Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections.
Tax refund fraud affects hundreds of thousands — if not millions — of U.S. citizens annually. It starts when crooks submit your personal data to the IRS and claim a refund in your name, but have the money sent to an account or address you don’t control.
Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
The IRS’s preferred method of protecting tax refund victims from getting hit two years in a row — the Identity Protection (IP) PIN — has already been mailed to some 2.7 million tax ID theft victims. The six-digit PIN must be supplied on the following year’s tax application before the IRS will accept the return as valid.
As I’ve noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS.
Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.
“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”
Wittrock said she called the toll-free number for the IRS that was printed on the identity theft literature she received from the year before.
“I tried to e-file this weekend and the return was rejected,” Wittrock said. “I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.”
Wittrock said that to verify herself to the IRS representative, she had to regurgitate a litany of static data points about herself, such as her name, address, Social Security number, birthday, how she filed the previous year (married/single/etc), whether she claimed any dependents and if so how many.
“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.'”
According to Wittrock, the IRS representative shared that the agency wouldn’t be relying on IP PINs for long.
“He said, ‘We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification’,” she recalled. “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.” Continue reading →