The IRS assigns identity protection personal identification numbers (IP PINs) to identity theft victims and their family members, requiring that they provide the IP PINs when filing taxes electronically.
The IRS has opened the program to victims of data breaches connected directly to tax administration, as well as to residents of Florida, Georgia, and the District of Columbia.
Online access to IP PINs relies upon the same authentication process as the IRS's Get Transcript tax record retrieval application (goo.gl/ZQnn0h), as documented by TIGTA in a December 2015 report and recently confirmed by the IRS.
The IRS revoked online access to Get Transcript after a cyberattack on the application, disclosed in May 2015, wherein identity thieves downloaded approximately 324,000 tax transcripts containing detailed filer information dating back as far as a decade.
Single-factor, knowledge-based authentication was widely blamed for the Get Transcript attack; the IRS has since allowed filers to request only mailed copies of their tax transcripts.
However, the authentication process used to access Get Transcript, and for online access to IP PINs, remains single-factor, the IRS confirmed to Tax Analysts.
TIGTA and other observers approached by Tax Analysts argued that the IRS should not allow online access to IP PINs without stronger, multifactor authentication.
The IRS told Tax Analysts that after the attack, it revised the security around the IP PIN and Get Transcript applications. "We have enacted additional security enhancements to protect these applications for the 2016 filing season," the IRS said, "and anticipate the multifactor authentication will be in place later this year."
TIGTA said it is conducting a review of the additional IRS safeguards' effectiveness.
The 2015 attackers compromised Get Transcript by supplying filer information such as names and addresses, then successfully answering so-called "out-of-wallet" questions about filers' financial history, such as previous addresses, based on information provided to the IRS by a third-party credit reporting agency.
The IRS would not provide specific information about how it had increased the security of the IP PIN and Get Transcript applications. The IRS also did not say whether -- or for how long -- IP PINs were available online before the security changes were made.
"All of our safeguards are designed to stop fraudsters from using information stolen elsewhere to create or change IRS-related accounts," the IRS said. "Detailing safeguards or outlining vulnerabilities will only help the identity thieves."
The IRS has said that it plans to restore online access to Get Transcript as early as spring 2016, in conjunction with a new, multifactor "e-authentication" process, but some observers question the logic of allowing online access to IP PINs in the meantime.
"If the IRS's current authentication process is not good enough for online access to Get Transcript, why is the same process good enough for online access to IP PINs, which are a key IRS anti-fraud program?" said Stephen Mankowski, executive vice president of the National Conference of CPA Practitioners.
The IRS challenged that comparison in a separate statement, telling Tax Analysts on February 25, "There is a fundamental difference between the Get Transcript and the IP PIN applications," because the latter does not disclose any personally identifiable information.
"Prior to the start of the 2016 filing season, the IRS implemented additional steps to ensure the authenticity of returns containing newly acquired IP PINs," the IRS added.
However, the IRS's basic decision to continue online access to IP PINs after thousands of tax transcripts were illegally downloaded drew concern. "I would have real reservations that the IRS has returned to a system that failed once already," said Robert McKenzie, partner at Arnstein & Lehr LLP in Chicago and a former IRS collection division employee.
Even assuming that the IRS successfully implements a multifactor authentication process by spring 2016, there is no clear timeline for such a process to apply to other IRS applications.
The IRS did not comment when asked about applying the e-authentication process to its electronic filing PIN retrieval application, which was compromised in January by a massive cyberattack that may have been enabled by a potentially flawed authentication process.
How to Steal an IP PIN
Mankowski, who also prepares client returns as a partner at EP Caine & Associates CPA LLC, expressed skepticism that fraudulently obtaining IP PINs would be worth the extra effort given that filers receive a new IP PIN each filing season.
E-file PINs are also only usable for one filing season, but accessing them online requires completing a less demanding authentication process than for IP PINs, and the vast majority of individual filers can voluntarily apply for an e-file PIN.
The IRS mails IP PIN holders new IP PINs each tax season. The IRS did not respond to requests for comment about why it does not mail first-time IP PIN holders their PINs.
However, there is evidence that at least in January 2015, a few identity thieves found value and success in fraudulently retrieving IP PINs, as first reported by independent journalist and IT security expert Brian Krebs and independently documented by Tax Analysts.
A screenshot from a so-called carding forum -- where identity thieves and financial criminals compare notes -- shows one forum user explaining to other forum users how to illicitly obtain the correct IP PIN if the IRS kicked back a return they had attempted to file fraudulently, with a notice that it required an IP PIN.
The explanation, contained in a post dated January 30, 2015, describes steps indistinguishable from the method IRS Commissioner John Koskinen said identity thieves used in 2015 to compromise Get Transcript -- which relied on the same authentication process as the IP PIN application.
Other forum users appear to confirm that they were able to retrieve the IP PINs and file fraudulent returns based on the instructions, and thank the first user for showing them how to do so.
The IRS declined to comment on the evidence that thieves had fraudulently obtained IP PINs.
Mankowski said he would be "really surprised" if identity thieves actually made the effort to retrieve IP PINs in order to file false returns in the legitimate taxpayer's name, given that IP PIN filers receive a new PIN each year.
However, he was also critical of how the IRS has attempted to secure its IT systems and authenticate filer identities. After the IRS tells an identity theft victim to fill out Form 14039, "Identity Theft Affidavit," the filer has no way to know if she will actually be given an IP PIN or if her account will simply be internally flagged in the IRS database, Mankowski said.
Despite years of warning, "it seems like it took members of Congress and IRS breaches for this to even begin to be taken seriously," Mankowski said. "I know the budget cuts are an issue, but you would think the security and integrity of the data is paramount."
Follow Luca Gattoni-Celli (@TheGattoniCelli) on Twitter for real-time updates.
About Tax Analysts
Tax Analysts is an influential provider of tax news and analysis for the global community. Over 150,000 tax professionals in law and accounting firms, corporations, and government agencies rely on Tax Analysts' federal, state, and international content daily. Key products include Tax Notes, Tax Notes Today, State Tax Notes, State Tax Today, Tax Notes International, and Worldwide Tax Daily. Founded in 1970 as a nonprofit organization, Tax Analysts has the industry's largest tax-dedicated correspondent staff, with more than 250 domestic and international correspondents. For more information, visit our home page.