IRS Brings Electronic Filing PIN System Back Online, Takes It Back Down After Automated Attacks Resume

Yet again the IRS’s Electronic Filing PIN program was subjected to attack, following the attack in February. In the original incident, IRS web systems were queried using personal information the perpetrators had acquired from other sources. In a statement the IRS described the attack on their system.

In June the IRS announced on their website they had detected another attempted attack upon their system.

The Original Attack

In this case the system under attack was the IRS’s Electronic Filing PIN web application used by some taxpayers to obtain a PIN to file a tax return when the taxpayers are not using a preparer and don’t have access to their tax year 2014 tax return information.

A return can be signed electronically using one of three methods:

  • Self-select PIN – Taxpayer provides date of birth and either their prior year adjusted gross income or their prior year self-select PIN at the time of signing the return, at which point the taxpayer chooses a self-select PIN for the current year return.
  • Practitioner PIN – Taxpayer provides a tax preparer registered for electronic filing with the IRS with a Form 8879 which the taxpayer signs along with a PIN the taxpayer has selected. No prior year information is required for this method.
  • Electronic Filing PIN – This option is the one that was attacked. If a taxpayer lacks the information to use the self-selected PIN method and is not giving a paid preparer a Form 8879, the taxpayer can use the IRS website to obtain a PIN. To prove identity the taxpayer needs:
    • The taxpayer’s name
    • Address used on the prior year tax return
    • Taxpayer’s social security number
    • Taxpayer’s filing status on prior year’s return
    • Copy of the prior year’s tax return

Given that the IRS tells the taxpayer they need a copy of the prior year’s return to use this service, this option appears to be of use primarily for taxpayers who can’t figure out what number on the return is their adjusted gross income.

The IRS determined in February 2016 that an automated attack had attempted to obtain electronic filing PINs for 464,000 social security numbers and had succeeded in obtaining a PIN in 101,000 cases.

The IRS statement indicated that malware was involved in the attack. That suggests the perpetrators may have used a botnet to carry out the attack. A botnet is a network of computers that have been infected with software allowing a third party to control them in the background to undertake various attacks. The owners of these computers are generally unaware that their systems have been used to mount such an attack.

The use of a botnet provides the attackers a few advantages, one of which is being able to mount the attack from numerous different computers on networks inside the United States. This makes the attack harder to spot: the requests do not appear to originate outside the United States, and no single address appears to be requesting an inordinate number of PINs.
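The evasion described above is easiest to see against actual detection logic. The following added example (not IRS code; the log format, addresses, counts and thresholds are all constructed for illustration) builds a small request log in which each bot sends exactly one PIN request, then runs two checks over it: a per-source-address threshold, which flags nothing, and an aggregate check on request volume, address spread and failure rate per ten-minute window, which flags the burst. The 22% success rate used for the constructed burst is taken from the 101,000-of-464,000 figure above; everything else is assumed.

```python
"""Why a distributed (botnet) PIN-request attack slips past per-address
rate limits, and what an aggregate check sees instead.

Added example. The log format, addresses, counts and thresholds are all
constructed for illustration; none of it is IRS data or IRS code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW_SECONDS = 600  # ten-minute buckets


def make_sample_log():
    """Constructed log: 30 minutes of ordinary traffic followed by a
    10-minute burst spread over 200 addresses, one request each."""
    t0 = datetime(2016, 2, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary traffic: 2 requests/minute from a pool of 8 addresses;
    # real taxpayers mostly get their own details right (1 in 10 fails).
    for i in range(60):
        ts = t0 + timedelta(seconds=30 * i)
        ip = f"198.51.100.{i % 8 + 1}"
        result = "fail" if i % 10 == 0 else "success"
        lines.append(f"{ts.isoformat()} ip={ip} ssn_hash=h{i:05d} result={result}")
    # Burst: 200 requests, each from a different address, roughly 22%
    # successful (the article's 101,000 of 464,000 is about 22%).
    ta = t0 + timedelta(minutes=30)
    for j in range(200):
        ts = ta + timedelta(seconds=3 * j)
        result = "success" if j % 9 in (0, 1) else "fail"
        lines.append(f"{ts.isoformat()} ip=192.0.2.{j + 1} ssn_hash=a{j:05d} result={result}")
    return lines


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' log line into a dict."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def window_of(event):
    """Index of the ten-minute window an event falls into."""
    return int(event["ts"].timestamp() // WINDOW_SECONDS)


def per_ip_alerts(events, max_per_window=5):
    """Per-source-address threshold: flags any IP sending more than
    max_per_window requests in one window. A botnet sending one request
    per bot never crosses it, so this returns an empty set for the burst."""
    counts = Counter((e["ip"], window_of(e)) for e in events)
    return {ip for (ip, _), n in counts.items() if n > max_per_window}


def window_stats(events):
    """Volume, address spread and failure rate for each window."""
    buckets = defaultdict(list)
    for e in events:
        buckets[window_of(e)].append(e)
    stats = []
    for w in sorted(buckets):
        evs = buckets[w]
        fails = sum(e["result"] == "fail" for e in evs)
        stats.append({
            "window": w,
            "requests": len(evs),
            "distinct_ips": len({e["ip"] for e in evs}),
            "fail_rate": fails / len(evs),
        })
    return stats


def aggregate_alerts(events, baseline_windows=3, volume_factor=4.0,
                     max_fail_rate=0.5, max_ip_spread=0.9):
    """Compare each later window with the median volume of the first
    baseline_windows windows. A window is flagged when volume jumps and
    either the failure rate or the ratio of distinct addresses to
    requests looks unlike genuine taxpayers."""
    stats = window_stats(events)
    base_volume = median(s["requests"] for s in stats[:baseline_windows])
    flagged = []
    for s in stats[baseline_windows:]:
        spread = s["distinct_ips"] / s["requests"]
        if s["requests"] > volume_factor * base_volume and (
                s["fail_rate"] > max_fail_rate or spread > max_ip_spread):
            flagged.append(dict(s, ip_spread=spread))
    return flagged


EVENTS = [parse_line(line) for line in make_sample_log()]

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(EVENTS) or "none")
    for s in aggregate_alerts(EVENTS):
        print("aggregate alert:", s)
```

The per-address check is the control most web applications already have, and it is exactly the one a one-request-per-bot pattern is designed to stay under. The aggregate check keys on what the attacker cannot easily hide: total volume against a baseline, the unusually high ratio of distinct addresses to requests, and a failure rate far above that of real taxpayers answering questions about their own returns.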

As with the transcript attack in 2015, this attack involved attackers who had some information on the individuals involved. Such databases of information are being assembled by parties looking to impersonate individuals for financial gain. In this case it would seem likely the attackers had social security numbers and likely addresses, but not the adjusted gross income details from the prior year returns (if they had that, they could simply sign a fraudulent return under the standard self-select PIN system) nor did they have access to a paid preparer’s credentials (when they could file a fraudulent practitioner PIN return).

This appears to be yet another case of the conflict between making electronic filing “easy” for taxpayers and making it secure. Taxpayers who can’t figure out what “adjusted gross income” is but want to use electronic filing services (which is something Congress has pushed for the IRS to strongly encourage) need an “idiot proof” way to do so if they aren’t going to hire a tax professional. If the IRS were to turn off the third option, these individuals would likely complain to their Congressional representative about how difficult the IRS made it for them to get their refund.

The problem, though, is that it means a fraudulent return can be filed for any taxpayer by a party who has access to the more limited information necessary to answer these questions. And under the current system there’s no way to tell the IRS not to issue an electronic filing PIN via the web application for a taxpayer.

The IRS will be notifying affected taxpayers that personal information obtained from some source had apparently been used by third parties to try to obtain an electronic filing PIN from the IRS. Any client receiving such a notice should be counseled that the perpetrators may not have only gone after tax information, and a check of their credit reports as well as careful scrutiny of any activity in accounts accessible online should be undertaken. That is, their data is “in the wild,” and that means they are at risk for a number of problems, including identity theft as well as takeovers of their accounts (normally to empty them out).

The IRS will also flag the returns in question as potentially subject to fraudulent filings. The downside of that will be that these returns will take a while to process when the real return is later filed.

Advisers should expect such issues to continue to affect the tax system. The conflicting goals of making electronic filing easy and making it secure are going to continue to create opportunities for nefarious parties to find ways to be able to file fraudulent returns and/or otherwise get access to systems meant to be limited to access by the actual individuals.

The problem so far has not been an actual breach of IRS systems, but rather the fact that so many leaks of personal information have now taken place that it is easy to assemble information which makes the party accessing a site appear to be the person in question. Thus any system that attempts to “confirm” a party’s identity based on information believed to be known only by the actual person, before giving access to sensitive information or options, is at risk from this sort of attack.

The Second Attack

Following the February attack the IRS decided to bring the electronic filing PIN system back online. The IRS, in the notice announcing the June attack, defended the decision to turn the system back on as follows:

The IRS retained the tool at that time because links are embedded in almost all commercial tax software products that helped taxpayers file their returns. However, additional defenses were added inside the IRS processing systems for protection, including extra scrutiny for any return with an e-File PIN.

As it turned out, the extra defenses did not discourage third parties from trying a new run at the system. As the IRS announced:

Recently, the IRS observed additional automated attacks taking place at an increasing frequency, but only affecting a small number of e-File PINs. We were able to identify this issue because of additional defenses put in place earlier this year, and backend protections remain in place. However, the IRS decided to remove the e-File PIN program as a safety measure.

The IRS noted that they were already in talks with the software vendors to remove this system for next year. It remains to be seen if this latest incident has pushed the “retirement” date up or if the IRS will try again to relaunch the system to catch returns for 2015 prior to the October 15 extended due date.

This IRS announcement came shortly after other sites had announced they had been the subject of automated password reuse attacks (for instance, Citrix’s GotoMyPC forced a reset of all user passwords) following a major sale of usernames and passwords previously obtained from breaches years ago of LinkedIn, Tumblr and MySpace. Netflix had sent notices to users whose usernames and passwords appeared on those lists and who had used the same pair for their Netflix accounts.

While those old passwords wouldn’t have been of direct use on the IRS site, it’s very possible that information gained from using those usernames/passwords on various sites may have given the attackers additional information to enable them to take another run at the IRS Electronic Filing PIN system.