New IRS tax hack rips off people who were already ripped off

The IRS shuts down part of its website to try to stop tax refund thieves from taking even more money.

Joe received a big check in the mail a while back, a refund check from the IRS for $9,000.

“Yahtzee!” Joe told me. “I’ve had to pay in for the last ten years. And all of a sudden, I get a $9,000 refund. Bang!”

But the check was not for him. He found out thieves had used his information to make a fake tax return. They had intended the check to go to them, of course, but Joe said an online filing snafu accidentally sent the check his way, and the plot was uncovered.

For people like Joe, the IRS has a plan. Victims of tax ID theft can get a special “IP PIN,” an identity protection personal identification number, to file with their returns, to prove it is really them.

“The IP PIN is a six-digit number that provides an additional layer of protection for taxpayers who have been or could become victims of tax-related identity theft,” the IRS said in an announcement.

But the IRS has now shut down its IP PIN retrieval system on its web site, saying thieves have been mining these special PINs to victimize people like Joe—again.

How did they get in?

The “Get an IP PIN” tab is now frozen on the IRS site, with a message, “This tool is unavailable until further notice.”

Before the freeze, the fakers were able to get in.

The site says you must have access to your e-mail account and “answer personal, financial, and tax related questions to confirm your identity” to get the IP PIN online.

But Brian Krebs with Krebs on Security said that thieves needed to do little more than answer “four easy-to-guess questions from consumer credit bureau Equinox.”

“These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing,” wrote Krebs.

“In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook,” he added.

Cybersecurity experts say answers to knowledge-based questions can also be gleaned from information stolen in the many high-profile data breaches, including hospitals, retail companies and the Office of Personnel Management, which revealed life history data for millions of people.

The IRS announced Monday that they had found 800 fake returns using stolen IP PINs.

Cat and mouse

The IRS said it is reviewing the “Get an IP PIN” application and looking at ways to strengthen security.

“We understand that for those taxpayers this is a significant aggravation—by definition, they got an IP PIN in the first place because they’d been the victim of identity theft,” IRS commissioner John Koskinen told the Washington Post.

“It’s a little game of cat and mouse” with tax return thieves, he said in the article.

But some people have less than flattering comments for the IRS, including a South Dakota woman who told Krebs that thieves had indeed used her IP PIN to try to steal her refund a second time.

“So, last year I was devastated by this,” victim Becky Wittrock said in the post, “But this year I’m just pissed.”

“We have entrusted the IRS—out of the requirements of law—with our most detailed financial information and they not only can’t keep it secure, but they let the crooks use our information to steal from the U.S. government,” said Patrick Coyle with Chemical Facility Security News.

Not the first IRS hack

The IRS announced last month that even more people were affected by attacks on another part of the agency site, the “Get Transcript” application, totaling more than 700,000, reported Time. “Get Transcript” allowed taxpayers to answer security questions to get access to their previous tax returns.

“In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS said.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer,” it said.

The agency said it mailed the new victims to let them know of the hack, and continues to keep the “Get Transcript” part of its site shut off. 

Currently, “Get Transcript” says you can get copies of your previous returns by mail.

Bots

Also last month, the IRS said malicious hackers used automated bots to get E-file PINS for more than  100,000 stolen Social Security numbers. The E-file PIN, different from an IP PIN, can be used to send in your return electronically.

The agency said it mailed notices to the people affected and is marking their accounts to protect them against tax ID theft.

Proving who you are

Cybersecurity experts say there can be problems with sensitive interactions online.

“It’s difficult to prove who someone is for humans who don’t know each other,” Slade Griffin with Contextual Security told Archer News. “It’s more difficult for a computer, as it must rely on whatever criteria is being used.”

“For example, most of the time, anyone with your password is you online,” he added. “In this case, anyone with your credentials and the ability to reveal your IP PIN.”

And passwords can be part of the problem, some say.

“The IRS is having the same problem that many customer service organizations continue to have,” said Coyle. “They ask us to develop and memorize any number of unique, hard-to-remember passwords and PINs, knowing full well that people are going to forget them by the droves.”

“If they make it too hard to reset passwords, they get voluminous customer complaints. If they make it too easy, the crooks game the system,” Coyle said.

Security questions

Those security questions about your siblings and your favorite car may not protect you from theft.

“Knowledge-based authentication or ‘out-of-wallet’ questions have always had a weakness,” said Daniel Lance with Archer Security Group. “They ask questions we all brag about, or that is public knowledge.”

Lance suggested that you use the knowledge-based questions as an extra password layer, when possible.

“When asked to enter your best friend’s name, input a complex alpha-numeric password with more than eight digits,” he said.

Then, use a storage device, like a digital password safe, to encrypt and store that password, he explained.

“Knowledge-based authentication isn’t about helping you remember who your first grade teacher is,” he said. “It’s about getting you access again and again.”

However, most knowledge-based authentication solutions store your answers unencrypted, he said.

In case of a hack, he recommended you use different knowledge-based authentication answers for different companies or organizations, so the thieves can’t use your security answers against you.

IRS security questions

The IRS security questions did not allow for you to enter your own information. Instead, you—or thieves—responded to fixed questions about your personal and financial history.

“Fixed knowledge-based authentication is always an issue,” said Lance.

 For now, the IRS has taken it off line.

“Until accounting, authentication, and authorization are more mature, doing some things electronically may need to be restricted,” said Griffin.

What to do if you are affected

The IRS said it sent out letters with IP PINS to 2.7 million people for this year. About 5% of those people, about 130,000, used the IP PIN retrieval tool on the site to get their IP PIN, perhaps because they forgot the IP PIN or lost the letter, according to the agency.

The IRS has discovered 800 fake returns with stolen IP PINs so far, 800 new “Yahtzees,” as Joe might call them.

If you are one of the 800, the agency has these instructions for you do in this announcement on the IRS site.