Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System

itwbennett writes: In January attackers targeted an IRS Web application in an attempt to obtain E-file PINs corresponding to 464,000 previously stolen social security numbers (SSNs) and other taxpayer data. The automated bot was blocked by the IRS after obtaining 100,000 PINs. The IRS said in a statement Tuesday that the SSNs were not stolen from the agency and that the agency would be notifying affected taxpayers.

I have a datafile

[buchner.johannes]

with ten-thousand 4-digit PINs. Interested?

Re:

[110010001000]

Is my PIN in there? It is "1234"

Re:

[Anonymous Coward]

So you got hacker problems,
I feel bad for you son.
I got 9,999 PIN codes,
but "1234" ain't one.

Re:

[Sax Russell 5449D29A]

I think you have one duplicate there. I don't trust your data to be correct.

Re:

[immortalpob]

Is 0000 not a valid four digit number?

Re:

[Sax Russell 5449D29A]

I don't trust anyone in IT who doesn't start counting from 0. :-)

Re:

[SQLGuru]

IRS PIN codes are 5 digits. Your file is worthless. I, on the other hand, have the 100,000 entry file that you need.

Good opportunity for legal earnings

[SuperKendall]

I'm pretty sure I forgot my e-file pin, it would be ever so helpful if the hackers would offer to sell it to me for a reasonable fee so I wouldn't have to go through the bother of a reset.

Excellent!

[avandesande]

Would love to be hacked and have someone pay my back taxes for me!

Re:Excellent!

[quetwo]

If it only worked that way. The real game they are playing is to file your taxes with a bunch of fake dependents, every dedication they can take, etc., in order to drive up a refund. They then send the refund to a bank account they own and run away with the money, usually several thousand dollars. This often happens without you knowing at all. When you try to submit your real tax return, the IRS bounces it because you already filed. You then have to go through all sorts of hoops to prove to the IRS you are filing your real taxes and you don't need to pay them back the refund they've already send "you".

It happened to one of my co-workers last year. He didn't get it cleaned up until nearly August -- and he had to spend several hundred hours on the phone, in court, at the IRS office, etc. to get everything straightened out.

Re:

[sumdumass]

This. . Except that the bank account is typically a prepaid credit card which is almost untraceable. In order to efile tax returns for others the IRS requires a pin they assign to the preparers. If they suspect a pin number, its a hassle for one preparer but they can hold the returns filled until verified and issue a replacement pin. This will be extremely complex in the middle of the tax season with thousands.

Re:

[rtb61]

Yeah, real warning in that, you do not hack the IRS, the IRS hacks you and in every way imaginable. The amount of investigatory they will put into this hack will be positively mind boggling, ain't no company going to say no to the IRS's request for information.

Re:

[Marxist Hacker 42]

Early August? He did well, must have filed in January. I didn't get mine until November.

Re:Excellent!

[Mateorabi]

If e-file is blocked you paper file. It takes several affidavits and certified mail and some phone calls, not 100s of hours and court. Though in my case they sent ME the initial "we think something's hinkey with your return" letter before I had even tried to file. I did have to wait 6 months from April to get the check in the mail.

What annoys me is that the IRS reps always give you a condescending tone about getting your taxes in early, because first-through-the-gate wins. They ignore the fact that fraudsters are making up the filing data and don't have to wait for the actual W2 to get sent out. It's February and I'm still waiting on some 1099s to finish my paperwork.

I'm a bit scared now because their PIN system was down last Nov/Dec, and when I tried to get in early January after it was back up an account had already been made and PIN accessed but I have no memory of signing up. I was able to "recover" the account. The lady on the phone with IRS insisted I just forgot I had done it already (impossible) and insisted there was no way I was hacked and recommended AGAINST voiding the PIN and getting a replacement--which is apparently a PITA for them and a huge delay to file. "Just file early" she said.....

Re:

[WSOGMM]

Great! Maybe they can help me remember my pin

Password Security 101

[14erCleaner]

Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now. While this allows for denial-of-service attacks, it seems better than allowing a bot to try 1000 passwords per second until it succeeds.

Re:

[Jason Levine]

I recently read my boys (12 and 8) Lauren Ipsum: A Story About Computer Science and Other Improbable Things. It's sort of like computer science meets Alice in Wonderland. In one of the chapters, she has to guess a password. She notices that the little old lady working security (who looks the passwords up in a big book) takes longer to deny access as Lauren gets closer to the right word. So when she gives "About", the lady says "A... B... O... No", but if Lauren gave "Abrupt", the lady would say "A... B.

RTFA

[jklovanc]

The app requires taxpayer information such as name, Social Security number, date of birth and full address.

It was not brute force. They had a lot more information about the person to get the PIN.

Re:Password Security 101

[amicusNYCL]

Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now.

Yes, and obviously the IRS is using such a system. They have a rule in their firewall which says something like "if the IP address makes 100,000 requests within a minute, then block it." Boom, problem solved. Intrusion Detection systems have come a long way, and the IRS is leading the way.

Re:

[gstoddart]

Since when do systems allow brute-force attacks on PIN numbers?

Who said brute force?

The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

This sucker just harvested them.

Because, really, HOW many different places will have those 4 pieces of information? I'm betting FAR too many for comfort ... and I'm betting s

Re:

[SQLGuru]

I'm ready for a system where I don't have to bother filing taxes........either a flat tax that is taken out of each paycheck or a national sales tax where it's taken at the register or whatever. I know taxes are needed to pay for stuff for the greater good, but holy cow, taxes are a pain. I'll pay my fair share (emphasis on fair), just make it easier for me.

Government fucks up security

[Anonymous Coward]

What else is new?

No kidding...

[__aaclcg7560]

That's probably why the IRS sent me a letter with my 2014 IP PIN and a follow-up letter that I should use my 2014 IP PIN for filing my taxes. Filed my taxes through H&R Block and my return got accepted yesterday.

Re:

[jklovanc]

Wrong. The Affordable Care Act (some call it Obamacare) is administered by the Health and Human Services Department. [hhs.gov]

Re:

[Coren22]

Yeah, the IRS only charges you a fee if you don't have approved insurance, hardly the same thing as managing our health insurance, or even health care.

Re:

[__aaclcg7560]

Yeah, the IRS only charges you a fee if you don't have approved insurance, hardly the same thing as managing our health insurance, or even health care.

God forbid that you ever owe for being a member of society.

Re:

[Coren22]

I'm not sure that you are arguing against something I said. I merely pointed out that the IRS does not administer the ACA, but only charges the fee if you choose to go without insurance. I was pointing out that Archangel Michael was mischaracterizing how much the IRS is involved with the ACA.

Re:

[__aaclcg7560]

I'm not sure that you are arguing against something I said.

I'm not sure either. Today has been one catastrophic brain fart after another on Slashdot. I guess my skinny vanilla latte haven't kicked in this morning.

Re:

[Anonymous Coward]

Owe a fucking corrupt corporation!?! Are you fucking shitting me? I pay taxes for things like roads, cops and soldiers. But Why the Fuck do I have to pay the rich bastards who own Humana? And as far as HHS administering it? What the hell do they do besides rubber-stamping rate increases?

Re:

[__aaclcg7560]

Owe a fucking corrupt corporation!?! Are you fucking shitting me?

Private citizens pay the government first before spending their money. Corporate citizens pay the government last after spending their money. The tax laws are in favor of the corporations and not individuals.

Re:

[Archangel Michael]

Tax laws are in favor of those that can pay off the politicians the most. All taxes are regressive.

Re:

[__aaclcg7560]

Tax laws are in favor of those that can pay off the politicians the most. All taxes are regressive.

Corporations are doing a fine in paying less in regressive taxes. Why not join them?

Re:

[Archangel Michael]

God forbid that you ever owe for being a member of society.

Being a member of society is not the same as involuntary servitude (13th Amendment). Got it. YOU MUST PAY to belong! So much for free association (1st Amendment).

This is why socialists suck. They have no clue how they enslave a society.

Re:

[amicusNYCL]

In case you're curious, this is how APK spent his day yesterday. I see about 7 waking hours throughout the day when he was not trolling Slashdot, although I may have missed a few posts. All times are correct at least for my timezone. The vast majority of these are replies to you (that's how it's easy to find them - just go through your post history and he's there like stink on shit), some of the ones late at night were trolling replies to me. This is who we're dealing with. Something tells me that this

Re:

[amicusNYCL]

That's interesting, I saw him posting in the article about Sourceforge. I didn't see him mention APK though. It's probably worth linking him to this list.

Re:

[Coren22]

I missed it as well, perhaps it was in the Slashdot improvements article.

Re:

[amicusNYCL]

Here it is [slashdot.org]. I kind of appreciate the vagueness of it. Hopefully they aren't just outright stopping the AC tradition though, that would probably be overkill, even for APK.

Re:

[Coren22]

That whole string is awesome, I had to chip in a bit. I think it is hilarious AmiMoJo is posting against APK being silenced, but would gladly silence people who disagree with women...

Re:

[Coren22]

Yeah, he does so enjoy doing that. I think he has a script, because it seems like he replies to every one of my replies within a short amount of time. I try to keep the conversation to a single thread though. This time it is at least only 2 posts to each one. Last time he got a bug up his rear it was 5 posts to every post I made, which of course pisses everyone off.

Re:

[cybordeath]

I wouldn't worry too much about it, he probably just wants your cock; that or he's using you as an excuse to spam his HOSTS engine garbage

Re:

[cybordeath]

You don't even need to look at the post history to see that, just check out my homepage APK :)

Re:

[omnichad]

And those don't even count the recent replies to me. Since he brought it up, and it was on-topic (claim that all ads are served from a different domain to the main site), I had to mention that a HOSTS file can't even block his OWN abuse ads on Slashdot.

Course I went into an amusing look into his history with CA [thorschrock.com], where his legal "threats" resulted in him "winning" because he filled out their 21 question form to be removed as a false positive for malware. You know, what you would do if you don't hire a lawy

Re:

[amicusNYCL]

He'll probably reply to this and still link to my previous comment and claim again that he "won" and that I must accept that he's right.

Of course he will, that's all he does. After all, your comment failed to prove him "technically and validly wrong", right? Therefore, obviously he won. It doesn't matter that you're not trying to prove him wrong in the first place and that he's the only one playing that game, he still wins. That's the game, it's called "I win", and he's the only one who ever plays it. Then he'll follow up that post with 4 other anonymous posts where he refers to himself in the third person but still uses phrases like "

Re:

[omnichad]

All from public information he's posted himself, in case you were curious.
Alexander Peter Kowalski AKA alecstaar [slashdot.org]
903 East Division Street Syracuse, N.Y

apk4776239@hotmail.com

I can't even imagine...
http://www.esciudad.com/casas/... [esciudad.com]

Re:

[amicusNYCL]

I haven't had the good fortune to read through that thread responding to John Carmack, that's awful. That's one of those things that makes you cringe for the person who doesn't get it. He posts a question to Carmack, and then the next day some AC replies kind of trolling him. 4 days after that the crapflood hits. He posts at (my times) 11:47am, 11:55, 11:58, 12:04, 12:10, 12:25, 12:39, all anonymous replies appearing to come from a third person (not APK), all saying the same crap as if all of a sudden 4

Re:

[omnichad]

The birth of a troll. Not that he hadn't been kicked out [antionline.com] of several other online forums for the same behavior. I've had some fun googling the alecstaar username and seeing his banned self [arstechnica.com] being talked about as a sort of trolling legend, while most are unaware of his Slashdot antics.

Or weirder, making coherent positive [techpowerup.com] contributions [techguy.org] on other web sites.

Im genuinely curious about what makes him tick

It looks like severe bipolar disorder, with Persecutory delusions - http://psycheducation.org/diag... [psycheducation.org]

Re:

[amicusNYCL]

Well, I'm not going to be sorry to see him go. He's been trolling me for months after I called him out to stop with all of the spam he posts. I've emailed Slashdot about it asking if they can add some more filters specifically to block his post content (which it sounds like they're going to do), I've been emailing the people he cites as those who recommend his software to let them know how he's using their reputations in his spam, etc. He's been taunting me non-stop about how no one can affect him, etc.

Re:

[omnichad]

Entirely ironic that he spams an ad-blocking program. And then will complain when his ads....get blocked.

Re:

[amicusNYCL]

APK, the things that you do or say to me (or, for that matter, what any bipolar sociopath has to say) don't affect me, other than as a source of entertainment and possibly pity. Go ahead, let's hear again how nothing that I can do will affect you, because from what I hear you're about to see the effects. Slashdot is about to speak in a loud voice that your trollish shit is not welcome. It's a long time coming, and I will have zero sympathy for you when you're gone. You contribute nothing of value to thi

Re:

[amicusNYCL]

I like how you talk about the "risk of putting yourself out there", and then immediately follow that up 6 minutes later with a post where you act like you're someone else. Posts # 51500355 and 51500369 - 14 posts on Slashdot on Saturday morning and one of them just happened to be an anonymous supporter of yourself, and you still think that no one knows it's you. You're either a world-class hypocrite, or you are actually so bipolar that you really do think you're someone else. Maybe that's another persona

Re:

[Archangel Michael]

And you think that is any better? Or you just missing the point that the government agencies that need to protect our information the most, can't?

Not sure you made your case any better. ;-)

Re:

[jklovanc]

I realize you have the "Government bad" mind set but accuracy is important. You may as well blame the right department.

PIN numbers are a bad idea

[spork invasion]

The IRS really should assign everyone PINs or, preferably, better security. There's no good reason that additional security is restricted to people in Georgia, Florida, or those who have suffered tax-related identity theft. Also, why not simply maintain a registry of public keys for individuals? Require tax returns to be filed electronically and digitally sign them using the private key of individuals. As long as people don't allow anyone access to their private keys, this could prevent a lot of the problem

Re:

[Archangel Michael]

"As long as people don't allow anyone access to their private keys"

And there is the flaw in your plan.

Re:

[__aaclcg7560]

Require tax returns to be filed electronically and digitally sign them using the private key of individuals.

If you file your return electronically, you need to provide last year's adjusted gross income number, your own PIN or get a filing PIN.

https://www.irs.gov/Individuals/Electronic-Filing-PIN-Request [irs.gov]

I don't think the PINs were secret

[ErichTheRed]

I've been doing electronic tax filing since the days of yore, even back when the tax software was generating a special machine-readable "1040PC" form with all your data on one page. If I remember correctly, the PIN was supposed to be a replacement for your physical signature on the return, since the rules say you need to certify that you are submitting a true return and acknowledge the penalties for not doing so. So, I'm not sure it was a secret PIN in that sense.

BUT -- these e-filing services shouldn't be

Just think of the healthcare

[surfdaddy]

...and the government wants to move to e-records for your healthcare. So far I've been compromised with the Target breach, the Home Depot breach, the TMobile Experian breach. The government has been breached many times including this one to the tune of millions of people. You have to assume that your information is out there already. I'm not keen on moving to those electronic health records...

Re:

[svendsen]

Add to that the OPM breach. Good thing all my data AND finger prints were compromised.

IRS computer shutdown last week?

[OzPeter]

Seeing this makes me wonder if this was the real reason for the IRS stopping to accept electronically filed returns last week. No mention of it in TFA, but the Christian Science Monitor was a bit cynical when reporting Tax filing halted by IRS computer outage. Will refunds be delayed? [csmonitor.com] by putting quotes around the "hardware failure".

A "hardware failure" forced the shutdown of several tax processing systems, including the e-file system, the IRS said in a statement.

whereas the actual IRS statement was (in the same article)

The IRS experienced a hardware failure this afternoon affecting a number of tax processing systems, which are currently unavailable. Several of our systems are not currently operating, including our modernized e-file system and a number of other related systems. The IRS is currently in the process of making repairs and working to restore normal operations as soon as possible. We anticipate some of the systems will remain unavailable until tomorrow.

Re:

[Tighe_L]

I was thinking the same thing.

Re:

[avandesande]

I've had so many issues with the pin I gave up- print out the forms and mail them. It really isn't that hard!

Re:

[__aaclcg7560]

I filed my taxes through H&R block and informed 30 minutes that the IRS accepted my return earlier this week.

Re:

[omnichad]

Oh, I had mentally put my own quotes around "hardware failure" when I saw this last week.

So?

[BlckAdder]

Am I missing something here? What is the risk in someone having my SSN and e-file PIN? Are they going to file my taxes for me? Even if they file a fraudulent return and the IRS cuts a check to the bad guy, I'm not seeing any liability for me.

I had my SSN stolen and used once for illegal employment. I only found out when the IRS contacted me and asked why I hadn't filed my "other" W-2. It was pretty clear that I wasn't simultaneously working two full time jobs, and they quickly marked the other W-2 as frau

Re:

[spork invasion]

A fraudulent return means the IRS won't accept your legitimately filed return. As a result, you'll need to prove your identity to the IRS, and then wait a lengthy amount of time for them to process your return. This happened to my parents and it took a few months for them to get their refund. If the IRS owes you a refund, you won't get it for a long time. While you're not liable for the fraudulent return, you'll have to wait a long time for your refund and it's quite a hassle. Also, a substantial amount of

Re:

[BlckAdder]

That sounds annoying. Personally, I file early, always owe a little (no free loans from me, Uncle Sam), and pay at the last moment, so this doesn't seem like it would be a problem for me. Fortunately, it sounds like the IRS knows which PINs were compromised, so they'll be re-issued.

As for the fraud, sure, we don't want that, but this sounds like a drop in the bucket compared to other tales of government waste.

Re:

[SQLGuru]

They could file a return with faked data indicating "you" are to get a refund and even go so far as to receive the money. Then, when you go to file, either for your refund or to pay your taxes, you're screwed since "you" have already filed taxes.

Reassurances by PlacebosRus

[evolutionary]

Okay, I find it funny that the IRS reassuring people that SSN's were not stolen from them. Not sure it matters, the SSN' s were already stolen. All they wanted was the PINs and, Hey, 25% isn't bad. Still worth a fortune. Wonder if data would be safer being send by pigeon carrier. All these data breaches recently. FBI, CIA and the IRS.

Cat got my tongue

[Impy the Impiuos Imp]

"Not stolen from the agency."

Thieves' Computer: Is this a valid pin?

IRS' Computer: Nope

Thieves' Computer: Is this a valid pin?

IRS' Computer: Nope

Thieves' Computer: Is this a valid pin?

IRS' Computer: (Smirks and looks away) Nope!

What a PIN does

[avandesande]

All a PIN does is act as a proxy for a ink signature, an issue that the government hasn't been able to figure out yet.

Sue the government!

[AndyKron]

Everyone who gets a letter from the IRS saying their SSN was compromised needs to sue the government.

Re:

[Xtifr]

Ignoring sovereign immunity (and the all-too-typical American response of "let's sue!"), I can only imagine the results:

You: I'm suing the IRS for telling me my SSN was compromised!
IRS: Yes, when we discovered his SSN had been compromised, we notified him of the fact. Of course, we are in no way responsible for the compromise, so we have no idea why this idiot is suing us.
Judge: He is an idiot, isn't he? Case dismissed.

But on the bright side, you would have caused a federal lawyer and a judge to spend time

Another reason to make sure you owe taxes on 4/15

[AlanBDee]

I've been claiming 0 on my taxes so that I get a big refund. The logic is that it's easier for me to put away $3k on day then $115.0684931506849 every two weeks. I'm also quick to file my taxes because I want my money. For years this has worked well but now I think I should rethink my strategy.

Honeypot / Prevention

[Etherwalk]

How is it that these people don't get tracked?

Require refunds to go to a domestic bank with an account name matching the name on the return. Better yet, require refunds to be processed through the employer who collected the taxes in the first place if the taxpayer is still employed there.

Re:

[omnichad]

Prepaid debit cards, like Serve and Chime will often give you a routing number and account number to deposit your refund on. While they are supposed to have the same DHS identity verification as a real bank account, I'm not sure if it's just as secure. The funds are available via the credit card number, which could be used anywhere - even if the physical card never made it overseas.

For one, they could be reloading prepaid debit cards purchased to pay off scammers who encrypted someone's computer, rather t