Security and tax refund fraud problems unfortunately continue to produce new developments, and this time the issue involves the IRS’s online IP PIN recovery system. The IRS has posted an announcement on its website stating that it is shuttering the online IP PIN recovery system (“IRS Statement on IP PIN”).
On March 1, 2016, Brian Krebs (an IT security journalist whose writing we are referring to all too often in tax matters recently) posted a story describing a CPA who had her own IP PIN hijacked by unauthorized parties (“Thieves Nab IRS PINs to Hijack Tax Refunds”). The story went on to discuss the flaws inherent in the IRS’s online IP PIN recovery process, a criticism Brian had leveled at the system back when the online transcript breaches took place last year, noting the IP PIN system used the same type of “identity confirmation” as that system.
Tax Analysts’ Tax Notes also published a similar story on the weakness of this program on February 26 (“IRS ID Theft PINs Too Easy to Obtain Online, Observers Warn”, Tax Notes Today, 2016 TNT 38-5, February 28, 2016), citing practitioner and TIGTA concerns about the ease of getting new numbers issued. In that story the IRS defended the use of the same system of “protection” to allow the reissuance of IP PINs, with the story noting:
The IRS challenged that comparison in a separate statement, telling Tax Analysts on February 25, “There is a fundamental difference between the Get Transcript and the IP PIN applications,” because the latter does not disclose any personally identifiable information.
As Brian Krebs notes in his article discussing the suspension “...this may be of small solace to taxpayers who had their tax and income data stolen directly from the IRS in the first place.” (“IRS Suspends Insecure ‘Get IP PIN’ Feature”)
Frankly, it’s also no comfort to the much larger number of taxpayers who had their information compromised elsewhere and then became victims of refund-related identity theft.
The announcement states that the IRS has detected 800 attempts to file a return using a fraudulently obtained replacement IP PIN, prompting the shut-down of the online recovery program. It notes that about 5% of the 2.7 million taxpayers who have been issued IP PINs ended up going online to recover their PINs.
The IRS notes that the online system was only way to obtain or recover an IP PIN, providing:
This includes IP PIN holders who lost their IP PIN letter and needed to retrieve the number, taxpayers participating in our three pilot locations and taxpayers we invite to use IP PIN because they have non-tax identity theft issues.
The IRS announcement provides the following information on alternatives to the online IP PIN tool, based on the category the taxpayer is in:
- Lost or misplaced IP PIN letters. Taxpayers who are IP PIN holders but who lost their CP01A letters containing the IP PIN will need to call the IRS. If they can verify their identity, they will be mailed their IP PIN. If they have moved since Jan. 1, 2016, they must file a paper tax return, which will receive additional scrutiny and take longer to process because we don’t normally accept these returns without an IP PIN.
- Florida, Georgia and District of Columbia participants. Taxpayers who live in Florida, Georgia or the District of Columbia and who already have retrieved an IP PIN should include it on their tax returns. Taxpayers in those locations who have not retrieved an IP PIN will be unable to access the tool at this time but may file their tax return as normal.
- Other taxpayers. Taxpayers who filed a Form 14039 citing non-tax identity theft issues (Box 2) and who already have retrieved an IP PIN should include it on their tax returns.
The author has defended the IRS for previous issues, noting that the system they had been using arguably appeared to offer protection that only became a problem as those looking to take over accounts began assembling data from various sources on potential victims.
But in this case the IRS (through the transcript program) was on notice that this sort of protection was no longer “good enough.” While the IP PIN did not have “personally identifiable information exposed,” that was a far too myopic view of the problem, as many commentators had pointed out to the agency, and it is a view the agency confirmed in writing in the February 25 comment given to Tax Analysts.
But it is best for CPAs not to get too smug about the lack of foresight of the IRS. The IRS succumbed to the problem that users want their access to be “easy,” and the lack of an online recovery system will prompt complaints. CPAs need to ask themselves whether their organization, if it offers an online access system for clients (as many do today), has managed to concentrate on making the system “easy to use” in a way that, like the IRS IP PIN recovery system, also makes it easy for a third party to gain access to that information.