SecurityWeek


IRS Suspends Identity Protection PIN Tool Over Security Concerns

The Internal Revenue Service (IRS) announced on Monday that it has temporarily suspended its Identity Protection (IP) PIN tool while it further strengthens its security.


The IP PIN tool hosted on irs.gov allows taxpayers to generate or recover a six-digit number that provides an extra layer of protection against fraudulent tax returns. Individuals who have been victims of tax-related identity theft and those who are at risk can request such a PIN, which they must use when submitting electronic and paper tax returns. Without this PIN, fraudsters cannot abuse a taxpayer’s Social Security number (SSN) to file income tax returns.

The problem, as security blogger Brian Krebs pointed out earlier this month, is that the IP PIN can be easily obtained by answering four knowledge-based authentication (KBA) questions from Equifax. The answers to these questions can often be found on free online services, allowing fraudsters to easily get the PINs they need to file tax returns on behalf of victims.

The IRS says it’s conducting a review of the application and further strengthening its security features after it previously implemented some security enhancements to help detect fraud and identity theft attempts. The agency reported blocking 800 fraudulent tax returns that leveraged an IP PIN.

According to the IRS, a total of 2.7 million taxpayers received IP PINs by mail in the current filing season, 130,000 of whom used the online tool to retrieve a forgotten or lost PIN. In fact, the agency says the online tool is mainly used by people who lost their six-digit codes and need to recover them.

Now that the online service is suspended, users who need to recover their PIN have to call the IRS and the password will be mailed to them after their identity has been verified. Taxpayers who have already received a PIN can use it to file their tax returns as they normally would.

The IP PIN tool is not the only online service suspended by the IRS over the past months. In May 2015, the agency shut down its “Get Transcript” service after discovering that it had been abused by fraudsters. A report published by the organization last month revealed that 700,000 taxpayers had been affected since the launch of the service in January 2014.

The IRS’s Electronic Filing PIN application has also been abused. The agency revealed in February that fraudsters attempted to generate PINs for the E-File service using roughly 464,000 stolen SSNs, with 101,000 successful attempts.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
