IRS Suspends Identity Protection PIN Tool Over Security Concerns

The Internal Revenue Service (IRS) announced on Monday that it has temporarily suspended its Identity Protection (IP) PIN tool while it further strengthens its security.

The IP PIN tool hosted on irs.gov allows taxpayers to generate or recover a six-digit number that provides an extra layer of protection against fraudulent tax returns. Individuals who have been victims of tax-related identity theft, and those who are at risk, can request such a PIN, which they must use when submitting electronic and paper tax returns. Without this PIN, fraudsters cannot abuse a taxpayer’s social security number (SSN) to file income tax returns.

The problem, as security blogger Brian Krebs pointed out earlier this month, is that the IP PIN can be easily obtained by answering four knowledge-based authentication (KBA) questions from Equifax. The answers to these questions can often be found on free online services, allowing fraudsters to easily get the PINs they need to file tax returns on behalf of victims.

The IRS says it’s conducting a review of the application and further strengthening its security features after it previously implemented some security enhancements to help detect fraud and identity theft attempts. The agency reported blocking 800 fraudulent tax returns that leveraged an IP PIN.

According to the IRS, a total of 2.7 million taxpayers received IP PINs by mail in the current filing season, 130,000 of whom used the online tool to retrieve a forgotten or lost PIN. In fact, the agency says the online tool is mainly used by people who lost their six-digit codes and need to recover them.

Now that the online service is suspended, users who need to recover their PIN have to call the IRS and the password will be mailed to them after their identity has been verified. Taxpayers who have already received a PIN can use it to file their tax returns as they normally would.

The IP PIN tool is not the only online service suspended by the IRS over the past months. In May 2015, the agency shut down its “Get Transcript” service after discovering that it had been abused by fraudsters. A report published by the organization last month revealed that 700,000 taxpayers had been affected since the launch of the service in January 2014.

The IRS’s Electronic Filing PIN application has also been abused. The agency revealed in February that fraudsters attempted to generate PINs for the E-File service using roughly 464,000 stolen SSNs, with 101,000 successful attempts.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
