The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness.
In March 2015, I warned readers to Sign Up at IRS.gov Before Crooks Do It For You — which tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.
Two months later, IRS Commissioner John Koskinen publicly acknowledged that crooks had used this feature to pull sensitive data on at least 110,000 taxpayers. Today, the Associated Press and other news outlets reported that the IRS is now revising those figures, estimating that an additional 220,000 potential victims had Social Security numbers and information from previous years’ tax filings stolen via the IRS Web site.
“In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns,” the AP story notes. “They were successful in getting information from about 334,000 taxpayers.”
A BROKEN PROCESS
The IRS’s experience should tell consumers something about the effectiveness of the technology that the IRS, banks and countless other organizations use to screen requests for sensitive information.
As I reported in March, taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.
These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried.
If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.
Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.
THE IRS IS STILL VULNERABLE
The IRS has responded to the problem of tax ID theft partly by offering Identity Protection PINs (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, according to Kasper — the tax ID theft victim whose story first prompted my reporting on the Get Transcript abuse problem back in March — the IRS.gov Web site allows consumers who have lost their IP PINs to recover them, and incredibly that feature is still using the same authentication method relied upon by the IRS’s flawed Get Transcript function.
“Unless they’ve blocked access online for these 330,000 people, then those 330,000 are vulnerable by having their IP PIN being obtained by the same people who got their transcript,” Kasper said. “These people have already been victimized, and this IP PIN recovery process potentially exposes those people to being victimized again via the IRS.”
Kasper, who testified about his experience on June 2, 2015 before the Senate Homeland Security and Government Affairs Committee, says the IRS could ameliorate the problem by allowing taxpayers to lock in their refund payment details.
“This could be done either with a form and supporting proof of identity documents, or with a check box on your tax return which would apply for the next year’s tax return,” Kasper said. “Unlike Identity Protection PINs, no one can lose their home address or bank account number. If someone has to change it, they can resubmit the form. As a result, it should be easy to let people opt in nationwide to prevent stolen refunds.”
The IRS said it is notifying all potential victims and offering free credit monitoring services. But this is hardly a useful solution. I have long urged readers to rely instead on freezing their credit files with the four major credit bureaus as a means of thwarting ID thieves (for more on what a security freeze is and why it’s superior to credit monitoring, see How I Learned to Stop Worrying and Embrace the Security Freeze).
Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.
Unless, of course, the scammers in question are counting on obtaining your tax transcripts — or recovering your IP PIN — through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.