At the end of May 2015, we wrote about a data breach at the Internal Revenue Service (IRS), the USA’s federal tax office.
Crooks were able to login to the IRS’s Get Transcript application, a feature designed to allow taxpayers to review details of their income and tax-related information from previous tax years.
Admittedly, the attackers needed a fair bit of personally identifiable information (PII) up front about their victims in order to login illegally.
But once the crooks were in, they were able to learn more about each victim, and even about other members of some victims’ families, given that many Americans file one tax return to cover their whole family, typically including their spouses and dependent children.
Many unhappy returns
If crooks know enough about your tax affairs, they may very well be able to pull off a crime that’s become a real problem in the US.
They may be able to login in as you and to submit a bogus tax return while you’re still diligently preparing the paperwork to file legitimately.
The crooks will deliberately understate your final income, change your bank account details, request an electronic refund, and run off with the money.
When you get your documents together to file your own proper tax return, you’ll be unpleasantly surprised to find that you can’t, because the IRS system will consider your tax affairs to be finalised for the year.
So you’re stuck with what amounts to undeclared income, and the IRS is stuck with having paid out money from the public purse to a bunch of thieving rotters.
Interestingly, even before the Get Transcript breach, the IRS already had a handy anti-fraud measure known as the Identity Protection PIN (IP PIN).
That’s a six-digit number sent out by snail-mail that you need to provide in order to finalise your return: a form of two-factor authentication (2FA).
Simply put, a crook would need to steal your physical mail as well as know enough of your PII before he could stitch you up with a fraudulent return.
Unfortunately, the IP PIN system isn’t a standard part of the US tax filing season – it seems to be somewhere between an experimental and an emergency feature.
You can request an IP PIN if you live in Florida, Georgia or the District of Columbia; if you’re anywhere else in the US, you’re only eligible if you have already been a victim of identity fraud.
It’s something of an irony that 2FA codes for fraud prevention are routinely issued only to those people against whom fraud has already been detected.
As a result of the Get Transcript problem, changes are afoot in how US tax returns will be authenticated in 2016.
The IRS has announced a number of automated measures that will be applied to electronically submitted tax returns in the hope of preventing fraud in the future.
• Reviewing the transmission of the tax return, including the improper and/or repetitive use of [IP numbers...].
• Reviewing computer device identification data tied to the return's origin.
• Reviewing the time it takes to complete a tax return, so computer mechanized fraud can be detected.
• Capturing metadata in the computer transaction that will allow review for identity theft related fraud.
But we still think that the IRS should roll out the IP PIN system to everybody as a useful additional step.
Even if it remained opt-in, so you’d explicitly have to ask, we’d like to see IP PIN’s availability extended to to the entire USA.
Yes, that would cost money, but it would also be a positive way of engaging with the very Americans who are making an effort to live a more secure digital life.
And it would help to keep public money out of the hands of undeserving crooks.
What do you think?
Do you agree? Have your say in our poll…