August 17, 2015

The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness.

Screenshot 2015-03-29 14.22.55In March 2015, I warned readers to Sign Up at IRS.gov Before Crooks Do It For You — which tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Two months later, IRS Commissioner John Koskinen publicly acknowledged that crooks had used this feature to pull sensitive data on at least 110,000 taxpayers. Today, the Associated Press and other news outlets reported that the IRS is now revising those figures, estimating that an additional 220,000 potential victims had Social Security numbers and information from previous years’ tax filings stolen via the IRS Web site.

“In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns,” the AP story notes. “They were successful in getting information from about 334,000 taxpayers.”

A BROKEN PROCESS

The IRS’s experience should tell consumers something about the effectiveness of the technology that the IRS, banks and countless other organizations use to screen requests for sensitive information.

As I reported in March, taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried.

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

THE IRS IS STILL VULNERABLE

The IRS has responded to the problem of tax ID theft partly by offering Identity Protection PINs (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, according to Kasper — the tax ID theft victim whose story first prompted my reporting on the Get Transcript abuse problem back in March — the IRS.gov Web site allows consumers who have lost their IP PINs to recover them, and incredibly that feature is still using the same authentication method relied upon by  the IRS’s flawed Get Transcript function.

“Unless they’ve blocked access online for these 330,000 people, then those 330,000 are vulnerable by having their IP PIN being obtained by the same people who got their transcript,” Kasper said. “These people have already been victimized, and this IP PIN recovery process potentially exposes those people to being victimized again via the IRS.”

Kasper, who testified about his experience on June 2, 2015 before the Senate Homeland Security and Government Affairs Committee, says the IRS could ameliorate the problem by allowing taxpayers to lock in their refund payment details.

“This could be done either with a form and supporting proof of identity documents, or with a check box on your tax return which would apply for the next year’s tax return,” Kasper said. “Unlike Identity Protection PINs, no one can lose their home address or bank account number.  If someone has to change it, they can resubmit the form.  As a result, it should be easy to let people opt in nationwide to prevent stolen refunds.”

IP-PIN

The IRS said it is notifying all potential victims and offering free credit monitoring services. But this is hardly a useful solution. I have long urged readers to rely instead on freezing their credit files with the four major credit bureaus as a means of thwarting ID thieves (for more on what a security freeze is and why it’s superior to credit monitoring, see How I Learned to Stop Worrying and Embrace the Security Freeze).

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts — or recovering your IP PIN — through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Equifax, at least) before the agency is able to continue with the KBA questions as part of its verification process.


28 thoughts on “IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam

  1. Stuart

    Good point in the last paragraph. My credit has been frozen for years, and neither the IRS or Social Security websites would let me register for accounts because they couldn’t access my credit report. Made me feel much better.

  2. Mike

    I think you mean you warned us in in March 2015, not 2013.

  3. Waterford

    If you have heeded Mr. Krebs past advice and have placed a freeze with the credit bureaus, then you nor anyone else can open a my-social-security account online. SSA is not able to access the verification data maintained by the credit agencies. The credit freeze works as it should. Thank you, Mr. Krebs.

    1. Doris Walker

      You can establish a My Social Security account even WITH a credit freeze, just not online. If you visit a SS office, they will set an account up for you, which you can then access online.

      1. Waterford

        Ms. Walker: Thank you for your reply to my note. Do you know what documentation someone would need to do so? Simply curious. For instance, let’s say I live in Lincoln, NE and someone walks into an SSA office in Miami. They simply need forged IDs I assume. Seems like more trouble than multiple forgery attempts online. I guess the thieves would go for volume more so than high quality pigeons like you and me. Regards, ~Waterford

  4. JCitizen

    Good thing I don’t have a tax refund to receive anyway! I never pay into the system ahead of time. I pay later. I never get a refund, so there is nothing they can steal from me that way. I figure everybody’s ID is already compromised with so many breaches everywhere now!

    They need to pass a law, that if you are going to offer credit watch services, that they also need to have available whether tax returns have been file for refund, or from other sources of fraud that can not ordinarily be monitored by these credit watch services. They only watch a small window of areas that can impact a victim. I also feel if such a service has so much access to your information, that they meet or exceed security standards, or get out of the business. Of course even banks are sloppy, so fat chance my dream with come true!

    1. BrianKrebs Post author

      You of all people should know this by now, JCitizen: You don’t have to be actually owed a refund by the IRS to be the victim of tax refund fraud. The bad guys just have to file a refund request in your name before you actually file your taxes. That is, the first time most victims find out they’re victims is when they go to file their return (refund due or taxes owed, doesn’t matter) and learn from the IRS that someone has already filed it for them.

      1. Jersey Danielson

        It’s true that you don’t have to be actually owed a refund by the IRS to be the victim of tax refund fraud. However, this strategy at least limits the short-term potential for lost cash out of pocket while you and the IRS figure out what happened…if you were expecting a refund. The IRS won’t pay out your actual refund until you go through their victim process.

  5. AFH

    What protection is there if you already have an account at IRS.gov to view your transcript? We set ours up during this period – Feb through mid May – when these accounts were being accessed. But I thought I also remembered someone posting that anyone could still attempt to access your account – reseting the password or some such approach meant they could restart the “identity verification” process that is so weak. I would have hoped that at least some email notification would be sent to the account holder under this scenario.

    Kudos to those who had already protected themselves by freezing their credit files. This is really bad.

    I noticed in June that I could no longer access my IRS transcripts on-line. I wanted to see the results of the 2014 filing. Now I know why I was no longer able to log in.

    1. Robert

      I was a victim of IRS tax fraud this year. Someone filed with my info before I tried to file. If you have already set up an IRS E-services account with IRS.gov for “Get Transcript”, this IRS.gov ‘Profile’ account’s ID, Password, and registered email address will allow you to get a transcript (when this service is resumed by the IRS), AND the same account can be used to obtain an IP PIN (Identity Protection #) to allow you to file your next year’s IRS Federal Return. If you lose the PIN # that the IRS sends in December, this is how you can retrieve it online with your personal E-Services Account.

      Now to your question- a hacker can currently ‘RESET’ your account info- using his own password, ID, and Email address- on the same IRS ‘Get Transcript’ site! He needs your SSN, birth date, and current address, and he will have to guess (or know) four out- of-pocket questions provided from Equifax. Not hard to do. However, If you ‘Freeze’ your credit access at Equifax, the four questions from Equifax will not be provided, making it impossible for the hacker to reset your IRS.gov ‘Profile’ Account and change your registered email address. The only time a confirmatory email is sent, is when setting up or resetting an IRS.gov Profile Account. The IRS believes that it is a convenience for us to be able to set up an account, so that the next time that we return to the website, we get to skip over all those pesky out-of-pocket Equifax security questions, and will not have to be verified by email again. Instead, we can just provide an ID and Password, and request that our IP PIN # or Federal Return Transcript be sent to our email address. The weakness is with the RESET feature and a problem if the hacker thief sets up the Profile Account before you do! My hacker had already setup an account with his email, so I had to reset my own account, and then ‘Freeze’ my Equifax credit info to block anyone else from resetting it again! Kasper was able to have the IRS ID Theft Dept block all E-Services access on his account. They refused to do this for me, and even said it was not possible. Nor would they reset the fraudulent profile account for me. I had to do it without their assistance on their largely dysfunctional non-user friendly website. This was difficult to say the least! It is unknown what changes will be made by the IRS to resolve these deficiencies.

      1. Robert

        What happens if a hacker has already gone to the IRS.gov and setup a fraudulent ‘Profile’ Account before you did? Creation of this account login was designed by the IRS for future easy access to ‘Get Transcript’ or ‘Obtain IP PIN’ without having to answer the Equifax security questions. The hacker used your name and SSN but used his own fake email address. Since he has setup the account before you, even if you have ‘Frozen’ Equifax credit access (therefore no Equifax security questions), he can still get your new IP PIN # online by just logging in with the password and ID he previously created. Equifax security questions will no longer be needed for him to login. You- on the other hand- can’t log in! He gets your IP PIN and can file a fraudulent return again next year before you. When he files early in January, you will likely still be waiting for documents like your W2 or K1 statements. It’s messed up.

      2. Robert

        Having gone through this, I have one more thing to point out. If you file jointly with your spouse, even if you setup or reset your own IRS.gov ‘Profile’ Account, and then ‘Freeze’ YOUR Equifax credit file, hackers can still submit an early fraudulent federal tax return using just your wife’s name and SSN from your previous stolen tax return, and this will block you when you later attempt to electronically file your joint return, or make you wait 9 months to get your refund, if it is due. Your spouse has to setup her own IRS.gov ‘Profile’ Account using her SSN and then ‘Freeze’ her Equifax credit file too. Most people who filed joint returns and experienced federal tax fraud forget that the spouse is still at risk for ID theft as well. All of the fraud forms, freezes, etc must also be done for the spouse. Rarely mentioned. Double the work!

        1. Robert

          And…for the joint filer scenario above, you must obtain an IP PIN# for your spouse to prevent the hacker from using just her SSN to file a tax return in future years. Having that IP PIN# effectively blocks them from filing in her name only, as the fraudulent return would not be accepted- with either electronically or paper filing. When you file your joint return, as of 2015, you only have to provide the primary tax filer’s IP PIN#, but the spouse needs the IP PIN# to stop a fraudulent individual federal tax return using their SSN.

      3. In circles

        Robert,
        How were you able to reset your account online?
        I am stuck in the circle you describe.
        My info was compromised and a fraudulent return filed with my info.
        I can’t reset my password because the reset password link goes to the criminal’s email account.
        I called the IRS Identity Protection Specialized Unit at 1-800-908-4490 and they said they couldn’t help me and I should call the IRS.gov support line at 1-800-876-1715, and of course they said they couldn’t help either.
        Mind you, I was on hold for over an hour to get through.
        Please advise us of your technique to reset the account online.

    2. Robert

      My wife and I setup our E-Services IRS.gov accounts before the IRS suspended ‘Get Transcript’ and I’m not sure if they have currently placed further restrictions on setting up or resetting these accounts based on heightened security.

      Try this:

      Make sure that your Equifax credit file is NOT frozen

      Start here:
      https://sa.www4.irs.gov/eauth/pub/login.jsp and click on ‘Forgot User ID’

      This will not be intuitive, but…on the next page that comes up, do not fill in the requested ID info, ignore the buttons to ‘Send User ID’ button and ‘Return to login page’. Just click on ‘reregister’

      On the subsequent web pages, you will verify your identity, and answer the Equifax out-of-pocket questions. You will set up password, User ID, and Email. Remember to keep the login info in a safe place for future reference.

      Test the login to your IRS.gov account

      Then… freeze Equifax so that hackers can’t reset your account with the info that they already have

      Have your Spouse repeat the process for their account setup/reset, and to keep other’s out. Spouse needs to freeze their Equifax as well to prevent an unauthorized reset

      IRS may be making changes to their website and IRS.gov webpages, and the above information may be outdated in the months to come.

      Good Luck. Hope this works for you.

  6. jamie

    Looks like the IRS.gov transcript feature is no longer available as an online feature. It’s through snail-mail now.

  7. d

    Are students required to send a transcript after completing their Free Application for Federal Student Aid?

    1. timeless

      https://studentaid.ed.gov/sa/fafsa/filling-out#documents
      “Transcript” is ambiguous.

      If you have copies of the original documents you used to file your taxes, you shouldn’t need to ask the IRS for a copy of your filing. And you *should* keep a copy of those documents.

      (There are also “high school transcripts”, “college transcripts”, “interview transcripts”, …)

    2. EstherD

      In this context, “timeless” is also slightly “clueless”.

      Better info can be found here:
      “Providing Financial Information (Before or After Filing Taxes)”
      https://studentaid.ed.gov/sa/fafsa/filling-out#providing-financial-information

      Executive summary:
      Q: Do I have to supply a real IRS tax return transcript?
      A: It depends.

      IF you can use the IRS data retrieval tool when initially filling out the FAFSA, then you will probably NOT have to submit a real IRS tax return transcript. Chances are the college(s) will accept a copy of whatever tax return documentation you happen to have handy.

      BUT… IF you CANNOT use the IRS data retrieval tool when initially filling out the FAFSA, AND your FAFSA is one of those selected by lottery for audit, then YES, you WILL have to submit a REAL IRS tax return transcript.

      1. timeless

        Aww, clueless is a bit harsh… My answer was probably accurate for the average person 🙂

        Afaict, congress requires 30% of FAFSA filings be verified (schools may verify more/all).

        However, apparently if you use FOTW (FAFSA on the Web), your tax information is imported automatically, and thus pre-verified, which should mean you won’t need to verify it later (unless you amend your return or change the data in your filing – I don’t have statistics for this)…

        “More than 20 million FAFSAs are submitted using the FOTW each year, 98% of the total number of FAFSAs filed.” – See more at: https://www.edvisors.com/fafsa/forms/online-application/#sthash.MpveatoY.dpuf

        That means that we’re talking about ~1/3 of 2% to 2% (upper limit) of FAFSA filers (those who didn’t use FOTW) plus anyone who amended a tax return / changed marital status (cases where you would want to keep copies as I suggested anyway) would need to retrieve their IRS forms, assuming they’d actually need to retrieve them in the first place.

        http://ifap.ed.gov/fsahandbook/attachments/1415AVG.pdf appears to be canonical advice to schools for verification for 2014-2015.

        According to AVG–83, you may only need to provide W2s for parents/spouses and possibly a signed copy of your tax return along with other documents instead of actual transcripts. There are other amusing edges (people w/ non US tax returns) too.

        According to AVG–84, you may need to provide a signed copy of your submitted return (instead of using the transcript tool which won’t work), which is the point I was stressing.

        Perhaps the most relevant edge:
        «*Victims of identity theft* who cannot get a return transcript or use the DRT must call the IRS’s Identity Protection Specialized Unit (IPSU) toll-free number at 800-908-4490. After the IPSU authenticates the tax
        filer’s identity, she can ask the IRS to mail her an alternate paper tax re-turn transcript known as the TRDBV (Transcript DataBase View) that will look different than a regular transcript but that is official and can be used for verification. Unless you doubt the TRDBV’s authenticity, you don’t need to get an IRS signature or stamp or any other validation. See DCL GEN-14-05 for a sample TRDBV.»

        Anyway, it’s fairly clear from the instructions that you don’t need a transcript, since pretty much all of the instructions say that schools can verify with (copies of) originals, or in the aforementioned worst case of identity theft, things that aren’t standard transcripts.

  8. Dave

    I did go and setup the IRS.gov account as Brian recommended back in May without issue, but the bad guys may have gotten my info and filed anyway. We recently received a letter saying the IRS had “found” our return from 2014 (it was never lost and we filed via our CPA on time in 2014). A week later we received an $852 check from the IRS. We were perplexed. We will be contacting them to clear up the matter, but reading this made me realize perhaps why we got the check. We have an armored mailbox. We have had a lot of mailbox hits on our street the same time the check appeared. I’m wondering if this is much more organized and the people behind it have mules who hit mailboxes of the victims to grab the checks before the victim receives it? They cash it and the victim is non-the-wiser that it happened if they can intercept the notice and check before the tax payer.

    1. TErickson

      Likely the IRS ‘found’ something was amiss and re-directed it to the address on file and not the one the bad guys wanted. These forgers often hit many folks and don’t want to meddle with trying to intercept the check, they request pre-paid Visa or easy money to transfer. A check in your name ads more complexity than they want.

  9. Curious

    When I am reading about how many people are affected by some breach in security, I am inclined to speculate that it might be convenient to tamper/compromise data/security for a lot of people at the same time, to try mask an attack on an intended target that otherwise might be few or one in number. So, if the security of a lot of people is compromised, it might hide someone’s interest in a particular target, and thus perhaps make an investigation into motives into a moot point. Assuming ofc, there might be many interesting “targets” affected by a hack, or that the severity of a hack affects everyone involved.

  10. timeless

    Speaking of FOTW and the DRT:
    https://www.sscwp.org/ivi/student/ivi/info/drt.pdf

    @Brian, is the information exposed via DRT useful to anyone else? Afaict, DRT doesn’t have any “out of wallet” questions. (See “Get My Federal Income Tax Information.”)

    The FSA ID (which replaced the FSA PIN) doesn’t seem to have much verification: https://studentaid.ed.gov/sa/fafsa/filling-out/fsaid#how — heck, email verification is optional

    Presumably setting up an FSA ID with another person’s information is illegal, but that doesn’t seem to stop criminals (or snoops). I’m unsure how much value there is in knowing the field values retrieved by DRT (beyond FAFSA purposes).

    … In some countries, income levels/taxation are public records (available to all, and with the top earners typically reported by newspapers).

  11. Olivia Solon

    Fraudsters are everywhere and they are doing their job with dedication, but the problem is their jobs interfere and destroy our life and empties our bank accounts. The problem is, we also want to make money and because of that we fall for these scams on internet. Please never share your details with a stranger. I don’t understand only one thing, why people believe a person who is just want to know your account details or other important details. Don’t fall for these scams. Please be aware of these fraudsters.

  12. Jerry Leichter

    The use of “knowledge based authentication” is much broader than the IRS. I recently had to get copies of birth certificates. You can order them on line – and most states send you off to a company called Vital Check to handle the nuts and bolts. (They cover your full life – I’ve also been to their site to get a death certificate. They likely cover other kinds of government requests as well.)

    To prove who you are, you are asked those KBA questions. They are not hard for a serious attacker to answer. Worse, in two visits, I was asked exactly the same questions.

    The basic idea of KBA is great. As originally proposed, it was supposed to include questions like “where did you have breakfast this morning?” (based on your credit card charge at a local restaurant). I don’t know whether people had too much trouble with those questions, or found them “spooky” and intrusive, but they seem to have been dropped in favor of the kind of static information that’s all too easy to obtain about a target. It’s not as if credit reports are somehow magically only available to the good guys! So questions whose answers would appear on a credit report will only stop the unsophisticated attacker.

    Meanwhile, this weak form of authentication is serving as the only gate to some pretty important stuff. Your birth certificate is the root of most paths to establishing your other documentation.

    — Jerry

  13. Jami

    A transcript was obtained in my name. I am most concerned with the fact that my children’s SSN’s and my bank account number (for direct deposit) may have been compromised. Does anyone know if the transcript contains that level of detail?

Comments are closed.