IRS shuts down its insecure identity protection service after 800 fraudulent logins

Credit: Andrew F. Kazmierski /

Following a major breach of its systems in which hackers stole 700,000 US taxpayers’ records in 2015, the Internal Revenue Service (IRS) attempted to tighten security last week by issuing people personal identification numbers (PINs).

The trouble is that this new authentication method can be cracked the same way as the vulnerability that was discovered last year, which means it’s useless. After hackers attempted to access people’s returns at least 800 times, the IRS has ditched its new Internet Protection (IP) PIN system for the time being.

The IRS said in a statement that it had mailed PINs to 2.7 million people for this tax season. 130,000 of them had used its Web-based tool to retrieve their PINs and the agency noted that it had “confirmed and stopped 800 fraudulent returns using an IP PIN.”

How did this happen? The new system uses what’s called knowledge-based authentication to allow users to retrieve their PINs. It requires you to correctly answer questions like, “On which of the following streets have you lived?” to prove your identity.

The problem with this is that such information can easily be found through social media sites and online directories. It’s the same insecure system that allowed hackers to access people’s tax returns last year.

The agency said:

The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool.

It’s unclear why the IRS is shuffling its feet about implementing more stringent security measures when so many people’s personal information and money are stake. Hopefully it’ll have better ideas for the next tax season.

IRS Statement on IP PIN [Internal Revenue Service via Quartz]

Read next: Toyota’s wearable looks like a scarf and helps the blind navigate indoors