March 1, 2016

Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections.

irsbldgTax refund fraud affects hundreds of thousands — if not millions — of U.S. citizens annually. It starts when crooks submit your personal data to the IRS and claim a refund in your name, but have the money sent to an account or address you don’t control.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The IRS’s preferred method of protecting tax refund victims from getting hit two years in a row — the Identity Protection (IP) PIN — has already been mailed to some 2.7 million tax ID theft victims. The six-digit PIN must be supplied on the following year’s tax application before the IRS will accept the return as valid.

As I’ve noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax.  These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS.

Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. 

“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”

Wittrock said she called the toll-free number for the IRS that was printed on the identity theft literature she received from the year before.

“I tried to e-file this weekend and the return was rejected,” Wittrock said. “I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”

Wittrock said that to verify herself to the IRS representative, she had to regurgitate a litany of static data points about herself, such as her name, address, Social Security number, birthday, how she filed the previous year (married/single/etc), whether she claimed any dependents and if so how many. 

“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.'”

According to Wittrock, the IRS representative shared that the agency wouldn’t be relying on IP PINs for long.

“He said, ‘We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification’,” she recalled. “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.”

Interestingly, the IRS’s own failure to use anything close to modern authentication methods may have contributed to Wittrock’s original victimization. From January 2014 to May 2015, the IRS allowed anyone to access someone else’s previous year’s W-2 forms, just by supplying the taxpayer’s name, date of birth, Social Security number, address, and the answers to easy-to-guess-or-Google KBA questions.

The IRS killed the Get Transcript function in May 2015 after it was revealed (first on this blog) that crooks were abusing it to hijack consumer identities and refunds. But here’s the problem: the agency requires IP PIN holders seeking a copy of their PIN to jump through the exact same flawed authentication process that afflicted its now-defunct Get Transcript service.

According to the IRS, at least 724,000 citizens had their tax data stolen through the IRS’s Get Transcript feature between January 2014 and May 2015. This may in fact be a lowball number: The IRS previously said the number of those affected was 334,000, figures that were sharply revised from an initial estimate of 110,000 taxpayers.

The IRS did not respond to requests for comment for this story. But in a related story by Quartz last year, the IRS said access to an IP PIN itself “does not expose taxpayer Personally Identifiable Information.” However, this may be of small solace to taxpayers who had their tax and income data stolen directly from the IRS in the first place.

The IRS told Quartz that taxpayers who use IP PINs will be sent a new one in the mail each year, prior to each tax season—making it much harder for an identity thief to access this information.

“That is, hackers would have a small window—between the end of the tax year and the moment a taxpayer files a return—to try to steal the IP PIN,” Keith Collins wrote. “The statement added: “In addition, we carefully monitor IP PIN traffic in order to respond swiftly to any potentially suspicious activity.”

I suppose time will tell how swiftly the IRS is moving to respond to suspicious IP PIN activity. In the meantime, if you’d like to know more about tax ID theft and what you can do to minimize your chances of becoming the next victim, check out Don’t Be a Victim of Tax Fraud in ’16.


93 thoughts on “Thieves Nab IRS PINs to Hijack Tax Refunds

  1. mad dog

    I’m from the government and I’m here to help.

    1. Brian

      I filed my return on January 30th via Turbo Tax. I used my IPPIN in the return. My return was accepted that same day and Turbo Tax said I should have the money by February 21st. Nothing out of the ordinary as this always happened for my previous tax returns. The 21st came and went no refund. The IRS Refund tool said my return was still being processed. That didn’t seem right so I called the IRS and sat on hold for 60 minutes. They looked up my return and told me to call another number to verify my identity. I called various times over three days and got a pre-recorded message that they were overloaded with calls and to try later. On the third day I got through and sat on hold for 60 minutes. I talked to a rude woman and I had to verify my name, address, SSN, wife’s name and SSN, refund amount and that’s it. It got verified and said my refund would come in up to nine weeks. Luckily the IRS Refund tool says it will be in my bank account by Friday, so we’ll see. I was expecting more of an identity verification like W2 information or even repairing my IP PIN.

      1. Margaret

        I filed mine on 1/26. Said I will get it February 10th. It went as far as saying deposited in my bank account. I still haven’t received it. I called them it says it was delayed. Call them said I should wait for a letter. Nothing tet. I called back on 2/26. She said they are not sending you a letter. She said u live on florida there are a lot of scams there. Still didn’t give me an answer yet. She said I have to wait 60 days. That will be April 26th. Good luck to you. I hope you get ur refund.

      2. Lisa

        I had the same problem and response but still waiting on my return

        1. Kandy

          Will I am still waiting on both of my checks one is on hold smht then I have 2 wait 90 days for one its crazy I have a IP pin y I have 2 wait still long

  2. null

    Do the easy ones first.

    Identity theft is out of control everywhere and it is time for, to some, drastic measures. It is Not difficult to change withholdings to prevent a large refund. If the tax return has a changed address or bank account, a large refund should be delayed until some of the return is matched to information received from a known employer or bank or agency.

    We should also be able to choose that no refunds be issued for our own identity until data matches including addresses be done.

    1. Derrick

      YES. I WAS ALSO A VICTIM OF TAX REFUND FRAUD IN TY2012.

      HAVING TO GO TO THE IRS SERVICE CENTER. TRUE, THERE SHOULD BE SOME TYPE OF DUE DILIGENCE ON THE FILING OF RETURNS AND MOSTLY ON SCHEDULE C RETURNS FROME SUPPOSED SELF-EMPLOYED SALONS WHICH DO NOT HAVE THE REQUIRED RECORDS AS PROOF OF INCOME. BUT THE NETSPEND TYPE ACCOUNTS SHOULD BE MONITORED FOR THAT IS THE SUREST WAY TO GET A DIRECT DEPOSITED TAX FRAUDED REFUNDS

    2. Tia

      I’m a former IRS collector…
      I file the old fashion way…snail mail… I’ve had no issues with getting refunds except this year… I filed 3yrs of taxes at one time… (12,13,14)rec’d 13 &14 checks via mail… But 12 hadn’t showed up.. So I called… Come to find out 12’s check was issues with 13&14 on 2/6/16.. So now you have to wait 30 days from that date.. Which will be 3/6/16.. Fill out a form for them to track that check for 12..
      Ok I had to answer numerous questions which was expected…
      With all that being said… With me being a former employee as well as a private sector collector..
      Why oh why can’t they have someone to call to verify the names on these accounts before the refund is transmitted… ??
      I had an acct where this guy was in the army.. On a tour of duty.. But we rec’d a tax return for him claiming 3 kids.. Which wasn’t the case year before.. So where did these exemptions come from.. It was my job to find this out once that refund had been issued but it 5 yrs for this to come to light .. He returned home married and had twins.. Ok.. We received duplicate returns after he came home.. I called after letters were sent to him..
      Here’s what went down…
      The female roommate he had… Prior to going to war.. Those 3 kids were hers.. He had no knowledge of that return being filed.. She had the funds put on a debit card
      Which totaled close to 13k…each year… She was on Sec 8.. And food stamps…
      He had to supply me proof he was in the military and out of the country for those yrs and did so..
      But the damage was done… To recoup those funds … It’s going after her… So IRS, welfare fraud, identity theft.. She went to jail for 10yrs…

  3. null

    It is unlikely that CPA needed a tax refund right away, why should people like that be subjected to refund fraud ? A CPA could easily adjust their estimated taxes to minimize a refund.

    We should have the option of No Large Refunds to new addresses or bank accounts. Just another checkmark on the tax form. One that cannot be revoked without consequences such as long delays until forms are matched up.

    I would go for it, I think many others would also.

  4. tax guy, CPA

    It is unlikely that the actual withholding or estimated tax payments made have much to do with the large refunds. Much more likely that the returns are submitted with fake W-2 forms with large withholding. If you were a fraudster, why would you take a chance at identifying taxpayers with actual large withholding?

  5. MC

    Aside from having a proper authentication system instead of a ‘how well can you Google’ test, they need some basic checks that are not too hard to implement.
    Changes to address are obvious signs of fowl play, as are having multiple returns to one address.

    1. Tohu to Bohu

      Don’t worry boy, you gona get microchip soon under your skin as everybody else in USA then nobody can’t steal from you you will be protected by government so relax And wait microchip coz this is only solution

      1. anonymous

        You have a computer that spell checks. Why can’t you use the english language to express yourself?

    2. timeless

      nearly 15% of Americans move annually [1]

      You can’t use “moving” as a red flag when ~1 in 7 do it.

      Solutions aren’t as easy as you might wish.
      The simplest thing is for Congress to remove the requirement for super fast refunds and have the IRS wait until it receives the employer W2s.

      But that

      [1] http://avrickdirect.com/homedata/?p=31

      1. timeless

        … requires congress to do work, which is expecting too much of late, sadly.

  6. Khasf

    Problem solution problem solution and so on so the final end game will be microchip under skin where all the money is tracked and the person who got that is trackeble too !! And that’s what I want then no more crimes no more stealing couse everything is on the microchip then I don’t have to worried about tax aymore couse money will be on chip and if I work then I can be always sure I have enought food and so , but first all the old system needs to collapse totally before we can get this chips and people will start begging for solutions in western countries coz there will be so much fraud and identity theft that the micro chip rfied will be only way ! Anyways I think wverybody in USA should have chips and if they don’t then they gona loose everything

  7. Bohu

    Problem solution problem solution and so on so the final end game will be microchip under skin where all the money is tracked and the person who got that is trackeble too !! And that’s what I want then no more crimes no more stealing couse everything is on the microchip then I don’t have to worried about tax aymore couse money will be on chip and if I work then I can be always sure I have enought food and so , but first all the old system needs to collapse totally before we can get this chips and people will start begging for solutions in western countries coz there will be so much fraud and identity theft that the micro chip rfied will be only way ! Anyways I think wverybody in USA should have chips and if they don’t then they gona loose everything

  8. Gamma

    I’m not familiar with this all IRS fraud thing cause I’m not from the USA but the perfect solution for this I think would be 2fa. When tax refund is filled/requested SMS is sent to person’s mobile phone to verify his/her identity. To make things clear I would make 2fa mandatory.

    Driver’s license is not the solution because crooks will fake driver’s license and IRS will be facing the same problem.

    2fa is not hard to implement and it is not expensive.

    1. timeless

      So, I’m a big proponent of 2FA, and I’d definitely like the IRS to use it, but things aren’t anywhere near as simple as you expect.

      First: 10% of adults don’t have cell phones [1], of those who do, ~20% don’t send/receive SMSs. It’s possible to do 2FA using a voice call, but that takes a /bit/ more effort.

      Second: it’s possible to hijack phone numbers too (call forwarding isn’t particularly hard to establish, and last I read, the attacks were fairly trivial social engineering exploits).

      Some countries issue smart cards w/ standard PKI support. But, 15% of Americans don’t use the Internet. And the percentage of people who use PKI (SSL Client Certificates) is really small in North America (it wasn’t particularly high even within tech companies, although many do use issue certificates for VPN usage).

      I’d rather the IRS issue everyone a Yubikey [3] or similar. Some of these don’t require batteries, and they can generally be safely used wherever. (You still shouldn’t use an insecure/untrustworthy computer.)

      [1] http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
      [2] http://www.pewinternet.org/fact-sheets/broadband-technology-fact-sheet/
      [3] https://www.yubico.com/products/yubikey-hardware/yubikey4/

      1. Gamma

        @timeless your arguments are valid. But 2fa is not easy to bypass. For example I never heard that any Gmail user who uses 2fa got his account hacked. It is true that 2fa can be bypassed with 0day exploit or in rare cases with brute-forcing 2fa security digit code but overall it is secure solution.

        Smart cards are way to go like you mentioned as well as security tokens. I think that every American has $30 or so for security token. If not government can subsidy distribution and use of them.

      2. q

        You’re missing the point. He’s not suggesting everybody *must* use 2FA, only that everybody *should be able* to use it if they want additional security.

        Unfortunately unless you’re rich or famous (aka politician) you as an individual are completely irrelevant to IRS or the government in general, other than a revenue source.

        1. eyebeam

          “To make things clear I would make 2fa mandatory.”

          You are right, it couldn’t be mandatory, but it should be an option.

        2. timeless

          @eyebeam already corrected your reading (Thanks!),

          But fwiw, I don’t think that being rich protects you much here. (You can’t get an Identity Protection PIN just by being rich, unless you count living in “Florida” as being rich, and it wasn’t very secure anyway.)

          The best protection is locking down KBA by adding credit freezes to the 4 major bureaus, and that isn’t any easier for someone who is rich than someone who is poor (admittedly, paying $60 involves spending a bit of money, but at ~$1.15/week, it isn’t a huge cost, and it’s a onetime thing.

          And as for being a revenue source, at tax filing time, ~80% [1] of filers are due a refund. Sure, the IRS collects money, but it generally isn’t at filing time from your average person.

          The IRS isn’t beholden to rich people per se, it’s mostly beholden to Congress, which in turn is bought on individual things (e.g. strangling its budget so that it can’t audit as many rich people), or forcing it to issue returns before it can reasonably have access to the necessary forms in order to validate a tax return’s filing.

          As members of the non-wealthy, we should gather together and demand local representatives make Credit Freezes (and Thaws) free, and that’s something that’s probably easier for the middle+lower class to do than just members of the upper class… — Please write to your state representatives asking them to lower the limits for credit freeze charges (like [2] Indiana, Kansas, and South Dakota) !

          [1] http://money.cnn.com/2015/02/26/pf/taxes/average-tax-refund/
          [2] http://www.creditcards.com/credit-card-news/credit-card-freeze-data-1276.php

          1. lessismoreorless

            Hi @timeless,

            Could you expand on how implementing a credit freeze will prevent KBA checks? Does KBA require some explicit access to a credit file locked down by a credit freeze? I still have KBA credit type questions sent to me on various websites even though I have frozen my credit for many months now @ the big 4. I’m guessing there are other vendors of KBA being used here outside of the big 4, or that freezing your credit doesn’t actually prevent KBA inquiries?

            1. timeless

              > Does KBA require some explicit access to a credit file locked down by a credit freeze?

              Generally. KBA works by retrieving answers from something (typically a credit bureau), generating (potentially horrible) alternate answers, and then asking the person to answer the question, validating it against the answer from the bureau.

              If the bureau’s report for you is locked, then the system fails to start, and you (or the person impersonating you) get(s) an error.

              > I still have KBA credit type questions sent to me on various websites even though I have frozen my credit for many months now @ the big 4.

              So, I authenticate with two banks by phone. They essentially ask me KBAs, but instead of using a bureau, they’re using their own internal records (who is my bank contact, what account types do I have). If an entity doesn’t have an existing business relationship with you, they typically have to use an information broker (and the credit bureaus are the largest, that’s their industry).

              I don’t use enough of the web (it’s huge…) to know of such sites. Could you possibly name some?

              > I’m guessing there are other vendors of KBA being used here outside of the big 4, or that freezing your credit doesn’t actually prevent KBA inquiries?

              In general, it works, the IRS used Equifax (quoting from this article):
              “As I’ve noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax.”

              — You can read the other articles @krebsonsecurity.com about the IRS mess to see people noting that by locking their report the various services wouldn’t allow accounts, and also articles about the SSA w/ similar results. — I’m not going to include citations, the more articles you read here, the better 🙂

          2. lessismoreorless

            @timeless

            Ok a look at this page here describes exactly the credit file touching we thought might be happening:

            “””
            What will we do with your information?
            The IRS may use third party data to verify your identity. The third party provides the IRS with information to generate questions used to help authenticate your identity. This action may create an entry called a “soft inquiry” on your credit report. The soft inquiry will be listed as an IRS inquiry with the date of the request. Only you can see the IRS soft inquiry. Soft inquiries do not affect your credit score and are not reported to lenders. Learn more about soft inquiries.
            “””
            https://sa.www4.irs.gov/eauth/pub/registration/prereg1.jsp

            Unfortunately I cannot test that freezing your credit prevents this because I have already registered for at the IRS site so I can’t get to the next step. But the description indicates that it wouldn’t work with a freeze in place. Cool beans!!!

          3. lessismoreorless

            to be clear, i don’t think freezing your credit at the big 4 is a pancea for this weak KBA questions, but the freeze seems to work at the IRS because they use KBA from one of the big four. I don’t know what would happen if they use KBA from a smaller firm like Lexis-Nexus or something.

      3. Ken Robinson

        The question is also, what is a valid phone number or email address? Many people change numbers for whatever reason (some just because, some because they were being harassed and went to a new, unlisted number, and others for other reasons). And, email addressees are even worse (and adding to that the email is amongst the most insecure protocols).

        How are people going to submit their phone information or email address? With the tax return? Through the nice secure IRS website?

        If companies have to submit copies of their employees W-2s, there may be another backend solution that could help cut down on theft: matching employer submitted W-2 information with employee submitted W-2 information. This can be done within the system in an automated fashion.

        And then, to combat fake employer-side submissions, when the W-2s are submitted, the total withheld for all employees is compares to the total receipts from that company (taxpayer ID) for a match to be considered valid.

        It isn’t perfect, but if the IRS is supposed to be good at accounting, it should leverage that skill set to helping to combat fraud.

        But, every leader within the IRS must be made to be held accountable for negligent behavior when it comes to protecting the American taxpayers and citizens.

    2. Mike

      You are not alone. December 22, 2015:

      https://www.treasury.gov/tigta/press/press_tigta-2015-45.htm

      In addition, authentication methods used for current online services do not comply with Government Information Security Standards. For example, TIGTA analysis of the e-Authentication processes used to authenticate users of the IRS online Get Transcript and Identity Protection Personal Identification Number applications found that the authentication methods provide only single-factor authentication despite the Government standards requiring multifactor authentication for such high-risk applications. As a result, unscrupulous individuals have gained unauthorized access to tax account information.

      “It is critical that the methods the IRS uses to authenticate individuals’ identities ensure that tax information and services are provided only to individuals who are entitled to receive them,” said J. Russell George, Treasury Inspector General for Tax Administration. “The unauthorized disclosure of tax information can enable identity thieves to prepare identity theft tax returns that more accurately reflect a valid return increasing the risk that fraudulent returns will not be detected by the IRS,” he added.

      TIGTA recommended that the Deputy Commissioner for Services and Enforcement develop a Service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensure that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensure that the authentication processes meet Government Information Security Standards. The IRS agreed to implement all three recommendations.

  9. StariVojnik

    simple, quit sending checks out/elected direct deposit….refund money back to account used to pay tax in (employer/bank) let them add it to next paycheck/deposit.

    1. David

      That was exactly my thoughts when I started reading the article. I think that is a great idea!

      1. Mark

        Exception – What if you’ve left the employer that provided the W2? Now you’ve got to go back to that employer to be issued a check after your return is completed.

        How about if you had multiple employers over the year? Or are a retiree?

        Sounds great up front, but these are some examples of why it’s not quite that simple.

    2. q

      Great idea, except that millions of Americans don’t have checking accounts.

      1. Diane Wilkinson Trefethen

        @q & eyebeam, et al

        The TAXPAYER doesn’t need to have a checking account. The “refund” is sent to the bank account that paid the withholding to the IRS.

        Re multiple employers: the refund goes to the bank account belonging to the employer who paid the most recent federal withholding for the Taxpayer.

    3. eyebeam

      What if you are no longer at the same employer at tax time? That means employers need to maintain workers on their payroll up to a year after severance.

      Many people have no checking account, and those tend to be the same people who change addresses frequently.

    4. timeless

      @eyebeam again has good feedback.

      The short of it is that no “solution” is “foolproof” or “simple”.

      Sometimes people move, or die. Just because an account was valid when you paid in doesn’t mean it’s valid later (my accountant just called me and happened to ask if mine was still valid).

      Also, some people file taxes from overseas (which typically involves hefty wire fees). They could be paying by cashier’s check. There’s no useful return for such a thing, and again, they could have moved and have no business with the bank at the time of a refund.

      The biggest problem in the system is that there are companies which will let someone open an “account” tied to a debit card which can accept direct deposit. Things like these were when I last checked (a year ago?) how criminals were “cashing”‘ refunds. They weren’t having the IRS send checks (cashing a check sent via the mail adds an extra federal crime — USPS, and it makes it much riskier).

    5. kelly

      When so many early filers are “self employed” and the refund is made up of huge refundable credits, that system will not work.

    6. Ken Robinson

      As many point out, many people don’t have the same job they may have had the entire previous here. And then, what about those situations where someone had multiple jobs where taxes were withheld. Do all of them get a piece to redistribute, or just one?

      But, there is also the question as to how much personal information that an employer or other entity should be able to have. With the information a typical employer already has, they can surmise a number of personal financial and life characteristics about a person based on their return. If you think of the data mining that is already in play for consumer data available elsewhere, it is not a stretch for a company to figure out personal characteristics of employees’ lives using that info (including potentially ‘moonlighting’).

      The best thing for anyone to do to protect themselves is to withhold for an amount where you may owe a little money at the end of the year, and not be owed a refund. After all, it isn’t working for you if the government is holding it for months on end. And, you can’t be hit with not getting your refund in a timely manner if there isn’t any to get.

  10. DaveT

    Why can’t the IRS verify with the bank that the contact information on the bank account matches what’s on the tax return? Banks already have a lot of process in place to verify the identity of their customers.

    1. Bob

      DaveT,

      There are a lot of people who don’t have bank accounts. Which employer is going to get the refund to send to the taxpayer? A lot of people work multiple jobs. What happens if the taxpayer changes jobs and moves after they file their tax return?

      1. Sasparilla

        You’re right Bob.

        We should just have the IRS send payouts after all submissions have been accepted (i.e. sent payouts on April 20th) and then they can run down issues with any double/triple returns prior to paying any money and this issue goes away.

    2. eyebeam

      They can easily open an account with all of your contact information, and transfer the money to another account for withdrawal.

    3. kelly

      So many of the refunds are going to money cards, Green Dot or H n R Block Emerald Card. Real banks do match the name, SSn and bank account number all have to match.

  11. Bob

    Let me get this straight. The Federal government in general can’t keep data safe, so they want us to give them our driver’s license number, which would make identity theft easier?

    1. TG

      One of my friends had her ID stolen and tried to warn the IRS of that. The IRS had her submit a form with a photocopy of her driver’s license. The IRS then said it could not read the photocopy of the license. She scanned the license, printed it, and submitted the print. The IRS eventually responded saying the scan was no good and to re-re-submit. She photographed the license and printed the image at the highest quality she could and sent that to the IRS.

      Still waiting on the response and she does not know whether, in the meantime, the IRS has flagged her account as a possible target for criminals or if it remains wide open to abuse.

      Though the IRS did not say what was wrong with the images of her license, it looks to me like the anti-forging holographic patterns the state issuing the license uses under federal mandate make licenses hard to scan or photocopy clearly.

      We iz all doomed.

  12. Stephen

    I am a novice computer user. I am a 20th Century man in a 21st Century world. I read all your solutions and think that for every solution that technology has come up with, it is shortly used by the miscreants to line their own pockets. We never had problems as wide spread back then as we do now. Technology is not a blessing. It is a curse. As many solutions as you folks come up with, a smart criminal will circumvent shortly after your solution is initiated. I read this column regularly and from what Brian writes about is how smart criminals are and I am afraid that modern society is losing the battle to protect itself. The future is only going to be more of the same.

    1. DD

      Brings to my mind “Catch Me If You Can”. I believe that Frank Abagnale, Jr. was a true 20th century man… Where is a will there is a way. We just hear about it more often.

  13. Mary

    The hubby and I were in the May batch of IRS breaches and have done everything anyone with identity theft can do to protect ourselves. The last thing I want to do would be to entrust the IRS with any more of my personal information such as my drivers license number which, in my mind, seems like the perfect storm for more identify theft. They need to fix this and fix it now. Seriously, why is it that people can file their returns well before employers, banks, etc. have a deadline of mailing your information to you. It just makes it so much easier for the thieves to get a jump start on honest taxpayers. Start by pushing the opening of filing season to a couple of weeks after the deadline to mail stuff. That hopefully gives those of us who want to file as early as possible, maybe, just maybe, an edge of these thieves. If we can beat them to it? I know how p’od we were about the breach, I cannot imagine how p’od we would if our PIN was taken too, which thank God didn’t happen. It just never ends.

    1. Ella

      I’ve wondered that too – I wanted to file my tax return as quickly as humanly possible, but had to wait for some of the forms to slowly trickle in. If companies have a deadline of Jan 31 to provide you with all the necessary information, tax season should start a few days after that!

  14. Kevin

    SO, when we file our taxes….or don’t file our taxes, or make a mistake and get audited….the IRS can go back 3 yrs and collect and add any penalties or interest associated. YET when they have lax security and false returns are filed which they pay then make us jump through hoops when these events happen we should be able to hold them accountable and charge them for allowing this to happen.
    Why is it so hard for the US Government to 2FA? OR use a simple method of using a call to validate your submission from your Cell/LAN line? (Call from one of these listed numbers, Caller ID and enter the 6 digit PIN)??? “Lower form of 2FA.”

    We consistently see these issues with government agencies and companies not being held accountable by the consumer. It seems to be a complete double standard. If the consumer is at fault there’s a ‘charge or penalty’ why cannot we as the consumer also charge them for their lack of security we entrusted them to have?

    When these events occur there are long term affects to the consumer that take time=money for us to get SS #’s reissued, freezing credit with the big 3…etc. The agencies and companies that decided it was a risk vs $ to not put in better security and offer credit monitoring is total BS. Something needs to be passed to hold these places accountable.

  15. Bill Clinton

    Thanks Obama, you’ve allowed your secretary of state to knowingly run her own email server, you had the IRS sock it to republican based political groups and you can’t secure our personal identity info with the tax department. While you’ve been at the helm, every single top secret government network (NSA, FBI, DOD…etc) has been compromised. And Snowden destroyed nearly ever government infosec project that cost tens of thousands of government employees years of effort to create and cost Billions. Yet when it comes to our own government needing access to a terrorist’s phone, you ENSURE it won’t get unlocked through your deafening silence on the subject of your lack of support for the FBI.

  16. Peter

    Considering not long back, the Fed’s OPM (i.e. Office of Personnel Management) failure to properly secure the personal info of some 18 million current and former Federal employees (of which I was one), this mess with the IRS is hardly surprising.

    I wonder how many of our ‘esteemed’ politicians, Cabinet Secretaries, etc had THEIR returns/refunds compromised?
    Oh…I forgot……over 55% of the members of the current sitting Congress are millionaires!

  17. Big-D

    There is a thousand ways to skin this cat but the issue is that the government has tons of data at their hand but they may or may not use it. How did you get your refund last year? Name, Address, account info are all stored. I am sure the government can get some (actually they already do) information from Equifax, so validate checking account info (all accounts are listed on your credit reports). Doesn’t match, then additional validation must occur. Give them a pin but not make it available online, just by phone in from the number you put on your taxes. Make the process just like calling for anything with health care or credit card.

    The issue is not us, it is leaking information from them and their utterly low bar they are using to dole out money in the name of expediency. If I get a refund, I would rather it wait a few weeks, than have fraud. Also in this computer age, how can they not check reports already provided. I mean all information should be delivered to IRS by February 1 from banks, employers, etc. No one should be able to provide their taxes until that information has been delivered to the IRS. Then they can do true cross referencing, before a refund is issued.

    These are not hard issues, it is just special interests and expediency have overcome basic common sense.

  18. Anon

    I called the number on the “retrieve your PIN” link Brian included in this article. After verifying some information they were able to tell me if my SSN was flagged as being compromised, whether or not I already have an IP PIN, and if a return had already been filed for this year. So, at least you can get a current status and determine if you’re a sitting duck (because you have minimal recourse with ID theft) or are already compromised.

    All IP PINs for the 2015 tax year have been issued. If you want one for your 2016 tax return I would recommend completing form 14039 as opposed to obtaining one on-line. The IRS agent I spoke with confirmed married couples should both obtain an IP PIN even though only one might be used for the return in certain situations (e.g., married filing jointly).

  19. Jack

    There is a solution the IRS can easily handle and that is the verification of bank account used to deposit monies into.
    If it is not in the individuals name no deposit.
    They have that capability right now to do this.
    As for checks, if the banks cash checks made out to someone without verification that bank is on the hook for the money then.
    Simply put, a bit of enforcement of their own rules they (the IRS) had in place several years ago would help this situation.

    1. eyebeam

      If someone has enough information to steal your tax return, they probably have enough information to open a bank account in your name.

  20. Dee

    Behavior Analytics software would help in weeding out the anomalies, such as different address, bank account, amount of refunds, from the previous year.

  21. Diane Wilkinson Trefethen

    On the front page of Form 1040, starting at the top, are blocks for
    1) Personal identifying information
    2) Filing Status
    3) Exemptions and
    4) Income

    The IRS should insert a block between #3 and #4 labeled “Identity Verification”
    The first thing in that block should be: WARNING: YOU WILL NEED A COPY OF THE LAST FORM 1040 YOU FILED TO COMPLETE THIS YEAR’S 1040.
    The block would then elicit the information that appears on a specific line from the previous return. The line requested would change each year.

    Notes on the actual refund.
    The information on an electronic refund would have to be verified by Taxpayer. The IRS could send a notice to the Taxpayer at her/his address as it appeared on last year’s return. I believe that the USPS forwards mail for one year. Taxpayer would then have to contact the IRS to acknowledge that s/he requested the refund. Alternatively, the refund could be a paper check, also mailed to the address on the previous return. The new block referenced above should note that if Taxpayer moved from the address that appears on her/his prior return over a year ago, s/he will need to appear in person at a local bank to obtain her/his refund.

    Is this less convenient? Yes. Would it be 100% effective? No. Would it cut tax refund fraud by over 90%? I think it would.

    1. Mary

      When we were slogging our way through protecting ourselves after the May breach, I reached out to the Wisconsin Department of Revenue (we live in Wisconsin) and filled out a form letting them know we were victims of ID theft. So, we were then informed of a new procedure for us. We were to file our 2015 return as always. However, a refund would not be issued until we verified everything. In the mail, we received a letter with specific instructions and PIN information. We went out to the DOR’s site, entered all the PIN info as well as some other very specific info specific to the 2015 filing. Once we did that, we waited about two weeks for the DOR to match/review everything, and then our refund was electronically sent to our bank. All in all, it took about a month to get this done. This worked really well.

    2. timeless

      FWIW, I’m not actually opposed to this idea, but it’s worth being aware of some of the edge cases.

      A. On any given day, nearly 2‰ of the US population is homeless [1]. If you’re itinerant, Premium Forwarding Service® [2] costs nearly $1000 annually that can redirect your mail to a new location weekly. But you almost certainly don’t have the resources for that.

      B. Nearly 15% of residents who have will move over the course of the year. You’re correct that you can do mail forwarding [2], it’s in fact free (although, an identity thief willing to break a number of federal mail laws can do it too) — there’s a small credit card charge made online (I think it’s effectively an “identity verification” thing).

      C. If you die 8‰ (do [3]), taxes still need to be paid by the estate/refunds returned to the estate, and mail forwarding is available [4].

      If you live outside of the USA, then mail forwarding is its own adventure. The USPS is actually pretty good about mail forwarding. Other countries have differing rules.

      D. There don’t seem to be many homeless Americans abroad, but it also doesn’t seem like they get much support if they’re in that state [5].

      E. While perhaps 34–43% of Americans have no income tax liability [6], a smaller percentage didn’t earn enough to have to file a return (it was ~15 million around 2003 [7], or roughly 5%). For these people, the IRS can easily have no address on record. But even w/o an obligation to file, if they have an SSN, they’re eligible to have income tax returns filed by fraudsters.

      F. I think that immigration is about 1.3% annually [8], in general they wouldn’t have filed a tax return in the previous year.

      I have no idea about the overlap between these groups. I think it isn’t particularly large, so perhaps 21% of the “population” (including dead people makes for an odd percentage) may have trouble with such a requirement. But the number is probably smaller.

      [1] http://www.endhomelessness.org/library/entry/the-state-of-homelessness-in-america-2015
      [2] https://www.usps.com/manage/forward.htm
      [3] http://www.cdc.gov/nchs/fastats/deaths.htm
      [4] https://www.usps.com/manage/mail-for-deceased.htm
      [5] http://www.independent.co.uk/news/uk/home-news/why-are-so-many-westerners-homeless-in-thailand-8830302.html
      [6] http://money.cnn.com/2013/08/29/pf/taxes/who-doesnt-pay-federal-income-taxes/
      [7] http://taxfoundation.org/article/number-americans-outside-income-tax-system-continues-grow
      [8] http://www.migrationpolicy.org/article/frequently-requested-statistics-immigrants-and-immigration-united-states

  22. Jeff

    For more info on this subject check out the CSPAN News Makers podcast with John Koskinen. He is an IRS commissioner. 2/25/16.

  23. Porter Jervis

    So, what happens to the people who have been defrauded? If they are entitled to a refund, do they get it? And if so does it take an eternity to claim it?

    1. kelly

      Yes they get it 120 -180 days later. Sometimes with added interest.

  24. Bill

    It seems to me that placing a security freeze on your accounts at the big 4 credit reporting agencies would go a long way to preventing you from becoming a victim. The IRS could no longer access your Experian account to ask static questions, and thus would deny the fraudster’s efforts to obtain prior year tax transcripts, or your IP PIN. I froze my accts, and tested the effectiveness with the IRS, and sure enough, was not permitted to set up an IRS acct because they could not ask static questions.

    1. lessismoreorless

      @Bill

      interesting, did not realize that the credit freeze shut down KBA access. I mean it makes sense to some degree, but I figured that KBA might be an exception. I still get KBA questions sometimes even though I’ve down a credit freeze at the big 4 (will have to make a mental note which website still does KBA next time I encounter it) , so I think in some cases a different vendor might be used for the KBA information outside of the big 4. Good to know it shut off IRS access though!

    2. lessismoreorless

      @Bill

      Ok a look at this page here describes exactly the credit file touching we thought might be happening:

      “””
      What will we do with your information?
      The IRS may use third party data to verify your identity. The third party provides the IRS with information to generate questions used to help authenticate your identity. This action may create an entry called a “soft inquiry” on your credit report. The soft inquiry will be listed as an IRS inquiry with the date of the request. Only you can see the IRS soft inquiry. Soft inquiries do not affect your credit score and are not reported to lenders. Learn more about soft inquiries.
      “””
      https://sa.www4.irs.gov/eauth/pub/registration/prereg1.jsp

      Unfortunately I cannot test that freezing your credit prevents this because I have already registered for at the IRS site so I can’t get to the next step. But the description indicates that it wouldn’t work with a freeze in place. Cool beans!!!

  25. Philo

    I learned everything I needed to know about the IRS IT Department when they upgraded their payment system over the Christmas holidays – the payment site was down for TWO WEEKS – I’ve never been given a two week transition window in my life, and I’ve never transitioned a public-facing site.

    I owed some back taxes for three tax years – as soon as the site was back up I went in and paid them all in full. A week later I got a letter for each tax year indicating the amount I had owed before the payment. When I called the IRS, they confirmed my payments were in processing and the letters were probably generated before payment processing.

    So the IRS payment site is down for two weeks, and when it’s brought back up the first thing they do is generate notices for every account that owes back taxes. That alone probably cost millions of dollars. I would think if they waited for two weeks the number of notices that had to be sent would drop significantly.

    Surprised that this team has security problems on their sites? Nope.

  26. Eby

    Why is my Google Authenticator not an option?
    Or at least a passphrase of my own selection?

    1. Jeff

      Because then the bad guys would just sign ‘you’ up for Google authenticator. Just like they currently file ‘your’ taxes or retrieve your pin.

  27. Cindy Poh

    Make people pick up their tax refund checks in person at a post office, consulate or embassy of their choice.

  28. Margie

    I got a letter for verification of I’d I called n now I.have to go to Alexander LA n take my I’d n birth certificate n then my refund will be str have anyone heard r done this

  29. bernard

    Anyone still wating on they’re 2014 refund?. .After verifying their identity. ..never receive mines still processing. …Now 2015 refund is still processing Wtf….is okay for the government to take they’re share every time I get paid..but never want to give it back when it’s tax season.

Comments are closed.