IRS hacked again – say goodbye to that PIN system!

shutterstock_6839749

In the wake of automated attacks speeding up, the US tax overlords – the Internal Revenue Service (IRS) – has likewise sped up plans to deep-six its repeatedly hacked PIN system.

The IRS on Thursday announced that it’s removed its electronic filing PIN tool (e-File PIN), formerly available on IRS.gov or by toll-free phone call, following “additional questionable activity.”

Additional, as in, on top of 800 identity thefts that had already caused the IRS to suspend the PIN system in March 2016 (though it told taxpayers who already had an IP PIN at the time to continue to file their tax returns as they normally would).

The e-File PIN, also known as the Identity Protection (IP) PIN, is a supposedly special, strong form of two-factor authentication (2FA) meant to protect taxpayers from ID fraud: a six-digit number that, oddly enough, the US tax authority only sent to taxpayers who’d already been victimized.

Those PINs were for victimized taxpayers to include on future tax returns as an extra layer of security, since cybercrooks had already stolen their taxpayer IDs – i.e., their Social Security Numbers (SSNs).

The idea was that without a valid IP PIN, you couldn’t login, even if you were a crook armed with somebody’s SSN.

“Great!” we said, as did the vast majority of readers. “Why can’t everybody get one?

The problem with the PIN retrieval system, presumably, was that it used the same knowledge-based authentication that led to last year’s breach of the agency’s Get Transcript service: a service that allowed taxpayers to retrieve details of their past tax returns.

Applicants had to answer four questions about themselves to get a number, along the lines of “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”

But scammers can dig out, guess, or buy personal data like that online. That can enable them to get the PIN, with which they then try to file a bogus return.

Even before last year’s Get Transcript breach, a report by the Government Accountability Office pointed out the weaknesses in the PIN retrieval system.

But for whatever reason, the IRS left it in place.

And along with that status quo came an increase, over recent years, in automated attacks from crooks who’ve gone out of their way to get access to innocent users’ online tax submission accounts.

In February, we got wind of the thieves having struck again. This time, they used a list of known SSNs to repeatedly try to access the IRS’s Get My Electronic Filing PIN portal.

At the time, the crooks were after the PINs corresponding to 464,000 previously stolen SSNs and other taxpayer data. The IRS blocked that automated bot, but not before it had successfully grabbed 100,000 PINs.

The Get Transcript tool only reveals the PIN. It doesn’t reveal taxpayer data.

In the statement put out on Thursday, the IRS said that the criminals stole the SSNs somewhere else, and not from the agency. In addition to the SSNs, the crooks also used taxpayers’ names, addresses, filing status, and dates of birth to access the e-File PIN.

After this history of repeated attacks, why didn’t the IRS throw in the towel on the IP PIN after that February attack?

It says that it couldn’t: links to the tool are woven into “almost all” of the commercial tax software products that consumers use to file their tax returns. The IRS said it did, however, add “additional defenses,” including extra scrutiny for returns with e-File PINs.

But recently, the automated attacks sped up. The increasing frequency of attacks only affected “a small number of e-File PINs,” the IRS said. Those attacks were spotted thanks to additional defenses put in place earlier this year, along with backend protections.

The IRS didn’t give details on the beefed-up security measures, but we already know that the procedures running invisibly in the background include looking for improper/repetitive use of IP numbers, for example, along other measures the IRS outlined last June.

The IRS said that it had already been working with the industry as it mulled pulling the plug on the e-File PIN system later this year.

Scratch that “maybe later this year” timetable. Batten the hatches and arm the torpedoes: it’s happening now.

From the announcement:

The IRS decided to remove the e-File PIN program as a safety measure.