IRS Tool To Protect Identity Theft Victims Vulnerable To Identity Thieves

Every year, we warn you about tax return identity theft: bad guys all over the world obtain enough personal information about U.S. taxpayers to file fake tax returns and steal our refunds. After a taxpayer’s identity gets stolen in this way, the Internal Revenue Service issues them a special identification number that they have to enter when filing their tax return. The problem is that these numbers are pretty easy to access, too, and the IRS doesn’t have a good replacement yet.

Krebs on Security shares the story of an certified public accountant who was the victim of tax refund fraud back in 2014. She went to file her return this year, and discovered that someone had already done it for her, collecting her refund. How were they able to e-file? After contacting the IRS, she determined that they must have looked up her PIN sometime this year, then simply filed before she did.

New PINs are supposed to arrive in the mail every year, and if you don’t receive the letter or misplace it, you can use the IRS lookup system to find out what your PIN is. The flaw in this system is that the PIN lookup system checks your identity by pulling information from credit and property databases, quizzing you about your past addresses, housemates, and bank and credit accounts.

Once you’ve already stolen someone’s identity, that information is at hand or very easy to find. That’s the same kind of non-protection that the IRS gave their “get transcript” system that taxpayers could use to look up previous years’ returns, and they turned the feature off because it was compromised by identity thieves.

Thieves Nab IRS PINs to Hijack Tax Refunds [Krebs on Security]