PIN-stealing IRS attack affects 100,000 taxpayers

It’s tax filing season in the United States.

That means that you are now able to go online and submit your tax returns for 2015.

Of course, with the final tax filing deadline far away in April, many of us are still twiddling our thumbs, or waiting for paperwork, or simply putting off until tomorrow what we’d rather not do today.

What that means is that this is an ideal time for tax refund fraudsters to get busy, filing a fraudulent return in your name, understating your income in order to claim a refund, and then scooping up the refund by having the funds diverted out of your account and into theirs.

The IRS has had plenty of trouble in recent years with refund fraud, including automated attacks from crooks who have gone out of their way to get access to innocent users’ online tax submission accounts.

In May 2015, for example, crooks used an online IRS system called Get Transcript to probe for taxpayers’ personal information that they could use in refund fraud.

Get Transcript had nothing to do with the tax filing or refund system – it was a reference portal by which you could retrieve returns from previous years – but it turned out to hold exactly the sort of information a crook could use to file this year’s return.

Granted, the crooks needed an existing database of personal information to initiate their attack, such as names and Social Security Numbers (SSNs), but it seems as though they had acquired a handy list from an earlier data breach somewhere else.

Even if they didn’t pull off the breach of the existing database themselves, the crooks could simply have bought that data on some underground forum.

Unfortunately, this sort of round-the-houses attack has happened again.

This time, the crooks used a list of known SSNs to make repeated attempts to access the IRS’s Get My Electronic Filing PIN portal.

Ironically, an E-Filing PIN is a sort of second factor of authentication (2FA) that you need, along with other personal data, when submitting online tax returns.

In other words, it seems that you can request your second factor of authentication by using your first factor, which isn’t quite the idea of 2FA.

According to the IRS:

Based on our review, we identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. The incident, involving an automated bot, occurred last month, and the IRS continues to closely monitor the web application.

The IRS says it will contact everyone whose account was affected.
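As an added illustration (not part of the original article, and not IRS code), here is the kind of defender-side check that would surface the pattern described above: one client looking up E-File PINs for many different SSNs in a short window, with roughly the one-in-five hit rate implied by the IRS figures quoted above. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical log format: timestamp, client address, hash of the submitted SSN, result.
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) ssn_hash=(?P<ssn>\S+) "
                     r"result=(?P<result>ok|fail)$")

def parse(lines):
    """Yield (timestamp, client, ssn_hash, success) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], FMT), m["client"], m["ssn"], m["result"] == "ok"

def flag_pin_enumeration(lines, window=timedelta(minutes=10), max_distinct_ssns=5):
    """Return {client: (peak_distinct_ssns, attempts, successes)} for each client that
    looked up more than max_distinct_ssns different SSNs inside any `window`.
    A legitimate user queries one SSN (their own); a bot with a stolen list cycles through many."""
    per_client = defaultdict(list)
    for ts, client, ssn, ok in parse(lines):
        per_client[client].append((ts, ssn, ok))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak = lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window forward
                lo += 1
            peak = max(peak, len({ssn for _, ssn, _ in events[lo:hi + 1]}))
        if peak > max_distinct_ssns:
            flagged[client] = (peak, len(events), sum(ok for _, _, ok in events))
    return flagged

def constructed_log():
    """Constructed sample: one user retrying their own lookup, plus one bot cycling
    through 40 SSN hashes at one request per second and getting a PIN for one in five."""
    base = datetime(2016, 1, 12, 9, 0, 0)
    lines = []
    for i, result in enumerate(("fail", "ok")):
        ts = (base + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{ts} client=198.51.100.4 ssn_hash=user01 result={result}")
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime(FMT)
        result = "ok" if i % 5 == 0 else "fail"
        lines.append(f"{ts} client=203.0.113.7 ssn_hash=list{i:03d} result={result}")
    return lines
```

Running `flag_pin_enumeration(constructed_log())` flags only the bot client, reporting 40 distinct SSNs and 8 PINs returned out of 40 attempts; the genuine user, who queried a single SSN twice, is not flagged.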

Presumably, if you’re on that list you will be allowed to request a special, stronger form of 2FA from the IRS known as the Identity Protection PIN (IP PIN).

This is a six-digit number that is sent to you by snail-mail, and without which you can’t finalise your tax return.

Annoyingly, the IP PIN isn’t available to everyone on demand – only to taxpayers who have already suffered some kind of identity breach.

We think that the IRS ought to let anyone who wants one sign up for an IP PIN; if we got the chance, we’d do it.