When Becky Wittrock tried to file her taxes in March 2015, she was told a return had already been filed in her name the month before. The South Dakotan was one of a surging number of Americans to fall victim to scams in which fraudsters try to steal other people’s tax refunds by filing phony, inflated returns on their behalf.
But this year was supposed to be different: In January, the Internal Revenue Service mailed Wittrock – along with 2.7 million other taxpayers – a six-digit identity-protection personal identification number, or IP PIN, that she was supposed to use to ensure that only she could electronically file on her behalf.
“Honestly, I felt very secure I would be able to file my return without any problems,” she said.
But when Wittrock tried to file her taxes last weekend, there were problems once again. On Monday, the IRS help line told her that someone had filed a return using her IP PIN on Feb. 2, she said.
And more, according to Wittrock, the IRS representative told her the agency had heard from other people about similar cases of fraudulent use of the IP PINs this year. “It was not a new problem,” Wittrock said.
In an interview with The Washington Post, IRS Commissioner John Koskinen called the issue a “relatively minor problem” that has only affected a “handful” of filers thus far, but acknowledged that it could be frustrating for people such as Wittrock.
“We understand that, for those taxpayers, this is a significant aggravation. By definition, they got an IP PIN in the first place because they’d been the victim of identity theft,” Koskinen said.
But Wittrock and others who rely on the IP PINs to secure their online tax returns may have been easier to victimize again because of the way the tax agency allows people to retrieve the numbers online, according to cybercrime blogger Brian Krebs – who first reported on Wittrock’s situation.
If someone has lost their IP PIN, there is an online tool that can help them get it back. It requires some basic personal information, including name, date of birth, Social Security number, last filing status and the mailing address from the last tax return, but also uses information from the person’s credit report to ask “knowledge-based authentication” questions – things such as past addresses or mortgage payments.
Yet that basic information could have made it into the hands of fraudsters in a number of ways, such as the wave of massive data breaches that have hit consumers in recent years. Also, simple Google sleuthing can help uncover, via public sources, the answers to the other questions. If a fraudster succeeds, they will be able to gain access to the IP PIN – and potentially use it to help them file a phony return.
The IRS should know how easily this type of system can be bypassed: The agency said fraudsters may have accessed tax data for more than 700,000 people last year by tricking a “get transcript” tool that relied on the same kind of authentication technique.
But while the agency took down the tool after reports of misuse last year, it appears to still rely on the same basic method to verify the identities of people wanting to retrieve IP PINs.
Only a very small fraction of taxpayers with IP PINs have used the online retrieval tool, according to Koskinen – although he did not know the exact number.
The agency said it has flagged fewer than 200 potentially fraudulent tax filings involving IP PINs and successfully stopped refunds from being issued in the majority of these cases. But now, every tax refund filed with an IP PIN that has been retrieved online is receiving extra scrutiny, Koskinen said.
And if abused, the IP PIN retrieval tool itself does not reveal information about a taxpayer to a hacker, he said, but acknowledged that obtaining an IP PIN through the system could help a criminal who had other necessary information file a fraudulent return.
“Since the initial question was raised about people coming in to find their IP PIN, we put stronger filters in place and monitors in place,” he said.
And there are additional layers of security on the back end that may not be obvious to taxpayers, according to Koskinen.
“It’s a little game of cat and mouse” with fraudsters, he said.
As for Wittrock, she is unsure how her information fell into the hands of scammers last year. “You feel totally invaded. You have no idea what’s going to happen to you next,” she said.
After this year’s incident, she is skeptical of the security measures put in place by the IRS. “There should be something tied down a little tighter with those six digit PINs,” she said.
But there is at least one silver lining: Wittrock said she was able to file her 2015 return in person at an IRS office this week and was told that the fraudulent refund from this year had not been sent out yet – a sign it may have been caught by another layer of the agency’s fraud filters.
(c) 2016, The Washington Post · Andrea Peterson