IRS Identity Protection PIN Tool: Helpful or Hurtful?

March 8, 2016

Every year, tax refund fraud through identity theft affects hundreds of thousands – if not millions – of United States citizens. Last year alone, the personal records of approximately 720,000 taxpayers found their way into the hands of criminals using one simple method of identity theft. The stolen data included social security information, dates of birth, and street addresses. To make matters worse, the IRS can’t accurately keep track of the actual number of thefts that take place. In May 2015, the government agency reported that criminals had used a tool on the IRS website to steal the tax forms of 104,000 people. Then in August, it revised that number up to 330,000. Furthermore, it took until a few weeks ago, after a nine month investigation, to determine that the actual number of victims was closer to 720,000.
All of these attacks were due to a flawed authentication process in the IRS’s “Get Transcript” tool. The “Get Transcript” tool allows people to receive a transcript by mail so they can view their tax account transactions or line-by-line tax return information for a specific year. The problem was that the IRS used extremely common static identifiers (information on people that can be found almost anywhere) to verify taxpayer identity. This allows criminals to use the system to then obtain further sensitive taxpayer information and steal finances.
To protect the compromised taxpayer accounts, the IRS has developed a system where it mails identity theft victims a six digit “Identity Protection (IP) PIN.” PINs have been mailed to approximately 2.7 million victims, and must be entered into the following year’s tax return. However, the major issue is that the PIN system is incredibly easy for criminals to hack because it also relies heavily on commonly available user data.

“The trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s website, after supplying the answers to four easy-to-guess questions focus[ing] on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing”

This information can often be found simply by consulting free online services such as Zillow and Facebook.  Therefore, the IRS basically took a system already hit several times by fraud and internet scandals and replaced it with an identity theft protection tool that can actually be used to help steal your identity. Therefore, identity theft victims who were provided with PINs for additional security have now become at-risk for multiple attacks.
In addition, many victims spend more time actually trying to prove their identity to the IRS after the attacks than the thieves ever did in the first place. For example, a certified public accountant from Sioux Falls, S.D. by the name of Becky Wittrock was a victim of identity theft in 2014 and, not even two years later, fell victim once again due to the flawed PIN system. After spending more time trying to prove her identity to the IRS than the thief apparently did, Wittrock was simply told that the next year the IRS is planning to abandon the PIN system for another questionable system that may rely on peoples’ driver’s licenses.
Overall, the IRS needs to somehow up the ante when it comes to security. Admittedly, we, as a nation, have enjoyed cutting IRS funding, staffing, authority, and total resources, only to further complain that the agency is terrible at its job. However, even on top of all of those things, it is no excuse that the IRS still fails to implement some sort of higher security to protect its users. Tax information and financial security are important aspects of our nation and they need to be sufficiently protected.