberg

        Thanks for replying!

        I contacted the IRS hotline on 4/6/15 at 888-841-4648 and explained the issue of not being able to login with the user ID that I created on 4/1/15 and also not receiving the email when I attempted to retrieve my user ID. My issue was then escalated to “Level 2” and I was transferred to an analyst. The analyst verified that my user ID wasn’t the same as the ID that I initially created. She recommended that I authorize her to deactivate my account and suggested that I submit an Identity Theft Affidavit, Form 14039, to the IRS, if I was concerned that my identity had been stolen.

        1. Jonathan Greenberg

          As a precaution, I requested that online account access, corresponding to my SSN & user ID and PIN be deactivated and they deactivated it. The IRS is currently looking into how my user ID got changed (was it caused by a glitch or did someone log in and change my user ID?)…also looking into why the system didn’t email me the user ID when I attempted to retrieve it (was my email address changed also?).

          Just got a call from the IRS — they highly recommended that I submit the Identity Theft Affidavit — they would not go into any more detail or answer any more of my questions about what happened.

          1. Jonathan Greenberg

            I got the phone number from the following email I received from the IRS on 4/3/15 at 7:04 p.m.

            “Dear user,

            A user registration has been performed on IRS online services per your request. If you did not perform this registration, please contact us at 888-841-4648.

            This is an automated email. Please do not reply.

            IRS will never initiate contact through email asking taxpayers for personal or financial information.

            Sincerely,
            IRS Online Services”

            Although I had successfully created the account around 5:00 p.m. on 4/1/15 and was able to login again on 4/1 and 4/2 using my user ID, I didn’t get the email confirming registration until 4/3. Why the delay? I know other people who got the confirming email within minutes of successful registration.

            The IRS won’t tell me how and when my user ID got changed or why I didn’t get emails after I made several attempts to retrieve my user ID on 4/5/15…only getting the following online message.

            “Your User ID has been sent to the email address we have on record. You must retrieve your User ID from your email and then sign in to continue.”

            I suspect that my email address was also altered at the time my user ID was changed.

    2. Alan

      Jonathan, where did you get that phone number?

      I’ve been unable to create an account, as I get the error “The information you have entered already exists in our system. You may retrieve your User ID.” on step 3 of the signup process. Forgot user id doesn’t work (which makes sense, because I didn’t create an account), and the reregister link on that page doesn’t work either.

      I contacted the helpline at 866.255.0654 but was told to call the general helpline, since they didn’t support the Get Transcripts functionality.

      I contacted the general helpline at (800) 829-1040 and they basically told me I was SOL and would have to figure out who created the account and get the credentials from them. They said they had no way of resetting the account so I could access it, or otherwise disabling access to the account. (Which seems incorrect, based on other comments on this post.)

      1. me again

        I got the same SOL from the IRS, too, when I talked to them last week. We need a more consistent level of service.

        1. Alan

          The 888-841-4648 number worked for me. Thanks to Jonathan for posting it.

          Called, told them I couldn’t create an account because it said one already existed, and that I hadn’t created one. They forwarded me up to Tier 2 with a case number.

          So it turns out the problem is that I was entering my address with a # sign (for the apartment number), and their system didn’t like that and was giving the “The information you have entered already exists in our system. You may retrieve your User ID.” error.

          I tried signing up again without the # sign and everything worked. So if anyone else is running into that issue, try replacing # with “Apt.” in your address.

          1. Phil

            Thanks for the info Alan. This is exactly what I needed!

          2. Sean

            Alan you are the man! Although I’d like to talk to whatever site developers didn’t let us use ‘#’ for apartment number…Grrrr…

  24. K K

    Does anyone know if you file “Married Filing Jointly”, if the spouse should set up their own login too?

    1. me again

      Yes, spouse should set up his/her own login, and spouse should call IRS, too, if a return was falsely reported.

  25. meh

    At what point should the government take the accountability and damage instead of the public? They coddle the credit bureaus, they coddle student loan companies. They coddle the IRS and in all cases the public has no real recourse and faces substantial damage whenever the model breaks down.

  26. Tim

    Thank you so much for publishing this article, after a few times I was able to create my account.

    Keep up the great info!

  27. Erik H

    It was shockingly easy to create that account. I can believe that it was hard for Equifax to come up with good questions, as my credit file only contains two items, but they managed to ask questions that ignored both of these items – there were only questions about loans I never had, so ‘none of the above’ was the right answer each time.

    Why wouldn’t the IRS add some questions to which they know the answer, e.g. the AGI I specified last year?

  28. Ron Hekier

    Timely. Our tax return was fraudulently filed by someone else before we filed ours last month. Our accountant says she has seen a huge increase in these identity theft cases this year. We were due a return but our accountant says it takes so long to fix this mess that it is best to forgo the return and re-file and have the return credited to our taxes for next year.

  29. Elizabeth

    Am I the only one who noticed that when you access the site to create an account (https://sa.www4.irs.gov/eauth/pub/login.jsp), you receive a message that states the site is monitored by “authorized” personnel and you waive all rights to privacy? That seems a little scary, as well.

Comments are closed.