21 Mar 17

Student Aid Tool Held Key for Tax Fraudsters

Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid. The removal of the tool has created unexpected hurdles for many families hoping to qualify for financial aid, but the action also eliminated a key source of data that fraudsters could use to conduct tax refund fraud.

Last week, the IRS and the Department of Education said in a joint statement that they were temporarily shutting down the IRS’s Data Retrieval Tool. The service was designed to make it easier to complete the Education Department’s Free Application for Federal Student Aid (FAFSA) — a lengthy form that serves as the starting point for students seeking federal financial assistance to pay for college or career school.

The U.S. Department of Education’s FAFSA federal student aid portal. A notice about the closure of the IRS’s data retrieval tool can be seen in red at the bottom right of this image.

In response to requests for comment, the IRS shared the following statement: “As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend their Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves.”

“The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue,” the statement continued. “At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications. The IRS and FSA are actively working on a way to further strengthen the security of information provided by the DRT. We will provide additional information when we have a specific timeframe for returning the DRT or other details to share.”

The removal of the IRS’s tool received relatively broad media coverage last week. For example, a story in The Wall Street Journal notes that the Treasury Inspector General for Tax Administration — which provides independent oversight of the IRS — “opened a criminal investigation into the potentially fraudulent use of the tool.”

Nevertheless, I could not find a single publication that sought to explain precisely what information identity thieves were seeking from this now-defunct online resource. Two sources familiar with the matter but who asked to remain anonymous because they were not authorized to speak on the record told KrebsOnSecurity that identity thieves were using the IRS’s tool to look up the “adjusted gross income” (AGI), which is an individual or family’s total gross income minus specific deductions.

Anyone completing a FAFSA application will need to enter the AGI as reported on the previous year’s income tax return of their parents or guardians. The AGI is listed on the IRS-1040 forms that taxpayers must file with the IRS each year. The IRS’s online tool was intended as a resource for students who needed to look up the AGI but didn’t have access to their parents’ tax returns.

Eligible FAFSA applicants could use the IRS’s data retrieval tool to populate relevant fields in the application with data pulled directly from the IRS. Countless college Web sites explain how the tool works in more detail; here’s one example (PDF).

As it happens, the AGI is also required to sign and validate electronic tax returns filed with the IRS. Consequently, the IRS’s data retrieval tool would be a terrific resource to help identity thieves successfully file fraudulent tax refund requests with the agency.

A notice from the IRS states that the adjusted gross income (AGI) is needed to validate electronically-filed tax returns.

Tax-related identity theft occurs when someone uses a Social Security number (SSN) — either a client’s, a spouse’s, or dependent’s — to file a tax return claiming a fraudulent refund. Thieves may also use a stolen Employer Identification Number (EIN) from a business client to create false Forms W-2 to support refund fraud schemes. Increasingly, fraudsters are simply phishing W-2 data in large quantities from human resource professionals at a variety of organizations. However, taxpayer AGI information is not listed on W-2 forms.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

This would not be the first time tax refund fraudsters abused an online tool made available by the IRS. During the height of tax-filing season in 2015, identity thieves used the irs.gov “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the number of taxpayers targeted via abuse of the Get Transcript tool was probably closer to 724,000.

The IRS re-enabled its Get Transcript service last summer, saying it had fortified the system with additional security safeguards — such as requiring visitors to supply a mobile phone number that is tied to the applicant’s name.

Now, the IRS is touting its new and improved Get Transcript service as an alternative method for obtaining the information needed to complete the FAFSA.

“If you did not retain a copy of your tax return, you may be able to access the tax software you used to prepare your return or contact your tax preparer to obtain a copy,” the IRS said in its advisory on the shutdown of its data retrieval tool. “You must verify your identity to use this tool. You also may use Get Transcript by Mail or call 1-800-908-9946, and a transcript will be delivered to your address of record within five to 10 days.”

The IRS advises those who still need help completing the FAFSA to visit StudentAid.gov/fafsa or call 1-800-4FED-AID (1-800-433-3243).

DON’T BE THE NEXT VICTIM

Here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:

- File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

- Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

- File Form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

- Consider placing a “security freeze” on your credit files with the major credit bureaus. See this tutorial about why a security freeze, also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.

- Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

36 comments

  1. Why can’t the IRS send your family’s AGI directly to the Department of Education without revealing it to potential fraudsters? That seems like it’d solve the problem without adding undue burden to FAFSA applicants.

    • How do you see this working? Keep in mind, you can submit paper forms. So, now, the DOE needs to collect enough information from you so they can effectively impersonate you to the IRS even though they don’t need some of that. To be fair, they must do some auditing of information submitted, but I’m betting they don’t check 100% of all paper submissions for gamification of the AGI.

      Now you are forcing this (likely costly and time consuming) step in the processing of paperwork, where it should be relatively simple for someone to figure out the AGI of taxes their parents filed the previous year. You’re exchanging processing time and cost for security... except, are you really getting that much extra security given that you are now submitting to the DOE enough information for them to pass IRS verification to gain access to *all* your past tax information. So now, instead of just a leak at the IRS revealing all my tax data, I need to worry about leaks at the DOE too.

    • Or a SHA-256 hash? A simple DoE query to the IRS to compare results; seems easy. But then if putting a man on the moon was easy, anyone could do it.

    • IRS cannot send ANY tax info to anyone other than the taxpayer, for any reason. There are 2 laws ordering IRS to help INS grab illegal aliens; those laws are ignored because tax return privacy, including not showing a person has filed a tax return, trumps helping the cops enforce our laws.
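The thread above argues about whether the Education Department could check a family’s AGI against IRS records without the IRS ever handing the value out. The Python below is an added illustration of that “confirm, don’t disclose” design; it is not code from KrebsOnSecurity, the IRS or the Education Department, and every SSN, dollar figure and the three-attempt lockout policy in it are constructed placeholders. It places the disclosing design (an endpoint that returns the AGI, which is what the DRT effectively did for anyone who could log into a FAFSA) beside a yes/no endpoint that never returns the number, and adds the throttling and audit trail a yes/no oracle needs because a whole-dollar AGI is a small enough search space to guess.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample records (fictional placeholders, not real taxpayer data):
# SSN -> prior-year adjusted gross income in whole dollars.
IRS_RECORDS = {
    "000-00-0001": 54_300,
    "000-00-0002": 128_950,
}

# Assumed policy value for this illustration: failed checks allowed per SSN
# before the confirm endpoint stops answering for that identity.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class AgiService:
    """Two ways an IRS-side service could answer a FAFSA question about AGI."""

    records: dict
    failed: dict = field(default_factory=dict)   # SSN -> consecutive failures
    audit: list = field(default_factory=list)    # (event, ssn) tuples

    def lookup_agi(self, ssn: str):
        """Disclosing design: hand the AGI to whoever reaches the endpoint.

        Because the AGI also validates an e-filed return, this turns a stolen
        or purchased FAFSA login into the secret needed for refund fraud.
        """
        self.audit.append(("lookup", ssn))
        return self.records.get(ssn)

    def verify_agi(self, ssn: str, claimed_agi: int) -> bool:
        """Confirm-only design: caller supplies the AGI, service answers yes/no.

        Nothing the caller did not already know is returned. Failed attempts
        are counted per SSN so the yes/no answer cannot be used to walk the
        (small) space of possible dollar amounts.
        """
        if self.is_locked(ssn):
            self.audit.append(("locked", ssn))
            return False
        actual = self.records.get(ssn)
        # Unknown SSN fails without revealing that the SSN is unknown; known
        # SSN is compared in constant time on the encoded decimal strings.
        ok = actual is not None and hmac.compare_digest(
            str(actual).encode(), str(claimed_agi).encode()
        )
        if ok:
            self.failed.pop(ssn, None)
            self.audit.append(("verified", ssn))
        else:
            self.failed[ssn] = self.failed.get(ssn, 0) + 1
            self.audit.append(("mismatch", ssn))
        return ok

    def is_locked(self, ssn: str) -> bool:
        """True once an SSN has exhausted its allowed failed checks."""
        return self.failed.get(ssn, 0) >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    svc = AgiService(dict(IRS_RECORDS))
    print("disclosing lookup returns:", svc.lookup_agi("000-00-0001"))
    print("confirm with right value:", svc.verify_agi("000-00-0001", 54_300))
    print("confirm with wrong value:", svc.verify_agi("000-00-0001", 54_301))
    for guess in (0, 1, 2):
        svc.verify_agi("000-00-0002", guess)
    print("locked after repeated mismatches:", svc.is_locked("000-00-0002"))
    print("audit trail:", svc.audit)
```

The lockout is the part that matters: the SHA-256 comparison suggested in the thread is just another yes/no oracle, and since AGI is a whole-dollar figure with a few hundred thousand plausible values, hashing it adds no secrecy on its own. Whatever form the comparison takes, the defensive properties come from never returning the value, rate-limiting or locking per identity, and logging every mismatch so a burst of wrong answers for one SSN is visible to the agency.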

  2. IRS iTunes Card (real)

    Good Article!

  3. The IRS really hates scamming. Makes sense that they’ll jeopardize service for security.

  4. Having filled out several of these nasty FAFSA forms, I despise it — it’s very intrusive depending on how one answers the questions. My college kid goes to a school that requires me to fill out a FAFSA even when I don’t qualify for any Federal aid — they just want my data from the DoE. I hope these FAFSA folks at the DoE are encrypting my data at rest and in motion because they are a juicy target for data thieves.

    • Don’t count on it, either at rest or sometimes even in transit. The education sector of IT (public schools) is a HUGE minefield of MAJOR vulnerabilities at every turn. Security spending, for the educational sector, is woefully small and very underfunded. Don’t count on them as you might for a reputable bank or security firm.

    • You are very lucky, NOT! FTI and IRS regulations don’t require data encryption for data at rest, I’ve just found out. And if it’s an internal data transfer, it doesn’t need to be encrypted either.

    • My kids do not qualify for federal aid and I refuse to file the FAFSA with the nosy financial aid offices at their schools. They receive merit scholarships, and those do not require the FAFSA because they are given based on merit, not finances. I wonder why your school forces you to fill them out–I would refuse to do it if I were you. Your money is none of their business if you are not seeking need-based aid or federal loans.

      • Hi Muffy, I think the FAFSA folks (DoE) provide each school some aggregated data about those who fill out the form, thus providing the incentive. That’s my gut. My kid got a generous scholarship based on merit, but my school still wanted the FAFSA — nuts! They are drunk on data.

  5. Well at least, for once, the IRS doesn’t look totally inept at online security! :/

  6. Whew, at least I don’t have to worry about falling into this Government Student Finance trap. I’m too White and too Male to even be considered.

  7. The oft-repeated advice to “file before the fraudsters” isn’t much help.

    Bad guys filed both my state and federal 2015 returns for me last year. Fortunately both the state and the feds flagged the returns as “likely fraudulent” and contacted me.

    I did find out from the state (yes, I spoke to an actual person!) that the fraudulent return was filed on Jan 1, 2016. I don’t even have my W-2s at that point. There really isn’t any way for me to file before the fraudsters.

    As an aside, due to some suspicious activity in August of 2015, I froze all my credit reports based on Krebs’ fine advice. That action has saved me considerable grief in the following months.

  8. It’s good to see that a vulnerability has been identified, and I think it’s clear to everyone that this hacked together system needs to be replaced. As a student who has to fill out this form every year however, I hope everyone involved realizes how critical it is that this system be built to be reliable and intuitive, two things it currently is not.

  9. If someone using stolen personal information can find out my tax information by filing a fake FAFSA and using the data retrieval tool, a fake income tax return might be the least of my worries. Armed with my income and family information, think of what other things the crook could do, such as apply for loans, credit cards, etc. It sounds to me that if people want to protect themselves against this sort of thing, it might be necessary to create your own FAFSA and transcript accounts, thereby creating your own id and password security information. Then if someone tries to access your data through one of these IRS tools for identity theft, they won’t be able to get your data.

    • This was essentially the approach that I recommended back in 2015, before the IRS was even willing to admit there was an issue with their Get Transcript function.

      https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/

      • By the way, as is logical, the thieves were into the IRS files 2-3 years before 2015; shown by numbers of 2014 & 13 false returns with near exact amounts from prior year w2s on them. Suspect once they got in, were cautious, sending relatively few false returns for a year or so; test cases. They then might have shared how to do it; so enough guys swarmed inside to make it noticeable even to IRS, in 2015. Or, just swooped in themselves in 2015 clearcutting as fast as they could until shut down.

  10. The IP Pin is no longer being offered to people who have reported identity theft.

    • Not true – I got an IP PIN this year from the IRS. File the form that Brian mentioned, or if you’re from Florida, Georgia or D.C. use their website to get a PIN without a form.

  11. I told you about this on a previous article you posted but you didn’t approve it. I read another comment you made that said ‘some comments don’t belong here’ so I figured maybe raising that alarm was part of the ‘comments that don’t belong here’. I will just keep my whistle and be a normal commenter.

    • Yes and your comment then was held for moderation by the system and I left it there because it was a decent tip. Perhaps if you used a real email address in the future I could correspond with you.

  12. No one is forced to fill out a FAFSA. There are certain types of aid such as need based aid that may require a FAFSA. If you wish not to receive that aid, just don’t fill out a FAFSA. It’s that simple.

  13. I am a little confused about this answer and am wondering if there is another piece of information missing.

    The IRS DRT is accessed by a student or parent signing into the FAFSA. To sign into the FAFSA you would need either a person’s name, social security number, and date of birth, or their FSA ID (which is a more secure way to sign in: https://studentaid.ed.gov/sa/fafsa/filling-out/fsaid#what-fsaid). However, if they can get into the FAFSA they would already have access to a person’s name, address, date of birth, social security number, and for dependent students they would have the parents’ information as well. They would also have access to their tax information without having to access the IRS DRT tool directly (if IRS information was transferred onto the FAFSA previously).

    My question is does this mean that the IRS DRT tool itself is the source of the insecurity or is it coming from the DOE’s end and the FAFSA is the issue? Based on them shutting down the IRS DRT I’m guessing that there is a way to directly access the IRS DRT without having to get into the FAFSA? Do you have any further clarification? Thank you.

    • Avr- SSN, DOB and address can be bought for about the price of a Starbucks coffee on several underground shops. Also, this information is being heavily phished from HR departments at countless organizations.

      • My Aunt works IRS. She says so far over 300,000 people wrote that their Co. says they’ve been hacked for W2 info. Some of these have ID theft returns, some don’t yet. More and more false returns show exact W2 data. Some have the true preparer name and true preparer EFIN. The only visible difference from true returns on a particular batch was, the true preparer put cpa after his name; the thief left the “preparer’s” title off.
        The IRS managers still refuse improving their detection processes, even after 11-12 years of failure. Just now they ordered the troops to stop using a “false returns for Puerto Ricans” cheat sheet after a newbie idiot tax examiner complained it unfairly discriminated against Latino named people.

        • This doesn’t surprise me, media pushing the agenda. SJW college programs have been working overtime creating mindless zombies. Everyone is so worried about how others see them vs truth these days. It’s like living in a daycare run by the Joker these days.

          The reality is, you should all have freezes on your credit, you should just expect that any of the thousands of institutions the banks and colleges use as contractors have outsourced your data handling to people with more reason to sell it vs keep it safe.

          When I worked for a bank, the IT folks would just shrug and say xyz vendor has the legal obligation to keep it safe now that we shared it with them. They all knew those xyz contractors had crap security and were just looking for a fast buck. They cheated their employees on living wages, and do you expect them to pass on the pot of gold ID sale?

          Kind of like the House Intel committee leader just told the world that the USA has been spying on all of you and bad players have been using the info inside our gov for personal gain. But media? Not a Peep. You all? Still uninformed and making poor decisions on bad data. While the perpetrators laugh at it all on wikileaks. See… All of that didn’t make you care at all, now you know why you’re going to be hacked. Not if, just when.

      • Thank you for your reply, but that does not answer the question of why the IRS data retrieval tool was taken down. Someone trying to get the AGI would already have it by accessing past or current FAFSAs using the PII. It sounds like the FAFSA is more of a threat than accessing the IRS DRT.

  14. I’m disappointed that you cite the dramatic increase in tax refund fraud from 2013 to 2015 without mentioning that it appears to have FALLEN in 2016 and 2017.

    Do you not trust the numbers?

    The various tax software “know your customer” and information sharing arrangements have borne fruit. That’s newsworthy and should be applauded. Clearly it’s still a problem, but defenses have improved, which is why we see the bad guys shifting to BEC and ransomware instead.

    • Rich,

      Where in this story do you see me citing 2013 numbers? Also, if you have 2017 numbers and 2016 numbers, please cite your sources with a link.

      Thanks

      • Page 3

        Volume 4, Issue 3

        IRS, Security Summit Partners Expand Identity Theft Safeguards for 2017 Filing Season, Build on 2016 Successes

        IR-2016-144, Nov. 3, 2016
        WASHINGTON – The Internal Revenue Service, state tax agencies and industry partners today finalized plans for 2017 to improve identity theft protections for individual and business taxpayers after making significant inroads this year against fraudulent returns.
        Public and private sector leaders announced today that their collective efforts through the Security Summit initiative have led to a marked improvement in the battle against identity theft during 2016. This is highlighted by the number of new people reporting stolen identities on federal tax returns falling by more than 50 percent, with nearly 275,000 fewer victims compared to a year ago.
        At a Washington press conference, Summit leaders also detailed new and expanded safeguards for taxpayers in the upcoming 2017 tax season. The 2017 focus revolves around “trusted customer” features that will help ensure the authenticity of the taxpayer and the tax return – before, during and after a tax return is filed. The additional protections will build on the 2016 successes that prevented fraudulent returns and protected tax refunds.
        “We’ve made remarkable progress this year in our efforts to protect taxpayers following the unprecedented coordination with the states, the tax industry and the financial sector,” said IRS Commissioner John Koskinen. “Working together, this coalition has expanded its activities in many different areas, and we are focused on strengthening our systems and processes even more for the upcoming tax season.”
        “It is gratifying to see how many different ways we have already identified and begun to implement changes,” said Dawn Cash, Commissioner, Oklahoma Tax Commission and President, Board
        …….

        I don’t yet believe this; every year they announce success, no matter how wretched the record really is; but for what it’s worth….

        • Yes, but bear in mind that the IRS likes to release numbers that place things in a decidedly positive light, but it almost never releases information about fraudulent returns it pays out on, i.e. how many billions the US Treasury loses each year due to the agency’s failure to detect fraudulent returns.

  15. Brian, I don’t know if you have learned anything more that you haven’t shared publicly. The IRS sent a letter to taxpayers whose information was exposed, and the letter implies the crooks made off with a lot more than just AGI.

    Part of the letter states “Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits.”

    It goes on to offer credit monitoring, identity theft insurance, and “other services that will allow you to monitor your personal accounts.”

  16. I agree with you, Brian, you do not cite any numbers from 2013 in this post. I too would be interested to see that commenter’s references.