07 Mar 16

IRS Suspends Insecure ‘Get IP PIN’ Feature

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called Identity Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund fraud on innocent taxpayers two years running.

Last week, this blog told the story of Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., who received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.

The problem, as Wittrock’s case made clear, is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates, and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

In a statement issued Monday evening, the IRS said that as part of its ongoing security review, the agency was temporarily suspending the Identity Protection PIN tool on IRS.gov.

“The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool,” the agency said.

According to the IRS, of the 2.7 million IP PINs sent to taxpayers by mail for the current filing season, about 5 percent of those – approximately 130,000 – used the online tool to try retrieving a lost or forgotten IP PIN. The agency said that through the end of February 2016, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.

“For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns,” the statement continued. “These strengthened review procedures – which are invisible to taxpayers – have helped detect potential identity theft and stopped refund fraud. Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.”

Eight hundred taxpayers may not seem like a lot of folks impacted by this security weakness, but then again the IRS doesn’t release stats on fraud it may have missed. Also, the agency has a history of significantly revising the victim numbers upwards in incidents like these.

For example, the very same weakness caused the IRS last year to disable online access to its “Get Transcript” feature (the IRS disabled access to the Get Transcript tool in May 2015). The IRS originally said a little over 100,000 people were impacted by the Get Transcript weakness, a number it later revised to 340,000 and last month more than doubled again to more than 700,000 taxpayers.


70 comments

  1. Thanks for posting this, Brian. Glad I did not request this so called “secure” PIN a few weeks back as I was planning to. Instead of being more secure, one steps into a possible trap.
    This reminds me of one of those situations: “despite all the extensive care provided by many doctors, the patient is still alive”….

    • JK, don’t see how it’s a trap. You’d be no worse off if you asked for and got an IP PIN, in fact you’d be better protected. Without one there’s absolutely nothing stopping someone from submitting a return if they have enough of your personal information to do so. You’re dependent on the IRS noticing the fraud and stopping it. If you got an IP PIN and the thieves did not know you had one or if they could not or did not steal your PIN then you were protected by it. If they DID steal your pin it’s no different than not having one at all. The PIN is a good idea in theory and the IRS should have done a better job at implementing it.

    • I like that!

  2. Brian, in cases where identity thieves submit a fraudulent tax return, does the IRS then take responsibility for the lax security and subsequently accept the genuine tax return (including any refund that should be given based on that)? Or do they entirely blame the victim and refuse to process the real return/give any refund due?

    • Unfortunately, the process is more like the latter. The victim must prove their real identity before the IRS will accept his or her return. That can mean weeks to months. See some of the other articles Mr Krebs wrote about this.

    • I’m still waiting on my return from last year. Someone filed before me. This year looks like it’ll be just as much fun.

  3. Another good reason to have a freeze on one’s credit reports–no access to them to obtain the knowledge based questions.

    • Yes, and No. I’ve heard that ‘getting a credit report’ costs money, and some institutions (no idea how many) don’t request one. I once (long long ago) got a Sears credit account on the basis of having a valid credit card.

      So, yes, it’ll stop some fraud. No, it won’t stop it all. But, Defense in Detail. Take what steps you can, and continue to look for ways to stop criminals. (and this time, I’m not actually talking about politicians for a change).

  4. I’m curious if having an Equifax credit freeze would eliminate the kb question and answer weakness that allowed the IP PIN theft. Does the IRS make a realtime verification of the answers?

    • It did for me, so I assume it would work for everyone. After I put on the freeze (all 4 credit companies), I tested it by applying for an IRS account. It was rejected on the basis that my Equifax acct was frozen and therefore they could not complete the verification process.

      • I’ve had a credit freeze in place for years but it did not stop someone from creating the irs.gov account in my name on February 16th. I was able to reregister and subsequently freeze the account just by providing some basic PII. I never saw any questions you might associate with data from a credit agency.

    • From what I could tell from their disclaimer the freeze should work and I wrote about it here:
      http://www.lessismoreorless.com/2016/03/02/your-irs-ip-pin-might-give-your-refund-away-to-criminals-unless/

      Unfortunately I couldn’t test this because I already registered an account with them and this prevents me from getting to the KBA step of the PIN retrieval tool. But their own description makes it sound that they clearly use one of the big 4 credit companies:

      “””
      What will we do with your information?
      The IRS may use third party data to verify your identity. The third party provides the IRS with information to generate questions used to help authenticate your identity. This action may create an entry called a “soft inquiry” on your credit report. The soft inquiry will be listed as an IRS inquiry with the date of the request. Only you can see the IRS soft inquiry. Soft inquiries do not affect your credit score and are not reported to lenders. Learn more about soft inquiries.
      “””

      • While a freeze won’t prevent thieves from claiming to be you to the IRS, it will prevent thieves from being able to answer the 4 KBA questions from Equifax in order to get your IP PIN if you were assigned one by the IRS.

        • Bruce Bartolf

          Brian, officially hit with this. Second year in a row they filed early on me. Also, they tried to pull a full transcript, but IRS blocked this.

          • Curtis Benningfield

            Me too! Obviously the IPPIN is useless! I’m getting really tired of this! Every year a police report and an IRS 14039. My computers are protected, and I have credit freezes and fraud alerts in place. I file a joint return and have kids. Is there any way to find out whose data was breached, and when the fraudulent return was filed? The IRS is a joke, and not a funny one!

        • They may not be able to get directly from Equifax, but other information that is publicly accessible can give them information that improves their odds of random guessing. For instance, if you have a mortgage, it almost always seems to be one of the questions. Information about someone’s mortgage (guarantor, etc) can be found in the county records for the property.

          But, even with random guessing, that translates to about 2 out of every 1000 they try, which, with some scripting, isn’t so bad. And then, if they can narrow down certain questions for many individuals with information that is known publicly, odds can be significantly improved for obtaining more PINS.

          The freeze can help in one way, but it doesn’t prevent the issue.

          • Guessing the correct answers will not work. The verification process is multi-step. Your claimed identity is sent to Equifax, Equifax provides the IRS IP PIN retrieval site with the questions and answers from which to choose. The site gathers the answers selected by the user then sends them to Equifax verifying them as correct or not.

            With a credit freeze, the verification of answer correctness fails. The first reply from Equifax containing the questions does not fail.

            I suspect that the IRS pays per attempt, so the first step is not blocked by the credit freeze to increase billing to the IRS. Technically, the credit freeze should block the first step, since it can only happen by accessing the consumer’s credit record.

            • Jackson Sieger

              What you just wrote is a load of bull. Credit freeze does not affect ID verification services that Equifax provides, and Equifax is not the only source of OOW questions that IRS presents to the taxpayer. Credit freeze does nothing but put a block on hard pulls. Soft pulls (such as an ability for you to view your report through ACR or an ability for Equifax to generate ID verification questions) are not at all affected. IRS does pay Equifax, and there is no “2nd attempt”, if you do not answer questions correctly (all of them), you are not retrieving your PIN. Last year they would give you 2 attempts, and require you to answer 2 out of 4 correctly. This year it is very strict.

              • @Jackson Sieger

                Could you elaborate on who and what you were responding to about the BS comment?

                I tried to hack my own IRS account and was unable to because I had registered with an IRS account and created my own challenge questions and answers. Others here with credit freezes mentioned they tried to replay the attack and were not able to get the challenge questions online. Furthermore, I called the IRS hotline and specifically asked if a credit freeze would have prevented the questions from being generated and the representative affirmed so.

                I totally agree that other sources of challenge info can be drawn outside of the major credit bureaus (in fact the IRS rep said phone calls to them use other factors to verify identity not used in credit reports), but from the evidence I see in this particular case it does look like freezing your credit prevented the questions from ever being generated for the online tool.

                Did you try to attack your own account while the tool was available?

        • @BrianKrebs

          FWIW:

          I called the IRS hotline and specifically asked if a credit freeze would have prevented the questions from being generated and the representative affirmed so.

          Also, when the tool was up I tried to replay the attack, but since I had already registered my name and email with the IRS I was presented with the challenge questions I created custom answers for instead of the credit based ones. So a nice tip for everyone would be to create an acct at the IRS before attacks like this are possible.

          Thanks again for the reporting and the PSA on this issue!
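The guessing odds argued over in the replies above (about 2 in 1,000 for four all-correct answers, versus last year’s policy of two attempts needing only 2 of 4 correct) can be put in numbers. The following is an added example, not code from KrebsOnSecurity, the IRS or Equifax; it assumes five answer choices per out-of-wallet question and that every attempt draws fresh, independent questions, and the `KbaPolicy` names are made up for the illustration.

```python
"""Model how a KBA policy's parameters change a random guesser's odds.

Assumptions (not stated on the page): each question offers `choices`
options, exactly one correct, and a guesser picks uniformly at random;
each attempt presents fresh questions, so attempts are independent.
"""
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class KbaPolicy:
    """Parameters of one knowledge-based-authentication (KBA) challenge."""
    name: str
    questions: int         # out-of-wallet questions asked per attempt
    choices: int           # answer options per question (assumed)
    required_correct: int  # minimum correct answers to pass one attempt
    attempts: int          # attempts allowed before the tool locks out


def single_attempt_pass_prob(policy: KbaPolicy) -> float:
    """P(at least required_correct right) for one attempt: binomial tail."""
    p = 1.0 / policy.choices
    n = policy.questions
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(policy.required_correct, n + 1))


def pass_prob(policy: KbaPolicy) -> float:
    """P(pass within the allowed attempts), attempts modelled as independent."""
    fail_once = 1.0 - single_attempt_pass_prob(policy)
    return 1.0 - fail_once ** policy.attempts


def expected_passes(policy: KbaPolicy, retrievals: int) -> float:
    """Expected number of successful random-guess retrievals if every one of
    `retrievals` uses of the tool were a guesser (an upper-bound risk figure)."""
    return retrievals * pass_prob(policy)


def max_attempts_under(policy: KbaPolicy, target: float) -> int:
    """Largest lockout threshold that keeps a guesser's overall pass
    probability below `target`, holding the other parameters fixed.
    Returns 0 if even one attempt exceeds the target."""
    single = single_attempt_pass_prob(policy)
    if single >= target:
        return 0
    attempts = 0
    while 1.0 - (1.0 - single) ** (attempts + 1) < target:
        attempts += 1
    return attempts


# The two policies described in the comment thread (choices=5 is assumed;
# it is what makes "about 2 in 1000" come out for four all-correct answers).
LAST_YEAR = KbaPolicy("2 of 4 correct, 2 attempts", 4, 5, 2, 2)
THIS_YEAR = KbaPolicy("4 of 4 correct, 1 attempt", 4, 5, 4, 1)

# Constructed figure from the article: ~130,000 taxpayers used the tool.
TOOL_USES_2016 = 130_000

if __name__ == "__main__":
    for policy in (LAST_YEAR, THIS_YEAR):
        print(f"{policy.name}: {1000 * pass_prob(policy):.1f} per 1,000 "
              f"random guessers pass; worst case {expected_passes(policy, TOOL_USES_2016):.0f} "
              f"of {TOOL_USES_2016:,} retrievals")
    print("attempts allowed while keeping pass rate under 1%:",
          max_attempts_under(THIS_YEAR, 0.01))
```

Relaxing two parameters at once (fewer required answers and a second attempt) raises a guesser’s odds from roughly 0.2% to roughly 33%, which is why the lockout threshold and the all-correct rule have to be tuned together rather than separately.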

  5. Brian,

    You are wonderful. You wake everyone up.

  6. I wonder what happens if someone OWES the IRS money and someone else already filed for a refund. If you are delayed in trying to get a refund, can you also be delayed in trying to submit a payment? And if that is delayed will you be charged a penalty? Maybe if everyone starts underpaying the deductions, so that a small payment is due at the end of the year, then the IRS will make things more secure.

  7. The IRS has two functions, serving as the federal taxing authority and as fiduciary for income tax withholdings. The problem the IRS has with being a banker is that they have no real knowledge of their depositor’s status other than their name, SSN, date of birth and prior year filing information. By using filters in their programs, they are trying to pretend to be a “home town” banker that knows all about the changes in their depositor’s lives such as relocation, change in employment, divorce, and the like. No matter how well constructed the filters or knowledge based surveys are, it is impossible to simulate actual awareness. This requires having a database that is updated much more frequently than once a year. On December 31 of each year the IRS holds 30 times more deposits than all the FDIC insured financial institutions combined and yet they are helpless in preventing imposters from cleaning out a customer’s account.
    Long before E-file, the IRS knew they had a significant internal control weakness in that the verification information for depositors’ accounts was not available until well into tax season. This has never been corrected and it is unlikely that Congress will ever muster the political courage to delay tax season until the verification information is available. Knowing this internal control weakness was present, the IRS proceeded with E-file, which makes it so easy for identity thieves to take advantage.
    The IRS created this mess and to blame it on taxpayers for not adequately protecting their SSN is completely disingenuous, given the sheer volume of hacking that has occurred on institutional computer systems, including their own systems.
    To date, the commissioner has yet to encourage taxpayers to file early to avoid SIRF simply because of the added cost of processing corrections that are likely to occur. Filing any tax return on the first day of tax season, even if it is wrong, is the only successful protection that a taxpayer can rely upon.

    • The government has been part of whoring out everyone’s information: in 2014, healthcare.gov had been allowing no less than 14 different marketers to observe every entry in every field that applicants filled when they applied for healthcare. (See the EFF’s research confirming that:
      HealthCare.gov Sends Personal Data to Dozens of Tracking Websites). There is no way that they can say with a straight face that they had informed consent from everyone applying for HEALTHCARE. Explain to me why Optimizely.com needs to know my social security number? Or better, explain to me why the people over at healthcare.gov thought it was a good idea to “share” (read: SELL) this information in the first place?

      Breaches aside, the government can’t say it wasn’t they themselves who gave away social security numbers for a very small fraction of a penny each.

    • I blame Congress, but your writeup is very good.

      I’m not sure how much the IRS can do w/o an act of Congress.

      I found the Internal Revenue Code of 1986 [1], but can’t figure out if it mentions electronic filing (meaning if it was established by an act of Congress) or whether it was something the IRS did on its own. I naively assume that Congress instructed the IRS to do it.

      Certainly the requirement to issue refunds promptly is by an act of Congress and thus not something the IRS can fix on its own.

      [1] http://legisworks.org/congress/99/toc-pl-99-514.html

  8. And all Congress is worried about is Hillary’s emails. Seems like hers was the only system that wasn’t hacked.

    • Except that a hack was the very thing that revealed her use of the secret/private server.

      • Except the hack was against a commercial email account, not the private server. If you want to see a great government hack look no further than the OPM. It’s always funny to hear the moans and groans about the Clinton email issue when the congress can’t keep its own stuff safe. Such a non-issue for anyone who cared to look past the ridiculous Fox News reporting.

  9. I was not a previous victim of IRS tax refund fraud, but I came very close to requesting an IP PIN anyway, as part of an experimental pilot program in three southern states. However I was slowed down because I would have to lift the freeze on my Experian credit file. Now that I’ve read about the loophole in the IP PIN system, I have to say “Wow, am I glad I didn’t go through with it.” Thanks for the article Brian.

  10. Great job Brian, you and your reporting almost certainly stopped this.

  11. I’m sorry, but being the king doesn’t create a mess. And Congress, being the ruler of the pocketbook, aren’t expert enough to see the ramifications of a change of a comma or a period. But, they are the easy ones to blame. So someone cut in line, and got your refund. It ought to be illegal. And they did it over a computer. Gee, everyone tells me it’s unspoofable, so there must be a trace element that is provable somewhere. Maybe, by not paying more returns to the same Bank? Or even the same Bank account? Is it time to push for one ID again? Or food one central bank? But my question is why do conspiracy theories sound so logical?

  12. I applied to the IRS using their form along with my photoID…finally got a letter and it turns out the PIN# was assigned to my son who never applied for a PIN#…I attempted to contact the IRS but they could not verify the info as they claimed they could not access his account without speaking to him…So much for including a photo ID.
    My son now has a PIN# and I don’t. I don’t know how my info is tied to his PIN#. Perhaps it may be more secure this way as the bad guys may have a tougher time figuring out what the IRS screwed up.

    Questions: If two people were to file a joint return and only one uses a PIN#, what prevents a bad guy from submitting a second filing using fake W2 information for a refund without a PIN# ????

    If two people file a joint return, are two PIN# required?

    What would happen if two people file a joint return where one has a PIN# and the other one does not; and the return is filed without the PIN# from the second person?

  13. Hi All,

    Does filing paper returns make one any safer?

    In the years past, I have tried to file early. However, the earliest that I am able to file is mid-March: several tax docs, corrections etc only make it by the end of February or sometimes early March. This has been the case for me for my 2015 returns as well. So while filing early is helpful in principle, it is not implementable in practice. Hence the search for an alternate mechanism to be safe.

    I have frozen my credit report for what that is worth.

    Thanks in advance.

    • No, filing paper returns does not make you any safer. I know of at least one individual who filed by paper but still had an early fraudulent return filed with his SS number.

      • Thanks for your reply Marv.

        As I see it, beyond freezing one’s account with the credit bureaus, there is nothing else that one can reasonably do (unless one’s taxes are real simple and they can file early).

    • It may be possible to file earlier, then do an amended return file.

  14. Robert Scroggins

    I suspect that Brian’s mention of the problem is responsible for the IRS doing something about it.

    Good work, Brian!

  15. We, the victims, of careless companies and careless government agencies, OPM and IRS, are given the illusion of caring and help after the fact. OPM offered several years of credit monitoring for the employees, which of course is NOT protection. Writing your representative in Congress only gets you back a form letter. I know, we did (and went in person as well). It didn’t affect them so, why care. OPM contracted with a credit monitoring service for millions of tax payer dollars. What a waste. The only thing that helps victims is a credit file freeze, not monitoring. No it’s not perfect, but I sleep better at night. Why should any victim have to pay for this protection. Congress needs to step up to the plate and say with new rules, victims get to have their credit file frozen and unfrozen for “free” or the careless company, government agency pay for it. Hard to believe most folks over 65 can have it free, but not ID theft victims. One last thought. You receive a letter from the company or federal agency (OPM) stating your personal information has been stolen, but you are not considered a victim until -after- that information is used by someone else to commit fraud or a crime. Now that’s crazy! You become a victim as soon as the information is stolen. Sorry Mr. Bank, the robber held up your bank and stole all the money, but until that person uses the money you are not a victim of a crime.

  16. The IRS can reduce tax fraud literally overnight by more than 60% by simply allowing people with bank accounts to block/reject any refund to a prepaid card (or to any previously unauthorized bank accounts). Why they don’t do it? At first I thought it was indifference or some other reasonable motive, but after a few interactions with them I discovered it’s actually because of the sheer incompetence that has come to define so many government institutions (and their “specially selected” contractors).

    • Jackson Sieger

      They do. Changing bank account details is one of the variables tested by the IRS during initial processing. However, there are genuine reasons for people to change their accounts or to use Netspend. Putting a cap on it would mean millions of refunds being stopped for no reason at all. IRS manages a huge organization that makes over 150 million refund payments in a very short time period. They need to weigh security of funds with convenience of the taxpayers.

  17. Looks like it’s time for them to require a cheek swab to be sent with every tax return!

    • Topside cheeks or bottomside cheeks?

    • Lol yes right, I am one of those people who was compromised by this. It’s crazy. I tried to go in person for my IP PIN so they will know it’s me; they don’t do that, go online they said, and look what happens, smh. I still haven’t received my refund, they say 9 weeks, I’m about to be evicted soon. I called for an IRS advocate, hopefully they can get my refund faster. Why didn’t thieves have this much trouble?

  18. So if you’re one of the victim and is expecting a refund, IRS will take a looooong time to process the genuine tax return.

    Hmm, maybe I should change my exemption so that I don’t get a refund, but will pay a few $$$ when I file my tax. Identity thief won’t steal my tax info (there’s no refund) and I got money in the bank, earning interest rather than giving it to the IRS for a 12-month interest-free “loan”.

    • They can/will still file a fraudulent return in your name and get a refund. And, you’ll still have to pay the IRS by April 15, or penalties will be charged (that’s how it works with extensions, I’m assuming that’s how it would work with fraud), so the only real benefit is not having to wait a very long time for the refund you were originally owed. Which may still be worth it.

    • The identity thieves don’t care if you are entitled to a refund or not. They are going to make up information so that there will be a refund. Still not a bad idea to have it so you pay a little in every tax season so that you’re giving an interest free loan.

      • Indeed, they’ll just create whatever information is necessary to give you the largest possible refund they can get w/o triggering an audit. They’re pretty good at this now.

      • Jackson Sieger

        It is not that easy. IRS does check your figures against last year’s during the initial stages of processing.

  19. This is just another example of the broader problem of identity verification. For example, if you lose your gmail password, you have a limited set of options for recovery – if you have something set up ahead of time, it can be easier. But there is no office or place that you can go to prove identity, so we are left with these stupid questions.

    Even if the IRS were to mail out cards with a PIN of some sort to every taxpayer, you know some people would lose the stupid things, some would get lost due to moving, fire or natural disaster.

    The old-fashioned way of dealing with this was to use a notary public, who could use various types of identification to prove identity and then affix a seal. But the seal itself isn’t something that can’t be forged – if there were enough money in it to make it worth the while, someone could manufacture counterfeit notary seals.

    Since the IRS is a government agency, they *could* somehow leverage the nationwide network of post offices, but there is no notary service at the post office, and there isn’t anything else I can think of off the top of my head that the post office currently does that would be of use here.

  20. Bracket Creep

    A consumption tax would eliminate identity theft related refund fraud. As long as we continue to tax income instead of consumption, we will require the IRS to dedicate customer service and enforcement resources to refund fraud.

  21. Brian, one comment referred to cheek swab which is not an extreme suggestion. The use of a mobile application like GoVerifyID biometric voice and Facial recognition, is readily accessible using a mobile device. Biometric authentication could support the objective. This mobile messaging, requiring a biometric check, prior to releasing the IP PIN is clearly stronger than KBA.

    • >>Brian, one comment referred to cheek swab which is not an extreme suggestion.
      Yes it is. The federal government may have my fingerprints because I’ve done DOD work, but that was my choice. Plus fingerprints are not foolproof.
      Being required to give the federal government my DNA to get my IP PIN online is way over the line.

  22. Abdullah Keita

    I need pin on my social security number

  23. For the amount of money spent on credit monitoring, which is a reactive method of giving the feeling of security, we could place a mfa device (ubikey, etc) in the hands of all taxpayers and give them a proactive means to protect access to their data.

  24. One last two bits from me…apparently the IRS is not in compliance with their required federal agency requirements for Risk Management Framework, and several other laws/regs. Federal Agencies, Civilian and DoD, are required to comply with the RMF and controls required under NIST SP800-53.

  25. There’s anecdotal evidence that one of the IRS’s controls over tax refund ID theft — imposing a limit of three direct-deposited refunds per deposit account — isn’t working as it should, either.

  26. I always enjoy these important articles, Mr Krebs.

    Can someone please tell me why Mr Softee sends updates for OSs that people do not have?

    I just went through 17 updates and none of them pertained to Dows Seven.

    Thank you in advance.

  27. Jackson Sieger

    Krebs is completely clueless as always.

    1. Credit reports can still be viewed even if you freeze the report. Freezing your report means that “hard pulls” are rejected, in other words, you will not be able to apply for credit. However, AnnualCreditReport.Com still allows you to view your report online.

    2. In addition to IP PIN, ID theft victims get a permanent ID theft marker on their IRS tax account. This means that additional business rules are applied when your refund is processed. For the thieves it means that chances of success are 0 as the EFDS does a thorough check, comparing the present return to past returns, checking against certain tolerance figures known only to the IRS.

    3. The real vulnerability at this time is NOT the IRS PIN, but the online IDVerify feature that the IRS implemented. It allows ID thieves to “remove” ID theft indicators from their accounts by answering the same OOW questions as IP PIN. Removal of ID theft indicator “pushes” the refund that has been flagged as an IDT refund through the systems within 1 week.

    Brian, I think you should do more “journalism”, and stop merely reprinting someone else’s news.

  28. I was a victim last year and received a PIN from the IRS. I attempted to submit my return yesterday and found, once again, someone had already submitted a return.
    I talked with the IRS this morning and asked how they could do that when I have a pin. She didn’t have an answer. Someone had submitted a fraudulent return on March 1. She did say it was flagged and no money was sent.
    However, I’m still the victim who now has to do more paperwork and mail in my return. This is our tax dollars at work???

    • Jackson Sieger

      The purpose of IP PIN is revenue protection, not the convenience of the taxpayers. From the point of view of the IRS, they have prevented revenue from being stolen, again. Your PI is obviously compromised, I would consider changing SSNs.

  29. I’d like information on who to contact with identified hackers, potential harmful intent nationally…. Thank You, Sincerities…. R.whyholt -03/15/2016-

  30. This will never happen, but the best way to stop criminals from filing fraudulent tax returns is to eliminate withholding altogether.

    Let people be responsible for putting away enough money to be able to pay their taxes in April. If there is no withholding, there are no refunds. If there are no refunds, there are no fraudulent returns.

    OK – I know there are a few flaws.

    1. how to accommodate the situation where credits push you into a refund situation?

    2. do most folks have the discipline to sock away enough money to pay, or will we have to set up an escrow account under the control of the individual taxpayer.

    3. probably some other flaws as I’m not an accountant.

    ft