Last year hackers stole sensitive records from over
100,000 350,000 700,000 people after a security breach of the IRS website. Hackers found a vulnerability in the ‘Get Transcript’ verification process and used this to amass some 700,000 names, Social Security numbers, addresses and filing statuses.
This year, the IRS wants to prove it’s righted its earlier wrongs and stepped up security by giving taxpayers internet protection (IP) personal identification numbers (PINs). These IP PINs are basically a secret code that taxpayers are required to use on their tax forms in order to prevent future fraud.
Thing is, it’s the exact same process as last year, only with an additional step. It’s the digital equivalent to giving thieves a key to your house and then trying to secure yourself by using a second lock that used that exact same key.
Instead of asking Apple to unlock iPhones, maybe the FBI should hire the hackers who broke into the GSA, the IRS and the State Dept
— David Burge (@iowahawkblog) March 1, 2016
Hackers exploited a loophole in the authentication system at the IRS website; an additional key does nothing to address that vulnerability other than provide the illusion of safety for those that use the site.
Krebs on Security, the site that broke this story, talked with Becky Witrock, a certified public accountant (CPA), after her PIN had been used by thieves more than three weeks before she filed her return.
I tried to e-file this weekend and the return was rejected. I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.
Wittrock, who had been victimized by IRS attackers previously, called the IRS to report this to a representative who told her:
We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification. He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.
“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”
Rightfully so. It seems that the IRS is foregoing proper security while they work on a solution for the future, a move that puts the burden of protecting ourselves on the taxpayer.
It’s a sound reason to be pissed.
➤ Thieves Nab IRS PINs to Hijack Tax Refunds [Krebs on Security]