Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System

itwbennett writes: In January attackers targeted an IRS Web application in an attempt to obtain E-file PINs corresponding to 464,000 previously stolen social security numbers (SSNs) and other taxpayer data. The automated bot was blocked by the IRS after obtaining 100,000 PINs. The IRS said in a statement Tuesday that the SSNs were not stolen from the agency and that the agency would be notifying affected taxpayers.

  • by buchner.johannes ( 1139593 ) on Wednesday February 10, 2016 @02:33PM (#51480533) Homepage Journal

    with ten-thousand 4-digit PINs. Interested?

  • by SuperKendall ( 25149 ) on Wednesday February 10, 2016 @02:34PM (#51480543)

    I'm pretty sure I forgot my e-file pin, it would be ever so helpful if the hackers would offer to sell it to me for a reasonable fee so I wouldn't have to go through the bother of a reset.

  • by avandesande ( 143899 ) on Wednesday February 10, 2016 @02:35PM (#51480561) Journal
    Would love to be hacked and have someone pay my back taxes for me!
    • Re:Excellent! (Score:5, Informative)

      by quetwo ( 1203948 ) on Wednesday February 10, 2016 @05:14PM (#51482059) Homepage

      If it only worked that way. The real game they are playing is to file your taxes with a bunch of fake dependents, every deduction they can take, etc., in order to drive up a refund. They then send the refund to a bank account they own and run away with the money, usually several thousand dollars. This often happens without you knowing at all. When you try to submit your real tax return, the IRS bounces it because you already filed. You then have to go through all sorts of hoops to prove to the IRS you are filing your real taxes and you don't need to pay them back the refund they've already sent "you".

      It happened to one of my co-workers last year. He didn't get it cleaned up until nearly August -- and he had to spend several hundred hours on the phone, in court, at the IRS office, etc. to get everything straightened out.

      • This. Except that the bank account is typically a prepaid credit card which is almost untraceable. In order to efile tax returns for others the IRS requires a pin they assign to the preparers. If they suspect a pin number, it's a hassle for one preparer but they can hold the returns filed until verified and issue a replacement pin. This will be extremely complex in the middle of the tax season with thousands.

      • by rtb61 ( 674572 )

        Yeah, real warning in that, you do not hack the IRS, the IRS hacks you and in every way imaginable. The amount of investigatory they will put into this hack will be positively mind boggling, ain't no company going to say no to the IRS's request for information.

      • Early August? He did well, must have filed in January. I didn't get mine until November.

      • Re:Excellent! (Score:4, Informative)

        by Mateorabi ( 108522 ) on Thursday February 11, 2016 @01:28AM (#51485047) Homepage
        If e-file is blocked you paper file. It takes several affidavits and certified mail and some phone calls, not 100s of hours and court. Though in my case they sent ME the initial "we think something's hinkey with your return" letter before I had even tried to file. I did have to wait 6 months from April to get the check in the mail.

        What annoys me is that the IRS reps always give you a condescending tone about getting your taxes in early, because first-through-the-gate wins. They ignore the fact that fraudsters are making up the filing data and don't have to wait for the actual W2 to get sent out. It's February and I'm still waiting on some 1099s to finish my paperwork.

        I'm a bit scared now because their PIN system was down last Nov/Dec, and when I tried to get in early January after it was back up an account had already been made and PIN accessed but I have no memory of signing up. I was able to "recover" the account. The lady on the phone with IRS insisted I just forgot I had done it already (impossible) and insisted there was no way I was hacked and recommended AGAINST voiding the PIN and getting a replacement--which is apparently a PITA for them and a huge delay to file. "Just file early" she said.....
    • by WSOGMM ( 1460481 )
      Great! Maybe they can help me remember my pin
  • Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now. While this allows for denial-of-service attacks, it seems better than allowing a bot to try 1000 passwords per second until it succeeds.
    • I recently read my boys (12 and 8) Lauren Ipsum: A Story About Computer Science and Other Improbable Things. It's sort of like computer science meets Alice in Wonderland. In one of the chapters, she has to guess a password. She notices that the little old lady working security (who looks the passwords up in a big book) takes longer to deny access as Lauren gets closer to the right word. So when she gives "About", the lady says "A... B... O... No", but if Lauren gave "Abrupt", the lady would say "A... B.

    • The app requires taxpayer information such as name, Social Security number, date of birth and full address.

      It was not brute force. They had a lot more information about the person to get the PIN.

    • by amicusNYCL ( 1538833 ) on Wednesday February 10, 2016 @03:04PM (#51480895)

      Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now.

      Yes, and obviously the IRS is using such a system. They have a rule in their firewall which says something like "if the IP address makes 100,000 requests within a minute, then block it." Boom, problem solved. Intrusion Detection systems have come a long way, and the IRS is leading the way.

    • Since when do systems allow brute-force attacks on PIN numbers?

      Who said brute force?

      The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

      This sucker just harvested them.

      Because, really, HOW many different places will have those 4 pieces of information? I'm betting FAR too many for comfort ... and I'm betting s
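
Added example, not part of the original discussion and not IRS code: the two controls argued over in this subthread side by side, a per-identity lockout after failed lookups and a per-source cap on distinct identities queried. The thresholds, class name and traffic are constructed assumptions; the simulation shows that a harvester submitting correct stolen data never trips the lockout and is stopped only by the per-source cap.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against real traffic.
MAX_FAILS = 5         # failed lookups tolerated per identity per window
MAX_IDENTITIES = 20   # distinct identities one source may query per window
WINDOW = 3600         # sliding window, in seconds

class LookupGuard:
    """Hypothetical guard in front of a PIN-retrieval endpoint."""

    def __init__(self):
        self.fails = defaultdict(deque)  # identity -> times of failed lookups
        self.seen = defaultdict(dict)    # source -> {identity: last seen}
        self.blocked = set()             # sources held until an operator reviews

    def check(self, now, source, identity, matched):
        """Return 'allow', 'lockout' or 'block_source' for one lookup."""
        if source in self.blocked:
            return "block_source"
        fails, ids = self.fails[identity], self.seen[source]
        while fails and now - fails[0] > WINDOW:       # expire old failures
            fails.popleft()
        for old in [i for i, t in ids.items() if now - t > WINDOW]:
            del ids[old]                               # expire old identities
        ids[identity] = now
        if len(ids) > MAX_IDENTITIES:   # one client asking about many people
            self.blocked.add(source)
            return "block_source"
        if len(fails) >= MAX_FAILS:     # repeated wrong data for one person
            return "lockout"
        if not matched:
            fails.append(now)
        return "allow"

def simulate():
    """Constructed traffic: harvester, guesser, locked-out victim, normal user."""
    g = LookupGuard()
    # Harvester: correct stolen data, a new identity every second.
    harvested = sum(g.check(t, "bot", f"id{t}", True) == "allow"
                    for t in range(1000))
    # Guesser: wrong data for a single identity.
    guesses = [g.check(2000 + t, "guesser", "victim", False) for t in range(8)]
    # The real owner is now locked out too: the denial-of-service trade-off.
    victim = g.check(2010, "victim-home", "victim", True)
    legit = g.check(3000, "home", "alice", True)
    return harvested, guesses, victim, legit
```

With these assumed limits the harvester is cut off after 20 lookups, while the guesser's five failures lock the identity for everyone, including its real owner.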

  • by Anonymous Coward

    What else is new?

  • That's probably why the IRS sent me a letter with my 2014 IP PIN and a follow-up letter that I should use my 2014 IP PIN for filing my taxes. Filed my taxes through H&R Block and my return got accepted yesterday.
  • The IRS really should assign everyone PINs or, preferably, better security. There's no good reason that additional security is restricted to people in Georgia, Florida, or those who have suffered tax-related identity theft. Also, why not simply maintain a registry of public keys for individuals? Require tax returns to be filed electronically and digitally sign them using the private key of individuals. As long as people don't allow anyone access to their private keys, this could prevent a lot of the problem

  • I've been doing electronic tax filing since the days of yore, even back when the tax software was generating a special machine-readable "1040PC" form with all your data on one page. If I remember correctly, the PIN was supposed to be a replacement for your physical signature on the return, since the rules say you need to certify that you are submitting a true return and acknowledge the penalties for not doing so. So, I'm not sure it was a secret PIN in that sense.

    BUT -- these e-filing services shouldn't be

  • ...and the government wants to move to e-records for your healthcare. So far I've been compromised with the Target breach, the Home Depot breach, the TMobile Experian breach. The government has been breached many times including this one to the tune of millions of people. You have to assume that your information is out there already. I'm not keen on moving to those electronic health records...

  • by OzPeter ( 195038 ) on Wednesday February 10, 2016 @02:55PM (#51480795)

    Seeing this makes me wonder if this was the real reason for the IRS stopping to accept electronically filed returns last week. No mention of it in TFA, but the Christian Science Monitor was a bit cynical when reporting "Tax filing halted by IRS computer outage. Will refunds be delayed?" by putting quotes around the "hardware failure".

    A "hardware failure" forced the shutdown of several tax processing systems, including the e-file system, the IRS said in a statement.

    whereas the actual IRS statement was (in the same article)

    The IRS experienced a hardware failure this afternoon affecting a number of tax processing systems, which are currently unavailable. Several of our systems are not currently operating, including our modernized e-file system and a number of other related systems. The IRS is currently in the process of making repairs and working to restore normal operations as soon as possible. We anticipate some of the systems will remain unavailable until tomorrow.

  • Am I missing something here? What is the risk in someone having my SSN and e-file PIN? Are they going to file my taxes for me? Even if they file a fraudulent return and the IRS cuts a check to the bad guy, I'm not seeing any liability for me.

    I had my SSN stolen and used once for illegal employment. I only found out when the IRS contacted me and asked why I hadn't filed my "other" W-2. It was pretty clear that I wasn't simultaneously working two full time jobs, and they quickly marked the other W-2 as frau

    • A fraudulent return means the IRS won't accept your legitimately filed return. As a result, you'll need to prove your identity to the IRS, and then wait a lengthy amount of time for them to process your return. This happened to my parents and it took a few months for them to get their refund. If the IRS owes you a refund, you won't get it for a long time. While you're not liable for the fraudulent return, you'll have to wait a long time for your refund and it's quite a hassle. Also, a substantial amount of

      • That sounds annoying. Personally, I file early, always owe a little (no free loans from me, Uncle Sam), and pay at the last moment, so this doesn't seem like it would be a problem for me. Fortunately, it sounds like the IRS knows which PINs were compromised, so they'll be re-issued.

        As for the fraud, sure, we don't want that, but this sounds like a drop in the bucket compared to other tales of government waste.

    • by SQLGuru ( 980662 )

      They could file a return with faked data indicating "you" are to get a refund and even go so far as to receive the money. Then, when you go to file, either for your refund or to pay your taxes, you're screwed since "you" have already filed taxes.

  • Okay, I find it funny that the IRS is reassuring people that SSNs were not stolen from them. Not sure it matters, the SSNs were already stolen. All they wanted was the PINs and, Hey, 25% isn't bad. Still worth a fortune. Wonder if data would be safer being sent by pigeon carrier. All these data breaches recently. FBI, CIA and the IRS.
  • "Not stolen from the agency."

    Thieves' Computer: Is this a valid pin?

    IRS' Computer: Nope

    Thieves' Computer: Is this a valid pin?

    IRS' Computer: Nope

    Thieves' Computer: Is this a valid pin?

    IRS' Computer: (Smirks and looks away) Nope!

  • All a PIN does is act as a proxy for an ink signature, an issue that the government hasn't been able to figure out yet.
  • Everyone who gets a letter from the IRS saying their SSN was compromised needs to sue the government.
    • by Xtifr ( 1323 )

      Ignoring sovereign immunity (and the all-too-typical American response of "let's sue!"), I can only imagine the results:

      You: I'm suing the IRS for telling me my SSN was compromised!
      IRS: Yes, when we discovered his SSN had been compromised, we notified him of the fact. Of course, we are in no way responsible for the compromise, so we have no idea why this idiot is suing us.
      Judge: He is an idiot, isn't he? Case dismissed.

      But on the bright side, you would have caused a federal lawyer and a judge to spend time

  • I've been claiming 0 on my taxes so that I get a big refund. The logic is that it's easier for me to put away $3k one day than $115.0684931506849 every two weeks. I'm also quick to file my taxes because I want my money. For years this has worked well but now I think I should rethink my strategy.

  • How is it that these people don't get tracked?

    Require refunds to go to a domestic bank with an account name matching the name on the return. Better yet, require refunds to be processed through the employer who collected the taxes in the first place if the taxpayer is still employed there.

    • Prepaid debit cards, like Serve and Chime will often give you a routing number and account number to deposit your refund on. While they are supposed to have the same DHS identity verification as a real bank account, I'm not sure if it's just as secure. The funds are available via the credit card number, which could be used anywhere - even if the physical card never made it overseas.

      For one, they could be reloading prepaid debit cards purchased to pay off scammers who encrypted someone's computer, rather t
