Posts Tagged: Mike Kasper

Jun 16

IRS Re-Enables ‘Get Transcript’ Feature

The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.

irsbldgDuring the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.

So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:

  • immediate access to your email account to receive a confirmation code;
  • name, birthdate, mailing address, and filing status from your most recent tax return;
  • an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
  • a mobile phone number with your name on the account.

“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”

The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS. Continue reading →

Aug 15

Street Gangs, Tax Fraud and ‘Drop Hoes’

Authorities across the United States this week arrested dozens of gang members who stand accused of making millions of dollars stealing consumer identities in order to file fraudulent tax refund requests with the Internal Revenue Service (IRS). The arrests highlight the dramatic shift in gang activity in recent years from high-risk drug dealing to identity fraud — a far less risky yet equally lucrative crime.

cashgrafAccording to a story last week at CBS in Los Angeles, some 32 members of the so-called Insane Crip gang and their associates were charged with 283 counts of criminal conspiracy, 299 counts of identity theft, 226 counts of grand theft and 58 counts of attempted theft. Together, they are accused of operating a $14.3 million identity theft and tax fraud scheme.

In Elizabeth, N.J., 14 members of a street gang were arrested in a 49-count indictment charging the defendants with a range of “white-collar crimes,” including filing false tax returns and manufacturing fake gift cards to collect thousands of dollars. According to, the money from the scams was used to support members of the 111 Neighborhood Crips and to aid other gang members who were in jail or prison.

“All 14 defendants face charges under New Jersey’s Racketeer Influenced and Corrupt Organizations (RICO) statute,” NJ’s Tom Haydon writes. “Defendants allegedly bought stolen identities of real people for use in the preparation of fraudulent W-2 forms. Those forms were used for fraudulent income tax returns filed early in the tax season.”

Tax return fraud costs consumers and the U.S. Treasury more than $6 billion annually, according the U.S. Government Accountability Office. And that number is by all accounts conservative. It should not be a surprise that street gangs are fast becoming the foot soldiers of cybercrime, which very often requires small armies of highly mobile individuals who can fan out across cities to cash out stolen credit cards and cash in on hijacked identities.

Tax fraud has become such an ingrained part of the modern gang culture that there is a growing set list of anthems to the crime — a type of rap music that evokes the Narcocorrido ballads of the Mexican drug cartels in that it glorifies making money from identity theft, credit card fraud and tax return fraud.


A key component of cashing out tax return fraud involves recruiting unwitting or willing accomplices to receive the fraudulent refunds. Earlier this year, I wrote about Isha Sesay, a Pennsylvania woman who was arrested for receiving phony IRS refunds on behalf of at least two tax fraud victims — including Mike Kasper, the guy who helped expose the IRS’s pervasive authentication weaknesses and later testified to Congress about his ordeal.

Turns out, the sorts of gang members arrested in the above-mentioned crime sweeps have a different nickname for people like Ms. Sesay: Instead of money mules, they’re derisively known as “drop hoes.” In cybercriminal parlance, a “drop” is a person who can be recruited to help forward stolen funds or merchandise on to the criminals, providing a pivotal buffer against the cops for the thieves.

In this Youtube video (not safe for work), a self-styled rapper calling himself “J-Creek” opines about not being able to find enough drop hoes to help him cash out $40,000 in phony tax refund deposits to prepaid debit cards. It’s been a while since I’ve listened to pop music (let alone rap) but I think this work speaks for itself (if rather lewdly).

The artists allegedly responsible for the tax fraud paean, "Drop Hoes."

The artists allegedly responsible for the tax fraud paean, “Drop Hoes.”

Here are a few choice quotes from the song (I cut out much of it, and someone please correct me if I somehow butchered the lyrics here). I think my all-time favorite line is the one about the role of Intuit’s TurboTax: “She got them stacks then went tax on the turbo.” Continue reading →

Aug 15

IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam

The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness.

Screenshot 2015-03-29 14.22.55In March 2015, I warned readers to Sign Up at Before Crooks Do It For You — which tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Two months later, IRS Commissioner John Koskinen publicly acknowledged that crooks had used this feature to pull sensitive data on at least 110,000 taxpayers. Today, the Associated Press and other news outlets reported that the IRS is now revising those figures, estimating that an additional 220,000 potential victims had Social Security numbers and information from previous years’ tax filings stolen via the IRS Web site.

“In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns,” the AP story notes. “They were successful in getting information from about 334,000 taxpayers.”


The IRS’s experience should tell consumers something about the effectiveness of the technology that the IRS, banks and countless other organizations use to screen requests for sensitive information.

As I reported in March, taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried.

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at works to obtain a free credit report from, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.


The IRS has responded to the problem of tax ID theft partly by offering Identity Protection PINs (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, according to Kasper — the tax ID theft victim whose story first prompted my reporting on the Get Transcript abuse problem back in March — the Web site allows consumers who have lost their IP PINs to recover them, and incredibly that feature is still using the same authentication method relied upon by  the IRS’s flawed Get Transcript function.

Continue reading →