The Internal Revenue Service (IRS) announced on Monday that it has temporarily suspended its Identity Protection (IP) PIN tool while it further strengthens its security.
The IP PIN tool hosted on irs.gov allows taxpayers to generate or recover a six-digit number that provides an extra layer of protection aginast fraudulent tax returns. Individuals who have been victims of tax-related identity theft and ones who are at risk can request such a PIN, which they must use when submitting electronic and paper tax returns. Without this PIN, fraudsters cannot abuse a taxpayer’s social security number (SSN) to file income tax returns.
The problem, as security blogger Brian Krebs pointed out earlier this month, is that the IP PIN can be easily obtained by answering four knowledge-based authentication (KBA) questions from Equifax. The answers to these questions can often be found on free online services, allowing fraudsters to easily get the PINs they need to file tax returns on behalf of victims.
The IRS says it’s conducting a review of the application and further strengthening its security features after it previously implemented some security enhancements to help detect fraud and identity theft attempts. The agency reported blocking 800 fraudulent tax returns that leveraged an IP PIN.
According to the IRS, a total of 2.7 million taxpayers received IP PINs by mail in the current filing season, 130,000 of which used the online tool to retrieve a forgotten or lost PIN. In fact, the agency says the online tool is mainly used by people who lost their six-digit codes and need to recover them.
Now that the online service is suspended, users who need to recover their PIN have to call the IRS and the password will be mailed to them after their identity has been verified. Taxpayers who have already received a PIN can use it to file their tax returns as they normally would.
The IP PIN tool is not the only online service suspended by the IRS over the past months. In May 2015, the agency shut down its “Get Transcript” service after discovering that it had been abused by fraudsters. A report published by the organization last month revealed that 700,000 taxpayers had been affected since the launch of the service in January 2014.
The IRS’s Electronic Filing PIN application has also been abused. The agency revealed in February that fraudsters attempted to generate PINs for the E-File service using roughly 464,000 stolen SSNs, with 101,000 successful attempts.