Another tax filing season means another season of opportunities for tax fraud. And to add insult to last year’s injury, some of the same people who were victims of the IRS’ data breach are being victimized once again.
Brian Krebs of KrebsOnSecurity is reporting that the Identity Protection (IP) PIN the IRS sent out to those affected by last year’s “Get Transcript” fraud can potentially be obtained by people who are not you (i.e. fraudsters). The PIN is initially sent by mail to a person who has been a victim of fraud. This isn’t where fraudsters are obtaining the PIN. The point of attack is actually back with the IRS, on the “Retrieve Your Lost or Misplaced IP PIN” portion of its website. As often happens in this day and age of too many passwords to remember, people misplace or forget their IP PIN. The IRS has created an electronic way to retrieve this PIN, but the system uses the same retrieval method that allowed the “Get Transcript” fraud. The system uses knowledge-based authentication, which has you answer four questions from the credit bureau Equifax. These questions will be something in the ballpark of your previous address, loan amounts and other questions of a similar nature. The problem is that the answers to these questions are easy to guess, especially since a taxpayer who is using an IP PIN has already had their information compromised. A good question is: why is the IRS using the same authentication system that caused issues last year?
Additionally, more good news out of the IRS: further review of the “Get Transcript” incident from 2015 has identified an additional 390,000 taxpayer accounts that were potentially accessed. This brings the total number of affected taxpayers to somewhere over 700,000. Luckily, not all of them necessarily had fraudulent returns filed, but those taxpayers will now most likely have to deal with the IP PIN. Not all is doom and gloom, though. KrebsOnSecurity does have a handy write-up on things you can do to keep yourself from being a victim of tax fraud.