IRS yanks anti-identity-theft tool IP PIN over 800 identity thefts

Remember the Internal Revenue Service’s (IRS’s) IP PIN?

That supposedly special, strong form of two-factor authentication (2FA) meant to protect taxpayers from ID fraud, a six-digit number that, oddly enough, the US tax authority only sent to taxpayers who’d already been victimized?

Those “Identity Protection PINs” were for victimized taxpayers to include on future tax returns as an extra layer of security, since cybercrooks had already stolen their taxpayer IDs – i.e., their Social Security Numbers (SSNs).

The idea was that without a valid IP PIN, you couldn’t log in, even if you were a crook armed with somebody’s SSN.

“Great!” we said, as did the vast majority of readers. “Why can’t everybody get one?”

Well. Yes. About those PINs.

The IRS suspended the identity protection PINs as of Monday.

Why? Because cybercrooks have been using the anti-identity-theft tools to steal people’s identities.

The IRS said it sent out 2.7 million IP PINs by snail mail for the 2015 tax filing season.

About 5%, or 130,000, of those people used the online retrieval tool to try to recover a lost or forgotten IP PIN.

Thanks to review procedures running invisibly in the background (looking for improper or repetitive use of IP PINs, for example, along with other clues the IRS outlined last June), the agency had sniffed out scammers behind 800 of those retrievals by the end of February.

Cybercrooks had used those 800 PINs to try to file fraudulent tax returns that would have redirected people’s refunds into the criminals’ own bank accounts.
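The article says the IRS caught the 800 fraudulent retrievals through background review looking for “improper/repetitive use” of IP PINs. The following is an added illustration of what such a review can look like in code; it is not IRS code, and the log format, field names, thresholds and every log line are constructed for the example. It flags two patterns: one client address retrieving PINs for many distinct taxpayers in a short window, and one taxpayer ID with repeated knowledge-based-authentication failures followed by a success.

```python
"""Toy reviewer for improper or repetitive use of an IP PIN retrieval tool.

Added example, not IRS code. The log format, field names and thresholds
are assumptions made for illustration; every log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client address, hashed taxpayer ID, outcome.
# 203.0.113.5 retrieves PINs for five different taxpayers in five minutes;
# tp-0200 fails the KBA questions three times before finally succeeding.
SAMPLE_LOG = """\
2016-02-20T09:00:00 203.0.113.5 tp-0001 success
2016-02-20T09:01:10 203.0.113.5 tp-0002 success
2016-02-20T09:02:30 203.0.113.5 tp-0003 kba_failed
2016-02-20T09:03:00 203.0.113.5 tp-0004 success
2016-02-20T09:04:15 203.0.113.5 tp-0005 success
2016-02-20T10:00:00 198.51.100.7 tp-0100 success
2016-02-20T11:30:00 198.51.100.9 tp-0200 kba_failed
2016-02-20T11:31:00 198.51.100.9 tp-0200 kba_failed
2016-02-20T11:32:00 198.51.100.9 tp-0200 kba_failed
2016-02-20T11:33:00 198.51.100.9 tp-0200 success
"""

WINDOW = timedelta(hours=1)          # assumed review window
MAX_DISTINCT_IDS_PER_SOURCE = 3      # assumed threshold
MAX_KBA_FAILURES_PER_ID = 2          # assumed threshold


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, source, taxpayer_id, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, tid, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, tid, outcome))
    return events


def flag_sources(events, window=WINDOW, limit=MAX_DISTINCT_IDS_PER_SOURCE):
    """Flag client addresses that touched more than `limit` distinct taxpayer IDs within `window`."""
    by_src = defaultdict(list)
    for ts, src, tid, _ in events:
        by_src[src].append((ts, tid))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {tid for ts, tid in hits[i:] if ts - start <= window}
            if len(ids) > limit:
                flagged.add(src)
                break
    return flagged


def flag_taxpayer_ids(events, limit=MAX_KBA_FAILURES_PER_ID):
    """Flag taxpayer IDs where a success follows more than `limit` KBA failures (guessing pattern)."""
    failures = defaultdict(int)
    flagged = set()
    for _, _, tid, outcome in events:
        if outcome == "kba_failed":
            failures[tid] += 1
        elif outcome == "success" and failures[tid] > limit:
            flagged.add(tid)
    return flagged


def review(text):
    """Run both checks over a log and return the flagged sources and taxpayer IDs, sorted."""
    events = parse_log(text)
    return {
        "sources": sorted(flag_sources(events)),
        "taxpayer_ids": sorted(flag_taxpayer_ids(events)),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

On the constructed log this flags the one address that pulled PINs for five taxpayers and the one taxpayer ID that was retrieved only after repeated wrong answers; a real review would also weigh the other signals the article mentions, but the shape of the check is the same.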

The IRS has stopped the system, for now, to try to figure out how to make it more secure.

From its statement:

As part of its ongoing security review, the Internal Revenue Service temporarily suspended the Identity Protection PIN tool on The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool.

The problem with the PIN retrieval system, presumably, is that it used the same knowledge-based authentication that led to last year’s breach of the agency’s Get Transcript service: a service that allowed taxpayers to retrieve details of their past tax returns.

Applicants have to answer four questions about themselves to get a number, along the lines of “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”

But scammers can dig out, guess, or buy personal data like that online. That can enable them to get the PIN, with which they then try to file a bogus return.

Even before last year’s Get Transcript breach, a report by the Government Accountability Office pointed out the weaknesses in the PIN retrieval system.

But for whatever reason, the IRS left it in place.

As of August, when Quartz investigated the Get Transcript breach, it wasn’t even clear if the IRS was still using the system that had been breached.

The IRS wouldn’t confirm one way or the other. Instead, it merely said it was taking “a number of steps to protect taxpayers and Identity Protection (IP) PINs.”

The IRS is telling taxpayers who’ve already been issued an IP PIN to continue to file their tax returns as they normally would.

Lost the letter with the IP PIN? You’ll have to call the IRS and prove you’re who you say you are. Check the statement for more details on what to do.
