As many may recall, the IRS’ firewall was breached in 2015 and hackers made off with 724,000 personal records. The agency responded by instituting an “Identity Protection PIN” to enhance security and avoid further hiccups, but for this plan to work, the IP PINs cannot be authenticated using the same defunct Knowledge-Based Authentication function that was just hacked a year earlier.
And yet, that’s exactly what happened; evidence of at least one compromised PIN has already turned up. Security expert Brian Krebs writes that South Dakota accountant Becky Wittrock was assigned her IP PIN after being the victim of fraud in 2014, and when she filed her 2015 taxes on February 25, 2016, the system indicated her IP PIN had already been used. In other words, the hackers beat her to the punch (again).
Tax refund frauds, in which crooks submit your personal data to the IRS to claim your refund at another address, are more common than one may expect, affecting upwards of hundreds of thousands of US citizens annually. The new IP PINs were established to prevent this from happening, but if at least one PIN was compromised, then it’s very probable that there are many more.
The question then becomes: how can an anti-fraud tool be used for fraud? It’s pretty simple really. Users confirm their identity and obtain their PIN by completing a series of easy-to-guess questions such as “on which of the following streets have you lived” or “what is your total scheduled monthly mortgage payment,” most of which may be obtained through Facebook, Zillow, and other online databases. There’s nothing stopping identity thieves from doing the same and that’s the IRS’ fault.
When the IRS eliminated the “Get Transcript” page in response to the 2015 breach, it overlooked the fact that the page’s function itself wasn’t the issue; the underlying authentication system behind the page was. So instead of devising a new method for users to retrieve their new IP PIN, it continued using the same faulty authentication, thereby exposing users to the same vulnerabilities as last time.
Ironically, the IRS was aware of the authentication weakness well before 2015, publishing its findings in a 2015 report.
Speaking to Quartz, the IRS said that while it’s reviewing the authentication process for IP PIN retrieval, “most taxpayers receive their IP PIN via mail and never use the tool.” It also stated that “unlike ‘Get Transcript’, the IP PIN tool is available to a limited number of taxpayers who must have special markers on their tax accounts to successfully access the tool.”
The IRS also added that it “has a number of protections to monitor traffic on IRS.gov, and we continue to closely monitor the IP PIN situation.” Not that reassuring, but then again, the IRS is severely underfunded.
Source: Quartz via Krebsonsecurity
Image credit: AP Photo/J. David Ake