The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on March 2, 2016

IRS invites thieves to hijack your tax refund (again) with new PIN system

IRS invites thieves to hijack your tax refund (again) with new PIN system
Bryan Clark
Story by

Bryan Clark

Former Managing Editor, TNW

Bryan is a freelance journalist. Bryan is a freelance journalist.

Last year hackers stole sensitive records from over 100,000 350,000 700,000 people after a security breach of the IRS website. Hackers found a vulnerability in the ‘Get Transcript’ verification process and used this to amass some 700,000 names, Social Security numbers, addresses and filing statuses.

This year, the IRS wants to prove it’s righted its earlier wrongs and stepped up security by giving taxpayers internet protection (IP) personal identification numbers (PINs). These IP PINs are basically a secret code that taxpayers are required to use on their tax forms in order to prevent future fraud.

Thing is, it’s the exact same process as last year, only with an additional step. It’s the digital equivalent to giving thieves a key to your house and then trying to secure yourself by using a second lock that used that exact same key.

Hackers exploited a loophole in the authentication system at the IRS website; an additional key does nothing to address that vulnerability other than provide the illusion of safety for those that use the site.

Krebs on Security, the site that broke this story, talked with Becky Witrock, a certified public accountant (CPA), after her PIN had been used by thieves more than three weeks before she filed her return.

I tried to e-file this weekend and the return was rejected. I received the PIN since I had IRS fraud on my 2014 return. I called the IRS this morning and they stated that the fraudulent use of IP PINs is a big problem for them this year.

Wittrock, who had been victimized by IRS attackers previously, called the IRS to report this to a representative who told her:

We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification. He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.

“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”

Rightfully so. It seems that the IRS is foregoing proper security while they work on a solution for the future, a move that puts the burden of protecting ourselves on the taxpayer.

It’s a sound reason to be pissed.

Thieves Nab IRS PINs to Hijack Tax Refunds [Krebs on Security]