IRS Suspends Identity Protection Tool after Fraudulent Logins

Last week, the Internal Revenue Service (IRS) attempted to tighten security for its users following a comprehensive breach of its systems in 2015 which saw hackers steal taxpayers’ records. The new measure was the issuance of personal identification numbers (PINs).

Although the IRS implemented the new security measure using PINs as an authentication method, it has now been revealed that the PIN method can be cracked the same way with which the hackers used to infiltrate the IRS systems the last time around. As a result of this, the IRS is temporarily suspending the PIN tool.

A statement from the IRS read:

The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool.

Altogether, taxpayers received 2.7 million IP PINs by mail for the current filing season. The IRS revealed that 5 percent of those PINs, about 130,000 users, used the online tool to try and retrieve lost or forgotten IP Pins. However, by the end of February, it turned out that the IRS had noticed and stopped about 800 fraudulent returns using an IP PIN.

The IP PIN is a six-digit number that helps provide an additional layer of security for taxpayers who are susceptible to becoming victims of identity theft. The online tool is fundamentally used by taxpayers to retrieve their numbers if they have lost their IP PINs.

Notably, taxpayers who have been issued an IP PIN are encouraged to file their tax returns as they normally would.

The Problem With Legacy Authentication Methods

The recently issued PINs require authentication with questions such as “On which of the following streets have you lived?”, as a means to proving one’s identity.

The answers to such questions can easily be found online through social media websites or other resources by hackers. It is fundamentally the same verification system that allowed hackers to gain access to tax returns of everyday citizens the last time.

When the personal information and finances of millions are at stake, it remains to be seen how the IRS will proceed to implement better and more stringent security measures.

 Image credit: Flickr.