IRS Tool Designed To Protect Identity Theft Victims -- Exposes Users To Identity Theft
from the bang-up-job dept
Last year, the personal records of 100,000 taxpayers wound up in the hands of criminals, thanks to a flimsy authentication process in the agency's "Get Transcript" application. In short, the IRS used all-too-common static identifiers to verify taxpayer identity (information that could be found anywhere), allowing criminals to use the system to then obtain notably more sensitive taxpayer information and ultimately steal finances. At the time, the IRS breathlessly insisted it would be shoring up its security standards, though it failed to really detail how it would accomplish this.
Tax return fraud has since become a burgeoning industry unto itself, with crooks consistently gaming IRS systems to fool the IRS into sending your money to a criminal's account, something victims only discover when they find their own, legitimate tax returns rejected. To protect these compromised users, the IRS has employed a system wherein it mails these victims a six-digit "Identity Protection (IP) PIN." That pin has been mailed to some 2.7 million victims, and must be entered into the following year's tax return. But not-too-surprisingly, this pin system is also notably easy to game, relying heavily on commonly available user data:
...The trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
So yes, that's an agency already hit several times by fraud and internal scandals providing an identity theft tool -- that can be used to help steal your identity. A CPA by the name of Becky Wittrock, who had fallen victim to identity theft in 2014, notes she's now been a repeat victim after thieves impersonated her, then used the IRS's crappy pin system to impersonate her again:
Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. “So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”
After spending more time trying to prove her identity to the IRS than the thief apparently did, Wittrock was told that next year the IRS will be ditching the pin system for a murky system that may rely on users' driver's licenses. Granted, we do seem to enjoy gutting IRS funding, staffing, authority and overall resources, only to complain that the agency sucks at doing its job. Still, that's no excuse for not implementing some fundamental authentication common sense. Meanwhile, the IRS's repeated failures are troubling for a government that's intent on viewing itself as the foremost expert in cyber-warfare and security, yet still can't manage to keep wolves out of its own henhouse.
Filed Under: hack, identity theft, irs
Reader Comments
Wrong economic model
The solution is actually an old quasi-joke: "Possession is nine points of the law." Before we had all these computers and stuff, your personal information was mostly in your head, and if someone wanted to know when you visited a convenience store, they had to ask you, not the recordings of the surveillance cameras. That information should be owned by the person it relates to, and even stored where that person wants it stored. Accessing the information for any purpose should require the permission of the owner AKA the person involved.
If there are several people involved (and there usually are), then the natural solution is that all of them share ownership and have copies of the information. Anyone else has to get permission after explaining why, and can't legally retain the information after the purpose of the why has been satisfied.
[ link to this | view in chronology ]
Simplify
How about simplifying it, tax every business on its gross income and tax every individual on their purchases. Things not taxed are the minimum basics: requisite, nutritious food, real health care and medicinal products. Graduate the percent of tax on quantum leaps - millionaires are taxed at a higher rate, billionaires at an even higher rate - but never more than 50%. Maybe not even more than 10% if everyone must pay. Same with goods and services, if it is a bass boat - a lower rate, a yacht is a higher rate. The more expensive something is from what is typically needed, the higher the tax rate. But corporations use public facilities and they should not be able to not pay tax. They employ a workforce that has to use public facilities to get there. Same for any physical religious venue. But that could be easily stated in 100 pages or less.
[ link to this | view in chronology ]
Re: Simplify
Not to mention that government agencies (State and Local mostly, since there's no Federal sales tax), already have trouble keeping track of sales taxes. Did you know that in most States, if you buy something online (i.e., Interstate commerce), you're supposed to pay sales taxes to both states? The retailer will take care of the tax for the other State, but you're supposed to self-report the sale to your own State. How many people actually do this? And let's not even get into cash transactions...
No, if you want a simple tax structure, you need to base it on money coming in, not going out. Then, you need to provide "deductions" for things you want to tax less, such as health care. That's when the tax code becomes complicated. There's no easy answer, I'm afraid.
The futurist in me would like to see the Department of Commerce implement a universal electronic funds system, available to every individual or business, theoretically obviating the need for cash, allowing automatic calculation of taxes, and cutting into financial crimes such as fraud and money laundering. In the real world, though, I'd be terrified of that system, the reasons of which are aptly described by this article.
[ link to this | view in chronology ]
Re: Re: Simplify
This is exactly completely wrong!!!
[ link to this | view in chronology ]
Re: Simplify
Which is why it's not. Boy, are you naive. The current system is about as flexible as they need it to be. Yes, corner cases and abrasion do occur, but generally not for long.
Every minute a revolution's not beginning, they're cleaning up.
[ link to this | view in chronology ]
Oh, Irony
The irony is that those four "easy to guess" questions have kept me locked out of Equifax (and the others) because I can't guess the answers even though they're about me!
The problem is that I have moved a lot in my lifetime. So much that I honestly don't remember most of my prior addresses, and one of those questions is always to present you with a list of three partially obfuscated addresses and you have to pick which one is a prior residence.
As a result, I have never been able to use the websites for these companies (nor can I get my free annual credit report).
[ link to this | view in chronology ]
Easy tax fix
Personally, I would like to go a step farther and say that the IRS cannot pay out refunds; it can only credit your refund against your future tax liability. However, just deferring the payment until after filing day would help quite a bit.
[ link to this | view in chronology ]