IRS Tool Designed To Protect Identity Theft Victims -- Exposes Users To Identity Theft

from the bang-up-job dept

Last year, the personal records of 100,000 taxpayers wound up in the hands of criminals, thanks to a flimsy authentication process in the agency's "Get Transcript" application. In short, the IRS used all-too-common static identifiers to verify taxpayer identity (information that could be found anywhere), allowing criminals to use the system to then obtain notably more sensitive taxpayer information and ultimately steal finances. At the time, the IRS breathlessly insisted it would be shoring up its security standards, though it failed to really detail how it would accomplish this.

Tax return fraud has since become a burgeoning industry unto itself, with crooks consistently gaming IRS systems to fool the IRS into sending your money to a criminal's account, something victims only discover when they find their own, legitimate tax returns rejected. To protect these compromised users, the IRS has employed a system wherein it mails these victims a six-digit "Identity Protection (IP) PIN." That PIN has been mailed to some 2.7 million victims, and must be entered into the following year's tax return. But not too surprisingly, this PIN system is also notably easy to game, relying heavily on commonly available user data:
...The trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
So yes, that's an agency already hit several times by fraud and internal scandals providing an identity theft tool -- that can be used to help steal your identity. A CPA by the name of Becky Wittrock, who had fallen victim to identity theft in 2014, notes she's now been a repeat victim after thieves impersonated her, then used the IRS's crappy PIN system to impersonate her again:
Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. “So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”
After spending more time trying to prove her identity to the IRS than the thief apparently did, Wittrock was told that next year the IRS will be ditching the PIN system for a murky system that may rely on users' driver's licenses. Granted, we do seem to enjoy gutting IRS funding, staffing, authority and overall resources, only to complain that the agency sucks at doing its job. Still, that's no excuse for not implementing some fundamental authentication common sense. Meanwhile, the IRS's repeated failures are troubling for a government that's intent on viewing itself as the foremost expert in cyber-warfare and security, yet still can't manage to keep wolves out of its own henhouse.

Filed Under: hack, identity theft, irs


Reader Comments



  • Anonymous Coward, 3 Mar 2016 @ 3:49pm

    Needs more backdoors.


  • orbitalinsertion, 3 Mar 2016 @ 3:50pm

    OMG, crappy TFA for stupid websites is more secure than this.


  • shanen, 3 Mar 2016 @ 4:38pm

    Wrong economic model

    Unless the economic models make it unprofitable, our privacy will continue to be abused. The funny part is that we don't need new laws in America. It's basically in the Bill of Rights, and it would be obvious if certain so-called justices didn't think that corporations are real people rather than legal fictions (that occasionally must be regarded as having status in lawsuits involving contracts).

    The solution is actually an old quasi-joke: "Possession is nine points of the law." Before we had all these computers and stuff, your personal information was mostly in your head, and if someone wanted to know when you visited a convenience store, they had to ask you, not the recordings of the surveillance cameras. That information should be owned by the person it relates to, and even stored where that person wants it stored. Accessing the information for any purpose should require the permission of the owner AKA the person involved.

    If there are several people involved (and there usually are), then the natural solution is that all of them share ownership and have copies of the information. Anyone else has to get permission after explaining why, and can't legally retain the information after the purpose of the why has been satisfied.


  • rw, 3 Mar 2016 @ 5:05pm

    Simplify

    First and foremost - the US Tax system is too taxing. Individuals are taxed when they earn money, when they spend money, when they save money. Their employers are taxed when they earn money, when they spend money and when they save money. And there's a billion pages on how to get out of paying this tax or that tax and how to be penalized for not paying a tax. The tax law should be able to be written on 100 pages or less in plain, common, proper English - not Lawyerease and a secret dictionary.

    How about simplifying it, tax every business on their gross income and tax every individual on their purchases. Things not taxed are the minimum basics, Requisite, nutritious food, real health care and medicinal products. Graduate the percent of tax on quantum leaps - millionaires are taxed at a higher rate, billionaires at an even higher rate - but never more than 50%. Maybe not even more than 10% if everyone must pay. Same with goods and services, if it is a bass boat - a lower rate, a yacht is a higher rate. The more expensive something is from what is typically needed, the higher the tax rate. But corporations use public facilities and they should not be able to not pay tax. They employ a workforce that has to use public facilities to get there. Same for any physical religious venue. But that could be easily stated in 100 pages or less.


    • Kal Zekdor, 3 Mar 2016 @ 7:38pm

      Re: Simplify

      I get where you're coming from, but your suggestions are at odds with your ideals. VAT structures are a mess to actually implement. Suddenly the government needs to know the value of every good and service, and entities selling goods or services need to navigate a quagmire of tax classifications in order to figure out how much they need to pay back in taxes. There's no way you're fitting that in 100 pages. If anything, it would end up more complicated than it already is.

      Not to mention that government agencies (State and Local mostly, since there's no Federal sales tax), already have trouble keeping track of sales taxes. Did you know that in most States, if you buy something online (i.e., Interstate commerce), you're supposed to pay sales taxes to both states? The retailer will take care of the tax for the other State, but you're supposed to self-report the sale to your own State. How many people actually do this? And let's not even get into cash transactions...

      No, if you want a simple tax structure, you need to base it on money coming in, not going out. Then, you need to provide "deductions" for things you want to tax less, such as health care. That's when the tax code becomes complicated. There's no easy answer, I'm afraid.

      The futurist in me would like to see the Department of Commerce implement a universal electronic funds system, available to every individual or business, theoretically obviating the need for cash, allowing automatic calculation of taxes, and cutting into financial crimes such as fraud and money laundering. In the real world, though, I'd be terrified of that system, the reasons of which are aptly described by this article.


      • Anonymous Coward, 4 Mar 2016 @ 8:06am

        Re: Re: Simplify

        "if you buy something online (i.e., Interstate commerce), you're supposed to pay sales taxes to both states?"

        This is exactly completely wrong!!!


    • tqk, 4 Mar 2016 @ 3:36pm

      Re: Simplify

      Individuals are taxed when they earn money, when they spend money, when they save money. Their employers are taxed when they earn money, when they spend money and when they save money. And there's a billion pages on how to get out of paying this tax or that tax and how to be penalized for not paying a tax. The tax law should be able to be written on 100 pages or less in plain, common, proper English - not Lawyerease and a secret dictionary.

      Which is why it's not. Boy, are you naive. The current system is about as flexible as they need it to be. Yes, corner cases and abrasion do occur, but generally not for long.

      Every minute a revolution's not beginning, they're cleaning up.


  • Anonymous Coward, 3 Mar 2016 @ 11:13pm

    Sounds like it's less "Exposes Users To Identity Theft" and more "fails to protect users from identity theft".


    • Anonymous Coward, 4 Mar 2016 @ 12:32am

      Re:

      Clarke's Corollary applies - "Sufficiently-advanced stupidity is indistinguishable from malice."


      • Anonymous Coward, 4 Mar 2016 @ 3:38pm

        Re: Re:

        We keep idiot proofing the universe, and the universe keeps on producing better idiots.


  • John Fenderson, 4 Mar 2016 @ 6:30am

    Oh, Irony

    after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax


    The irony is that those four "easy to guess" questions have kept me locked out of Equifax (and the others) because I can't guess the answers even though they're about me!

    The problem is that I have moved a lot in my lifetime. So much that I honestly don't remember most of my prior addresses, and one of those questions is always to present you with a list of three partially obfuscated addresses and you have to pick which one is a prior residence.

    As a result, I have never been able to use the websites for these companies (nor can I get my free annual credit report).


  • Anonymous Coward, 4 Mar 2016 @ 7:58am

    Easy tax fix

    Change the law to be that the IRS cannot pay out refunds until after the filing deadline. This way, if the scammer files a false refund request, and the real taxpayer files a normal form, both will be received before the refund is issued. Presumably, the IRS already delays paying a refund when two separate returns are submitted on the same ID. The problem is that they do not wait to see if there will be a second return filed.

    Personally, I would like to go a step farther and say that the IRS cannot pay out refunds; it can only credit your refund against your future tax liability. However, just deferring the payment until after filing day would help quite a bit.


  • Phils, 4 Mar 2016 @ 2:26pm

    Is it just a coincidence that tax return fraud started and has grown about the same time that the IRS instituted "e-filing" and has made getting paper forms into an annoying scavenger hunt? They used to send out the forms in early January, then it was late January and you had to try to find them at places like your local library. Now you have to call the IRS at least twice and then wait a couple of weeks to get the forms. How much money are they really saving by "e-filing"?


