The IRS has issued a notice about the temporary suspension of use of its Identity Protection PIN tool. According to the notice, the use of the IP PIN tool on the IRS.gov site has been suspended as part of its ongoing security review. It has announced a possible security breach.
A recent attack on the website that resulted in the breach of an IRS contractor’s system—exposing 101,000 taxpayers’ Social Security numbers and other data—prompted an IRS security review. The IRS designed the Identity Protection PIN tool to safeguard people at higher risk of becoming the victims of fraud because of sensitive personal information leaked in commercial data breaches, by providing them an additional layer of security. Instead, the tool was being used by scammers for the very purpose of identity theft.
Identity Protection Pin tool is a way to protect the identity of a company and its employees just like the registered office address. The IRS had to shut down an electronic tool for obtaining tax data last year, after identity thieves managed to extract filing data for hundreds of thousands of American taxpayers, using stolen Social Security numbers and other data from commercial data breaches. This year, a surge in phishing campaigns to obtain employees’ W-2 form data has become a new nuisance to the IRS.
Several companies have reported that they’ve been the victims of these attacks, including Snapchat and Seagate. This has put thousands of U.S. employees at these companies, current and former, at risk for potential tax fraud—heightening the need for the security that the IRS’ Identity Protection PIN is supposed to provide.
“Taxpayers received 2.7 million IP PINs by mail for the current filing season. About 5 percent of those — approximately 130,000 — used the online tool to try retrieving a lost or forgotten IP PIN,” the agency said in a statement. The IRS has confirmed it had detected and stopped 800 fraudulent returns using a stolen IP PIN, through the end of February. It has not confirmed how many IP PINS were stolen or used to file returns fraudulently.
Apparently, the online tool that allows the taxpayers to reset their IP PIN wasn’t secure enough to ensure the identity of the person doing the resetting. The scammers have found ways to exploit and use to their advantage the procedure by which the IRS website issues PINs to the taxpayers. A PIN is issued after the applicant answers four questions about him/herself, but the scammers can guess the answers if they already has some of the taxpayer’s personal data and do some digging online. They can get the code and file a fraudulent return.
“Most taxpayers receive their IP PIN via mail and never use the online tool,” the agency added.
“As part of its ongoing security review, the Internal Revenue Service temporarily suspended the Identity Protection PIN tool on IRS.gov. The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool.”
Following the removal of the online tool, taxpayers that have lost their IP PIN will now have to call the IRS and verify their identity in order to get a new PIN mailed to them. Those that already have an IP PIN should include it on their tax returns.
[Photo by Oli Scarff/Getty Images]