IRS Disables Hacked PIN Tool

Identity Thieves Abused Online PIN Retrieval Capability, Agency Warns
The U.S. Internal Revenue Service says it's temporarily deactivated an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud.

The feature in question is a six-digit number that the IRS calls the Identity Protection PIN, or IP PIN, which it rolled out to prevent criminals from filing fraudulent income tax returns simply by using someone else's Social Security number.

But as part of an ongoing security review, the IRS says it has now discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate IP PINs tied to tax filers' accounts, and warned that it's facing up to 130,000 fraudulent returns.

As a result, on March 7, the IRS announced that it temporarily disabled the ability to use its website "to try retrieving a lost or forgotten IP PIN." The agency's move suggests - although doesn't state explicitly - that attackers abused that feature to obtain valid PIN codes tied to victims' IRS accounts.

To use the PIN-retrieval feature, users needed to answer four "personal, financial and tax-related questions to verify your identity," according to a related IRS FAQ. Of course, if criminals already have that information, they could successfully impersonate taxpayers.

The IRS says that of the 2.7 million IP PINs that it's distributed for the 2016 tax-filing year - tax returns are due next month - there were 130,000 subsequent attempts, using the IRS website, to retrieve those PINs. It's not clear how many of those attempts were fraudulent.

Identity Theft, Fraud Review

All returns that are tied to PINs that were retrieved via the IRS website will now be subject to close scrutiny, the agency says, suggesting that some percentage of them will have been filed by fraudsters.

"For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns," the agency says. "These strengthened review procedures - which are invisible to taxpayers - have helped detect potential identity theft and stopped refund fraud. Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN."
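The review rule the agency describes (returns tied to PINs retrieved through the website get close scrutiny, mailed-only PINs do not) can be expressed as a simple triage filter. This is an added illustration, not IRS code; the record types, the hashed identifiers and all sample dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class PinRecord:
    """Constructed IP PIN issuance record: the letter was mailed on mailed_on,
    and online_retrievals lists dates the PIN was fetched via the web tool."""
    ssn_hash: str
    mailed_on: date
    online_retrievals: list = field(default_factory=list)

@dataclass
class TaxReturn:
    ssn_hash: str
    filed_on: date
    used_ip_pin: bool

def review_reasons(ret: TaxReturn, rec: PinRecord) -> list:
    """Reasons a return needs manual review; empty list means no flag."""
    reasons = []
    if not ret.used_ip_pin:
        # Returns from IP PIN taxpayers are not normally accepted without the PIN.
        return ["filed without IP PIN"]
    prior = [d for d in rec.online_retrievals if d <= ret.filed_on]
    if prior:
        reasons.append("IP PIN retrieved online before filing")
    if len(prior) > 1:
        reasons.append("multiple online retrieval attempts")
    return reasons

def triage(returns: list, pins: dict) -> dict:
    """Map each return's identifier to its review reasons."""
    return {r.ssn_hash: review_reasons(r, pins[r.ssn_hash]) for r in returns}

# Constructed sample data: one mailed-only filer, one single online retrieval,
# one repeated retrieval, one filing without the PIN.
PINS = {
    "h1": PinRecord("h1", date(2016, 1, 4)),
    "h2": PinRecord("h2", date(2016, 1, 4), [date(2016, 2, 10)]),
    "h3": PinRecord("h3", date(2016, 1, 4), [date(2016, 2, 1), date(2016, 2, 3)]),
    "h4": PinRecord("h4", date(2016, 1, 4)),
}
RETURNS = [
    TaxReturn("h1", date(2016, 2, 20), True),
    TaxReturn("h2", date(2016, 2, 20), True),
    TaxReturn("h3", date(2016, 2, 20), True),
    TaxReturn("h4", date(2016, 2, 20), False),
]

if __name__ == "__main__":
    for ident, reasons in triage(RETURNS, PINS).items():
        print(ident, "REVIEW" if reasons else "ok", reasons)
```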

Disabling of the online PIN-retrieval feature shouldn't impact most tax filers, the IRS claims. "Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool."

But as a result of the online PIN-retrieval feature no longer being available, the IRS says that anyone who's been instructed to file a return using an IP PIN, but who's forgotten their PIN - or lost the related letter they should have received from the IRS - will need to call the agency and attempt to verify their identity. If that fails, or if they've moved since Jan. 1, 2016, "they must file a paper tax return, which will receive additional scrutiny and take longer to process because we don't normally accept these returns without an IP PIN," the agency says.

Follows 'Get Transcript' Hack

As noted, the agency has so far discovered only 800 instances of tax-return fraud tied to abuse of the online IP PIN tool. While that might not seem like a significant number of cases, as breach-related investigations continue, investigators often find that the scope and scale of a data breach is much worse than was originally believed.

In May 2015, for example, the IRS warned that fraudsters had successfully subverted the agency's "Get Transcript" feature to obtain legitimate tax returns, thus giving them access to 114,000 real tax filers' tax returns, which include their Social Security numbers and other personal information, including financial details. The IRS first launched the feature in January 2014 to allow taxpayers to view and download their tax transcripts, or have them mailed to their addresses.

By August, however, the Treasury Department warned that related attacks had actually subverted 334,000 accounts (see IRS: Hack Much Wider Than First Thought). And last month, the agency said it now believes that hackers accessed at least 724,000 accounts and attempted to break into 575,000 other accounts (see IRS Doubles Number of Get Transcript Victims).

The IRS has suspended the Get Transcript feature (see Tax Commissioner Expects More IRS Cyberattacks).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.