Krebs on Security shares the story of a certified public accountant who was the victim of tax refund fraud back in 2014. She went to file her return this year and discovered that someone had already done it for her, collecting her refund. How were they able to e-file? After contacting the IRS, she determined that they must have looked up her PIN sometime this year, then simply filed before she did.
New PINs are supposed to arrive in the mail every year, and if you don’t receive the letter or misplace it, you can use the IRS lookup system to find out what your PIN is. The flaw is that the PIN lookup system checks your identity by pulling information from credit and property databases and quizzing you about your past addresses, housemates, and bank and credit accounts.
Once you’ve already stolen someone’s identity, that information is at hand or very easy to find. That’s the same kind of non-protection that the IRS gave their “get transcript” system, which taxpayers could use to look up previous years’ returns; they turned the feature off because it was compromised by identity thieves.
Thieves Nab IRS PINs to Hijack Tax Refunds [Krebs on Security]