In May 2015 the U.S. Internal Revenue Service announced that approximately 100,000 tax transcripts had been stolen when hackers broke into its website. That figure has now been upped to 724,000. The new system to protect the victims of the 2015 hack was to assign them Identity Protection PIN numbers that must be included on the tax return in order for it to be accepted by the IRS. Lost IP PINS can be retrieved by logging into the IRS website, a process that is protected from hackers by technology called Knowledge-Based Authentication (KBA) – which is ironically the same technology that was hacked in the first place. And it’s been hacked again this year.
Brian Krebs, journalist and security researcher, reported Mar. 1 in KrebsonSecurity that at least one person has been hacked already this tax season. Becky Wittrock is a CPA from Sioux Falls, S.D. who received one of the PIN numbers in 2014 after scammers tried to impersonate her to the IRS. This year she filed her tax return on Feb. 25, with the PIN number included as instructed, and was told that her return had already been filed on Feb. 2.
Wittrock called the IRS and told them that when she tried to e-file her return was rejected as a duplicate. She was told that the return that was already filed had included the correct PIN, and that fraud with use of these identification numbers is a big problem for the IRS this year. The IRS representative told her that they will soon be changing the system, and that the six-digit PIN will not be used next year.
The 724,000 tax records that were stolen in 2015 were accessed through the Get Transcript function on the IRS site between January 2014 and May 2015. Copies of tax returns could be obtained by anyone by providing the taxpayer’s name, Social Security number, date of birth and address, as well as answering some multiple choice questions that are fairly easy to guess, such as a street previously lived on, or what the user’s mortgage payment is.
Get Transcript was taken down, but the service used to retrieve the new IP PIN number stayed up, and is still using KBA to verify users attempting to access past records, the same system that was hacked in the first place. The IRS is aware of the weakness, and after testing the system reported that some likely identity thieves were able to answer the authentication questions correctly while some actual taxpayers were not.