The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at irs.gov comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.
During the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.
In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.
So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:
- immediate access to your email account to receive a confirmation code;
- name, birthdate, mailing address, and filing status from your most recent tax return;
- an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
- a mobile phone number with your name on the account.
“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”
The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS.
According to Federal Computer Week, central to the new setup will be knowledge-based authentication that uses supposedly harder-to-answer questions than the tests that led to the compromise of Get Transcript.
Mike Kasper, the tax fraud victim whose story ultimately earned him a chance to testify about the experience before the U.S. Senate Committee on Homeland Security & Governmental Affairs, called the new authentication methods a good step forward. But he worries that they will simply encourage tax refund thieves to commit more acts of identity theft in victims' names.
“Looks like the investment for a $6,000 refund went from $10 to purchase credit data or now a card number for the victim, up to about $30 to buy a prepaid number although it’s probably even cheaper now,” Kasper said. “I think the ID thieves might simply open new cell phone or credit card accounts in the name of the victim or even keep changing the name on prepaid cell phone accounts acquired just for this purpose.”
Kasper notes that the same lame authentication methods that led to the Get Transcript debacle are still used by annualcreditreport.com, a site mandated by Congress as the only site where consumers can get their by-rights guaranteed free copy of their credit report from each of the major bureaus. Credit reports contain quite a bit of information that may allow thieves to glean the mobile and credit card account numbers for the taxpayers they’re targeting.
Annualcreditreport.com asks consumers to provide a bunch of personal data that can be bought for about $3-$4 from cybercrime shops online — such as date of birth, Social Security number, address and previous addresses. The site also asks the visitor to answer a series of so-called knowledge-based authentication (KBA) questions supplied by the credit bureaus.
These KBA questions — four multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — present a small enough answer space that a fraudster can often enumerate it by guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook, which shrinks that space further.
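As an added illustration (not code from the article, the credit bureaus or annualcreditreport.com), the following Python models a four-question multiple-choice KBA challenge and shows why it is enumerable: how few attempts an attacker walking the answer space needs, how answers harvested from public records shrink the space, and how an attempt lockout bounds the attack. The number of choices per question, the lockout threshold and the sample "correct" answers are assumptions for this example.

```python
import itertools
import math
from fractions import Fraction

# Constructed model of an "out of wallet" KBA challenge: four multiple-choice
# questions with OPTIONS choices each. The question count comes from the article;
# the option count and the lockout threshold used below are assumptions.
QUESTIONS = 4
OPTIONS = 5


def per_attempt_success(known=0, questions=QUESTIONS, options=OPTIONS):
    """Probability that one blind attempt answers every question correctly.

    `known` is the number of questions the attacker has already answered from
    public sources (e.g. a previous address from a property-records site);
    those are not guessed and so shrink the search space.
    """
    return Fraction(1, options ** (questions - known))


def attempts_for_confidence(confidence, known=0, questions=QUESTIONS, options=OPTIONS):
    """Attempts an attacker walking the answer space in order needs to reach
    `confidence` probability of success, assuming the true combination is
    equally likely to sit anywhere in the space (after k distinct guesses the
    success probability is k / space)."""
    space = options ** (questions - known)
    return math.ceil(confidence * space)


def enumerate_kba(truth, known_answers, options=OPTIONS, lockout=None):
    """Enumerate every combination of the unknown answers in order.

    truth         -- list of the correct option index for each question
    known_answers -- {question_index: option} the attacker already knows
    lockout       -- if set, the site locks the session after this many failed
                     attempts and enumeration stops (the mitigation KBA sites
                     lacking rate limits do not provide)

    Returns (found, attempts_used).
    """
    unknown = [i for i in range(len(truth)) if i not in known_answers]
    attempts = 0
    for combo in itertools.product(range(options), repeat=len(unknown)):
        if lockout is not None and attempts >= lockout:
            return False, attempts          # locked out before success
        guess = dict(known_answers)
        guess.update(zip(unknown, combo))
        attempts += 1
        if all(guess[i] == truth[i] for i in range(len(truth))):
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    truth = [3, 1, 4, 0]   # constructed "correct" answers for the sample victim
    print("blind per-attempt odds:", per_attempt_success())
    print("attempts for 50% success, nothing known:", attempts_for_confidence(0.5))
    print("attempts for 50% success, two answers known:", attempts_for_confidence(0.5, known=2))
    print("no lockout, nothing known:", enumerate_kba(truth, {}))
    print("no lockout, two answers from public data:", enumerate_kba(truth, {0: 3, 1: 1}))
    print("lockout after 3 failures:", enumerate_kba(truth, {}, lockout=3))
```

With five choices per question the whole space is only 625 combinations, so an attacker who is not rate-limited reaches even odds after 313 tries, and knowing two answers from public records drops the space to 25. The same enumeration stalls at three attempts once a lockout is in place, which is the practical check a site relying on KBA should have.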
Fraudsters also may opt to simply phish the phone and credit card information from victims, or turn to criminal data brokers in the underground that specialize in selling these dossiers on consumers, Kasper said.
“The real question is, when will more banks start to check that the incoming transfer from the IRS is for an account under the name of an actual customer,” Kasper said. “Most banks do not do this, but even if they did that is not a complete solution unless they also know their customer. There were probably thousands of fraudulent tax refunds last year where the [perpetrators] just opened up bank accounts in other people’s names to receive a refund from the IRS. Because if you’re a thief and you open an account in the victim’s name, it’s a little harder to trace.”