E-Filing PIN System Subject of Automated Attack Based on Information Obtained from Non-IRS Sources

The IRS web systems were again attacked using information that the perpetrators had acquired from other services.  In a statement the IRS described the attack on their system.

In this case the system under attack was the IRS’s Electronic Filing PIN web application used by some taxpayers to obtain a PIN to file a tax return when the taxpayers are not using a preparer and don’t have access to their tax year 2014 tax return information.

A return can be signed electronically using one of three methods:

·       Self-select PIN – Taxpayer provides date of birth and either their prior year adjusted gross income or their prior year self-select PIN at the time of signing the return, at which point the taxpayer chooses a self-select PIN for the current year return.

·       Practitioner PIN – Taxpayer provides a tax preparer registered for electronic filing with the IRS with a Form 8879 which the taxpayer signs along with a PIN the taxpayer has selected.  No prior year information is required for this method.

·       Electronic Filing PIN – This option is the one that was attacked.  If a taxpayer lacks the information to use the self-selected PIN method and is not giving a paid preparer a Form 8879, the taxpayer can use the IRS website to obtain a PIN.  To prove identity the taxpayer needs:

  • The taxpayer’s name
  • Address used on the prior year tax return
  • Taxpayer’s social security number
  • Taxpayer’s filing status on prior year’s return
  • Copy of the prior year’s tax return

Given that the IRS tells the taxpayer they need a copy of the prior year’s return to use this service, this option appears to be of use primarily for taxpayers who can’t figure out what number on the return is their adjusted gross income.

The IRS has determined that an automated attack attempted to obtain self-selected PINs for 464,000 social security numbers and succeeded in obtaining a PIN in 101,000 cases.

The IRS statement indicated that malware was involved in the attack.  That suggests the perpetrators may have used a botnet to carry out the attack.  A botnet is a network of computers that have been infected with software that allows a third party to control them in the background to undertake various attacks.  The owners of these computers will be unaware that their systems have been used to mount such an attack.

The use of a botnet would give the attackers a few advantages, one of which is being able to mount the attack from numerous different computers located on networks in the United States.  This makes the attack harder to spot, since the traffic does not appear to originate outside the United States, and no single address appears to be requesting an inordinate number of PINs.
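As an added illustration that is not part of the IRS statement or the original article, the constructed Python example below shows why a per-address rate limit misses a botnet that spreads PIN requests thinly across many addresses, while a service-wide check on request volume and identity-verification failure rate still sees the attack; the log data, address ranges and thresholds are synthetic assumptions.

```python
"""Constructed illustration: a per-address rate limit misses a botnet that spreads
PIN requests thinly across many addresses, while service-wide velocity and
failure-rate monitoring still sees the attack. All log data below is synthetic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log of (timestamp, source_ip, success) tuples; not real IRS data."""
    t0 = datetime(2016, 2, 1, 9, 0)
    log = []
    # Normal traffic: 60 requests per hour for 3 hours, each from a distinct
    # address, about 95% of which pass identity verification.
    for i in range(180):
        log.append((t0 + timedelta(minutes=i), f"198.51.100.{i % 200}", i % 20 != 0))
    # Distributed attack during the second hour: 300 hosts, 2 requests each,
    # spread evenly over the hour, about 22% of which are granted a PIN.
    for n in range(600):
        ts = t0 + timedelta(hours=1, seconds=6 * n)
        log.append((ts, f"10.0.{(n // 2) // 256}.{(n // 2) % 256}", n % 9 < 2))
    return log


def per_ip_alerts(log, max_requests=5):
    """Naive defence: flag any source address exceeding max_requests in total."""
    counts = Counter(ip for _, ip, _ in log)
    return {ip for ip, c in counts.items() if c > max_requests}


def aggregate_alerts(log, baseline_requests=60, baseline_failure_rate=0.05,
                     volume_factor=3.0, failure_factor=3.0):
    """Service-wide view: bucket requests by hour and flag buckets whose volume
    or verification-failure rate is far above the expected baseline."""
    buckets = defaultdict(list)
    for ts, ip, ok in log:
        buckets[ts.replace(minute=0, second=0, microsecond=0)].append((ip, ok))
    alerts = []
    for start in sorted(buckets):
        rows = buckets[start]
        failure_rate = sum(1 for _, ok in rows if not ok) / len(rows)
        if (len(rows) > volume_factor * baseline_requests
                or failure_rate > failure_factor * baseline_failure_rate):
            alerts.append((start, len(rows), len({ip for ip, _ in rows}), round(failure_rate, 2)))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-address alerts:", per_ip_alerts(log))  # empty: no host stands out
    for start, n, ips, rate in aggregate_alerts(log):
        print(f"{start:%H:%M}: {n} requests from {ips} addresses, {rate:.0%} failed")
```

The per-address check returns nothing because every attacking host makes only two requests, while the hourly aggregate flags the attack hour with 660 requests from 360 addresses and a 71% failure rate against a 5% baseline.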

As with the transcript attack in 2015, this attack involved attackers who already had some information on the individuals involved.  Such databases of information are being assembled by parties looking to impersonate individuals for financial gain.  In this case it seems likely the attackers had social security numbers and probably addresses, but not the adjusted gross income details from the prior year returns (if they had that, they could simply have signed a fraudulent return under the standard self-select PIN system), nor did they have access to a paid preparer’s credentials (in which case they could have filed a fraudulent practitioner PIN return).

This appears to be yet another case of the conflict between making electronic filing “easy” for taxpayers and making it secure.  Taxpayers who can’t figure out what “adjusted gross income” is but want to use electronic filing services (which is something Congress has pushed for the IRS to strongly encourage) need an “idiot proof” way to do so if they aren’t going to hire a tax professional.  If the IRS were to turn off the third option, these individuals would likely complain to their Congressional representative about how difficult the IRS made it for them to get their refund.

The problem, though, is that it means a fraudulent return can be filed for any taxpayer by a party who has access to the more limited information necessary to answer these questions.  And under the current system there’s no way to tell the IRS not to issue an electronic filing PIN via the web application for a taxpayer.

The IRS will be notifying affected taxpayers that personal information obtained from some source had apparently been used by third parties to try to gain access to an identity protection PIN from the IRS.  Any client receiving such a notice should be counseled that the perpetrators may not have gone after tax information only, and a check on their credit reports as well as careful scrutiny of any activity in accounts accessible online should be undertaken.  That is, their data is “in the wild,” and that means they are at risk for a number of problems, including identity theft as well as takeovers of their accounts (normally to empty them out).

The IRS will also flag the returns in question as potentially subject to fraudulent filings.  The downside of that will be that these returns will take a while to process when the real return is later filed.

Advisers should expect such issues to continue to affect the tax system.  The conflicting goals of making electronic filing easy and making it secure are going to continue to create opportunities for nefarious parties to find ways to file fraudulent returns and/or otherwise gain access to systems meant to be limited to the actual individuals.

The problem so far has not been an actual breach of the IRS systems, but rather simply the fact that so many leaks of personal information have now taken place that it’s easy to produce information that makes it appear the party accessing a site is the person in question.  Thus any system that attempts to “confirm” a party’s identity based on information that is believed to be known only by the actual person before giving access to sensitive information or options is at risk of this sort of attack.