The IRS has suspended an online tool used to retrieve Identity Protection PINs -- a six-digit number needed by victims of tax refund fraud to file their taxes electronically -- after reports that the system suffered the same security weakness that allowed fraudsters to trick another agency tool into giving up taxpayer information last year.
"The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool," the IRS said in a statement Monday.
Concerns about the tool were thrust into the spotlight last week after journalist Brian Krebs wrote about a South Dakota woman, Becky Wittrock, who said fraudulent tax returns were filed in her name two years in a row -- and that the phony filing this year included her stolen IP PIN. That PIN was meant to add a layer of security to prevent this exact type of problem.
Wittrock was an apparent victim of a type of identity theft known as tax refund fraud, a scam where criminals file phony, often inflated, tax returns in an attempt to steal other people's refunds.
The IRS said in the statement that it had mailed out 2.7 million IP PINs to taxpayers this year and that only about 130,000 of them used the "Get an IP PIN" tool on the agency's website to access a lost or forgotten PIN.
The online IP PIN retrieval tool required information such as a taxpayer's name, date of birth, Social Security number, last filing status and the mailing address from their last tax return. It also asked a handful of "knowledge-based authentication" questions drawn from a person's credit history.
Unfortunately, answers to those questions can often be figured out by consulting public online sources such as social media networks or real estate tracking sites like Zillow -- or even by guessing. And the other personal information could have fallen into fraudsters' hands through past breaches, including an incident involving the IRS's "Get Transcript" tool last year.
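To make concrete why credit-history KBA is a weak gate in front of a six-digit PIN, here is an added example (not from the article, and not IRS code) that models the odds of passing a multiple-choice KBA quiz by guessing, given how many answers an attacker has already recovered from social media, property records, or earlier breaches. The quiz parameters used below (four questions, five options each, three correct to pass, three attempts before lockout) are assumptions for illustration; the article does not say how the IRS tool was configured.

```python
from math import comb


def kba_pass_probability(questions: int, choices: int, min_correct: int,
                         known: int = 0) -> float:
    """Probability that one attempt passes a multiple-choice KBA quiz.

    questions   -- number of questions asked in the quiz
    choices     -- answer options per question; a blind guess is right 1/choices
    min_correct -- correct answers required to pass
    known       -- questions the attacker can already answer from social media,
                   property records, or data stolen in earlier breaches

    The unknown questions are modelled as independent uniform guesses, so the
    number of correct guesses is Binomial(questions - known, 1/choices).
    """
    if not 0 <= known <= questions:
        raise ValueError("known must be between 0 and questions")
    if not 0 <= min_correct <= questions or choices < 1:
        raise ValueError("invalid quiz parameters")
    unknown = questions - known
    need = max(0, min_correct - known)      # correct guesses still required
    p = 1.0 / choices
    return sum(comb(unknown, k) * p ** k * (1 - p) ** (unknown - k)
               for k in range(need, unknown + 1))


def pass_probability_with_retries(single_attempt: float, attempts: int) -> float:
    """Chance of at least one success when the site allows `attempts` tries
    before locking the account (each attempt assumed independent)."""
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    return 1.0 - (1.0 - single_attempt) ** attempts


def weakest_link(pin_digits: int, kba_single: float, attempts: int) -> float:
    """The gate an attacker actually faces is whichever path is easier:
    guess the PIN directly, or pass the KBA quiz that hands the PIN back.
    Returns the larger of the two success probabilities per lockout window."""
    pin_guess = pass_probability_with_retries(10.0 ** -pin_digits, attempts)
    kba_guess = pass_probability_with_retries(kba_single, attempts)
    return max(pin_guess, kba_guess)


if __name__ == "__main__":
    # Assumed quiz shape: 4 questions, 5 options, 3 to pass, 3 tries (not IRS figures)
    for known in range(0, 5):
        single = kba_pass_probability(4, 5, 3, known)
        print(f"known={known}: one attempt {single:.4f}, "
              f"within 3 tries {pass_probability_with_retries(single, 3):.4f}")
    print(f"blind 6-digit PIN guess within 3 tries: "
          f"{pass_probability_with_retries(1e-6, 3):.2e}")
```

With nothing known, blind guessing passes the assumed quiz about 2.7% of the time per attempt, roughly 27,000 times more likely than guessing the PIN itself; with two answers already harvested the single-attempt odds rise to 36%, and with three the quiz is passed for certain. The PIN's own entropy never enters the picture, because the recovery path, not the PIN, sets the effective strength.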
The "Get Transcript" tool also relied on "knowledge-based authentication" to prove a taxpayer's identity and may have allowed criminals to access the tax information of more than 700,000 people, according to the IRS's latest update on the scale of that breach. The agency took the "Get Transcript" system offline after the problems last year, but it left the "Get an IP PIN" tool up.
In an interview with The Washington Post last week, IRS Commissioner John Koskinen said the agency was taking a number of steps on the back end of its systems to ensure the security of taxpayers using IP PINs. He also said the agency is giving extra scrutiny to returns filed with lost IP PINs retrieved through the online tool.
The IRS said Monday that it has stopped 800 fraudulent returns filed using IP PINs through the end of February, more than four times the "less than 200" figure it cited to The Post last week. In the "Get Transcript" case, the IRS repeatedly raised its estimates of the number of victims. When the agency first acknowledged the problem last May, it estimated that 100,000 people's tax accounts were affected. By late last month, that figure had jumped to more than 700,000 accounts.