Government Security

Sign Up At irs.gov Before Crooks Do It For You 349

tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.

  • by myvirtualid ( 851756 ) <pwwnow AT gmail DOT com> on Monday March 30, 2015 @02:20PM (#49372773) Journal

    For years, CRA, the Canadian equivalent to the IRS, has been including Web Authentication Codes (WACs) with the annual notice of assessment, that is, their summary of your personal income tax submission, snail mailed to your address of record some weeks after you submit your personal tax return.

    Your WAC changes every year. Without it, you cannot access your account in CRA's online systems.

    And it isn't enough: You also need your SIN and the amount recorded on a particular line of your return (or notice, I cannot remember which).

    Now here is where my memory gets hazy: Once you register for online access, I think they might send a one-time code to your address, which is required to activate your account.

    The only way to subvert this system is to tamper with postal delivery, which means fraudsters must take specific, intentional action and break multiple federal laws (postal acts, the income tax act, etc.). There ain't no easy to guess stuff in the Canadian system. The bar is sufficiently high, the risks to fraudsters very high, i.e., hard time.

    • Similar in Australia. Validation for online lodgement of taxes with the ATO (Aust. Tax Office) requires:

      - Tax File Number (analogous to ITIN in US or SIN in Canada)
      - Reference ID number from previous year's Notice of Assessment
      - An amount paid or owed, from a previous year's NoA or other bill

      I am not aware of any identity theft or security breach that has occurred through this system, which has been running for over a decade.

  • Sign up? (Score:5, Informative)

    by TechyImmigrant ( 175943 ) on Monday March 30, 2015 @02:27PM (#49372851) Homepage Journal

    I just went to www.irs.gov [irs.gov]

    The advice to sign up there may be reasonable, but the words 'sign up' or anything semantically similar do not appear on the front page. It's not obvious where you would go to try to sign up.

    It's not https either.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It's "get my transcript" (from the article's link)

    • Re:Sign up? (Score:5, Interesting)

      by mellon ( 7048 ) on Monday March 30, 2015 @02:41PM (#49372991) Homepage

      Request a transcript, like the author of the article did. However, bear in mind that if you register for an account, now all a fraudster needs to get into your irs.gov account is pwnership of your computer, which may be even easier to get than the personal information required to sign up.

    • Re:Sign up? (Score:4, Informative)

      by Coren22 ( 1625475 ) on Monday March 30, 2015 @02:50PM (#49373079) Journal

      Following the links in TFA, it leads me to here:

      https://sa.www4.irs.gov/icce-c... [irs.gov]

      I agree however, I would not even think of clicking a Get Transcripts button in order to create an IRS account.

  • I just now created an account. There's no login button on the top page -- you have to enter into some kind of transaction before it'll give you the option of logging in or creating a new account. (I chose to view a transcript for a past year.)

    Once the process gets going, it's a little *too* straightforward. The information you need to create an account could easily be socially engineered. Current address, age, full name and SS# are all required information on any loan application, for instance. It then

    • The 'hard' questions were things like 'what was your monthly payment on that loan'. There were 2 hard questions, each with 4 choices. So that's 3 bits of information. You would expect to guess correctly 1 in 8 times. So if you have a database of SSNs and names and DOBs, you can succeed first time on 12.5% of them on average.

      • Sorry. 4 bits. 1/16. 6.25%

      • Yeah, 'hard'. Take the street address and get the public property record from the purchase and assume a 30-year loan from the date of purchase. Not hard to estimate at ALL unless there was a substantial down payment.

      • None of my questions were "hard". 3 were the street, city, and county of somewhere I had lived - and the correct options were all for one address. And the other question was what bank did you open a credit card with in 2005. So anywhere I had something shipped from that I paid via a credit card had all the answers in that one transaction.

  • I just created my account and had to try 5 times before it accepted a randomly-generated password I created programmatically. All 5 randomly generated passwords were validated by the on-page Javascript, but upon submitting the form they were rejected with no stated reason.

    The key to finally getting one accepted was selecting a very short one. 47 characters was nixed, as was 32 and a few other, shorter ones. It finally accepted what I would consider to be a not-even-close-to-long-enough password for somethin

  • From the article:

    For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

    Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

    How can anyone in college not suspect that sending money to strangers in Nigeria might somehow involve something illegal?
    Is it possible that someone is telling fibs? Oh my stars, I'm feeling dizzy.

    • How can anyone in college not suspect that sending money to strangers in Nigeria might somehow involve something illegal?

      Insert Einstein quote about infinite stupidity here.

      Seriously, there are just some people that "smacking with a clue by 4" shouldn't just be a metaphor. If you accept a deposit into your account and forward it to Nigeria via Western Union, the punishment should be that the victim gets to use an actual 2x4 on you wherever he wants (in addition to any criminal penalties).

      Alternative propos

  • by RobinH ( 124750 ) on Monday March 30, 2015 @03:07PM (#49373229) Homepage
    I was signing up for something through my bank, and it was asking me some of these questions like, "Which of these employers did you previously work for?" Unfortunately none of them were correct (this wasn't a huge surprise because I had already tried to correct my credit report information... they seem to have me confused with someone else). That meant I couldn't continue, but it turns out if you start the test over again, it gives you the same question but randomly selects the "wrong" answers. All I had to do was remember what the original multiple-choice answers were, and pick the one that didn't change. Basically that means there's almost zero security with this method of authentication.
    • by McKing ( 1017 )
      This is why the method of answering "security questions" for resetting a password has been frowned upon in security circles for about 10 years now. For some reason there are still a lot of large businesses that haven't got the memo that with a little social engineering an attacker can find out enough about a person from public records, social media, etc to answer these questions in order to obtain a password reset screen. That's exactly how some high-visibility attacks occurred over the last few years, for
    • by vanyel ( 28049 )

      I treat such questions as passwords and never put real info in them. If they're basing it on info they think they already have, they should be slapped hard.

      • by pla ( 258480 )
        I treat such questions as passwords and never put real info in them. If they're basing it on info they think they already have, they should be slapped hard.

        This, so much this! It really annoys me that sooo many sites all ask questions from the same pool of stupid biographical data, thereby making guessing them almost trivial for people like vengeful ex-wives and rogue IT staff at any random website that collects password reset questions.

        Mother's maiden name? "handlebar mustache"
        First pet's name? "fur
    • Wow, so getting scammed by former co-workers is easy. As is anyone who knows how to Google LinkedIn.
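Prompted by RobinH's observation above (re-randomised multiple-choice distractors let a repeat attempt pick the one option that never changes) and the guess-probability arithmetic in the earlier replies, here is an added Python example, not from the thread or from any IRS or bank system, showing an audit check a KBA implementer can run: the weak re-randomising generator beside one that derives a fixed distractor set per user from a keyed hash, plus the blind-guess success rate for a given retry budget. The employer pool, user id and server secret are constructed values.

```python
import hashlib
import hmac
import random

# Constructed sample data (not from the thread): a pool of plausible distractor
# answers and the correct answer for one hypothetical user.
EMPLOYER_POOL = [f"Employer-{i:02d}" for i in range(40)]
CORRECT = "Acme Widgets"
USER_ID = "user-42"

def choices_rerandomised(correct, pool, rng, n_distractors=3):
    """Weak scheme: fresh random distractors on every attempt."""
    choices = rng.sample(pool, n_distractors) + [correct]
    rng.shuffle(choices)
    return choices

def choices_stable(user_id, correct, pool, secret, n_distractors=3):
    """Hardened scheme: distractors derived from HMAC(secret, user_id), so
    every attempt shows the same set and repeating the quiz reveals nothing."""
    digest = hmac.new(secret, user_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    choices = rng.sample(pool, n_distractors) + [correct]
    rng.shuffle(choices)
    return choices

def answer_leaks_by_intersection(sessions):
    """Audit check: does intersecting the choice sets shown across several
    attempts leave exactly one candidate (which must be the correct answer)?"""
    common = set(sessions[0])
    for shown in sessions[1:]:
        common &= set(shown)
    return len(common) == 1

def audit_rerandomised(n_attempts=8, seed=1234):
    rng = random.Random(seed)  # seeded only so the audit is reproducible
    shown = [choices_rerandomised(CORRECT, EMPLOYER_POOL, rng) for _ in range(n_attempts)]
    return answer_leaks_by_intersection(shown)

def audit_stable(n_attempts=8):
    secret = b"constructed-server-side-secret"  # would live in a key store
    shown = [choices_stable(USER_ID, CORRECT, EMPLOYER_POOL, secret) for _ in range(n_attempts)]
    return answer_leaks_by_intersection(shown)

def blind_guess_success(n_questions, n_choices, attempts):
    """Probability a guesser with no knowledge passes within `attempts` tries
    (the thread's 2 questions x 4 choices case gives 1/16 per try)."""
    p_try = (1.0 / n_choices) ** n_questions
    return 1.0 - (1.0 - p_try) ** attempts
```

With unlimited retries the stable distractor set only removes the intersection shortcut; the blind-guess figure is what an attempt limit or lockout has to bound.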

  • Beautiful - take an organization that processes billions of dollars of other people's money, and add security not much better than any random web shop. I just went through the process - they ask for only one single piece of information that isn't easily available: the filing status on your last return. Of course, there aren't many choices, and you can try as many times as you want, so there's no penalty for guessing.

    For laughs, they think your SSN is super secret, because the first two parts are in a passwo

    • I'm a victim of identity theft and so my SSN is already out there (along with my name, address, and DOB). It's scary if they give a drop down with a small selection of N options and let you retry N times. I never thought that anyone could out-security theater the TSA, but it looks like the IRS has done it.

  • My mom called me and told me that my brother had this very thing happen to him. He had to fill out some paperwork, and now has to wait up to 180 days for his return.

    I'm about to file, and I'm scared to find out if I'll have the same problem.

  • by JSmooth ( 325583 ) on Monday March 30, 2015 @03:34PM (#49373477)

    This is what you get with the lowest bidder.

    Password ended in a '%'

    Got this error:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, apache@%{Host}.rup.afsiep.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

  • It's convenient to complain about the IRS, but its flaws are a result of our own animus. Note the flaws of the agency are separate from those of the underlying tax code it has to administer, which it does not write (blame Congress for that).

    We don't want to fund the IRS, so its budget keeps getting cut, while the list of demands placed upon it increases. Nobody likes the IRS, so it has difficulty attracting high-quality job applicants. Would you want to work for an agency constantly being berated for doi

  • by Jason Levine ( 196982 ) on Monday March 30, 2015 @03:44PM (#49373587) Homepage

    From the article:

    “Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

    My identity was stolen once. Someone got my name, DOB, SSN, and mailing address. They used this to open a credit card (*cough*Capital One*cough*) in my name. Due to a quirk, I was lucky and the card came to me, not them. Once I reported it as fraudulent (after having to argue that, no, my wife who was standing RIGHT THERE didn't open it under my name without telling me), they refused to tell me where the card was supposed to have gone to. They told me that this was because if they told me and I went and shot the person, they would be liable. Then, they proceeded to stonewall both me and the police until the investigation was dropped.

    The lesson here? Companies (and government agencies) don't care about you. Fraud can be written off and is no big deal to them even if it ruins your credit rating and takes years of your life to fix. For them, that's just one line item in a million. I was lucky that I didn't lose anything and it was relatively easy to fix (close fraudulent account, freeze credit file), but others aren't so lucky.

    • Replying to myself, I know, but please tell me I'm reading this wrong:

      The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

      They identify the person who got the fraudulent $8,000+ tax return and who spent the money and the response is "Will you return the money? Pretty please with sugar on top?" If someone files a fraudulent tax return, collects the money, and spen

    • My identity was stolen once

      Not to belittle the experience you went through, but this would happen less if people fought back against the banks. Remember, there is no such thing as identity theft. Nobody can steal a "number" from you.

      The actual crime that is taking place is bank fraud. If someone walks into a bank (or online), fraudulently represents themselves, and gets money from the bank - exactly what part of that are you liable for? An appropriate legal threat for any personal ramifications or credit file tampering from fra

  • by Scragglykat ( 1185337 ) on Monday March 30, 2015 @04:08PM (#49373821)
    IRS.gov looks like a GoDaddy placeholder... I don't want to sign up there.
