The US Internal Revenue Service said last week that the number of records it lost in a 2015 data breach is higher than it previously thought. When the agency first announced in May 2015 that hackers had broken into its website and stolen tax transcripts, it said that about 100,000 people were affected. It bumped that number up to 334,000 last August, and now says the number of records stolen is actually 724,000.
And it gets worse. To protect the victims of the data breach from further harm, the IRS provided them with “Identity Protection PINs.” The PINs are secret codes those taxpayers now have to put on all of their tax returns, or the IRS won’t accept them. As long as they keep their PINs secret, they should be safe from fraud.
For this master plan to work, though, the IRS would also have to keep the PINs secret. Unfortunately, it seems the agency is having some trouble with that.
Security researcher and journalist Brian Krebs reported yesterday (March 1) that at least one of the PINs has been compromised. An accountant in South Dakota, Becky Wittrock, told Krebs she was assigned her PIN in 2014, after she was a victim of fraud. When she filed her tax return this year, she found out the PIN had already been used:
Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.
But how could a secret code meant to stop fraud be used to commit more fraud? Get ready for some terrible/wonderful irony. If someone loses their PIN, they can retrieve it by logging into a service on the IRS website. And that login process is secured by the same technology that hackers broke through in the original data breach.
That technology is called Knowledge-Based Authentication, or KBA, which asks security questions to confirm a user’s identity. You’ve probably seen this before. KBA asks questions about a person’s credit history, like “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?” and provides multiple-choice answers.
The hackers who stole tax transcripts in the 2015 data breach found a way to correctly answer those questions on the IRS’s “Get Transcript” page, which has since been taken down. The service to retrieve an IP PIN not only stayed up, but was the only barrier between hackers and the secret codes given to the victims of the original breach. It’s been right there this entire time, still using KBA to verify users.
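The structural problem above is that a recovery path guarded only by KBA is weaker than the PIN it hands out, so the PIN adds nothing against anyone who can already pass KBA. From a monitoring standpoint, the article itself points at the signals a defender has: online PIN retrieval is rare (most taxpayers get their PIN by mail), a fraudulent return shows up as a second filing when the real taxpayer files, and KBA can be retried. The script below is an added illustration, not code from the article, Quartz, the IRS or Krebs; the event log, taxpayer ids, field names and the two thresholds are constructed placeholders, and the TP-0001 rows simply mirror the timeline described in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape (timestamp, taxpayer id, event, channel).
# These are made-up records for illustration, not IRS logs; ids and times are
# placeholders. TP-0001 mirrors the article's timeline: a PIN pulled through the
# online KBA tool, a filing on Feb 2, then the legitimate filing on Feb 25.
SAMPLE_EVENTS = [
    ("2016-01-29T10:02:00", "TP-0001", "ip_pin_retrieved", "online_kba"),
    ("2016-02-02T09:15:00", "TP-0001", "return_filed", "efile"),
    ("2016-02-25T14:30:00", "TP-0001", "return_filed", "efile"),
    ("2016-01-10T08:00:00", "TP-0002", "ip_pin_issued", "mail"),
    ("2016-02-20T11:00:00", "TP-0002", "return_filed", "efile"),
    ("2016-02-01T12:00:00", "TP-0003", "kba_failed", "online_kba"),
    ("2016-02-01T12:03:00", "TP-0003", "kba_failed", "online_kba"),
    ("2016-02-01T12:07:00", "TP-0003", "kba_failed", "online_kba"),
    ("2016-02-01T12:09:00", "TP-0003", "ip_pin_retrieved", "online_kba"),
]

# Assumed thresholds (not from the article): how soon after an online retrieval a
# filing is treated as suspicious, and how many failed KBA attempts per taxpayer
# warrant a look.
RETRIEVAL_WINDOW = timedelta(days=14)
KBA_FAILURE_LIMIT = 3


def group_by_taxpayer(events):
    """Parse timestamps and bucket events per taxpayer, oldest first."""
    by_taxpayer = defaultdict(list)
    for ts, taxpayer, event, channel in events:
        by_taxpayer[taxpayer].append((datetime.fromisoformat(ts), event, channel))
    for rows in by_taxpayer.values():
        rows.sort()
    return by_taxpayer


def find_alerts(events):
    """Return (taxpayer, rule) pairs for the three signals the article exposes."""
    alerts = []
    for taxpayer, rows in sorted(group_by_taxpayer(events).items()):
        filings = [t for t, e, _ in rows if e == "return_filed"]
        online_retrievals = [
            t for t, e, c in rows if e == "ip_pin_retrieved" and c == "online_kba"
        ]
        kba_failures = sum(1 for _, e, _ in rows if e == "kba_failed")

        # Rule 1: PIN obtained via the online KBA tool, then a return filed soon
        # after. Mailed PINs never produce this event, so it is rare by design.
        for retrieved_at in online_retrievals:
            if any(retrieved_at <= f <= retrieved_at + RETRIEVAL_WINDOW for f in filings):
                alerts.append((taxpayer, "online_retrieval_then_filing"))
                break

        # Rule 2: more than one return for the same taxpayer in the season. This is
        # the point at which Wittrock's own return was rejected.
        if len(filings) > 1:
            alerts.append((taxpayer, "duplicate_filing"))

        # Rule 3: repeated KBA failures, i.e. someone working through the
        # multiple-choice questions rather than knowing the answers.
        if kba_failures >= KBA_FAILURE_LIMIT:
            alerts.append((taxpayer, "repeated_kba_failures"))
    return alerts


if __name__ == "__main__":
    for taxpayer, rule in find_alerts(SAMPLE_EVENTS):
        print(taxpayer, rule)
```

Rule 1 is the one that speaks directly to the article's point: if the online retrieval tool is the weak path, every PIN that leaves through it deserves more scrutiny than one that was mailed, and a filing that follows within days is the event to hold for review. The window and failure count are starting values to tune against real volumes, not recommendations.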
And certainly, the IRS was aware of the weakness. Even before last year’s data breach, the Government Accountability Office tested the IP PIN authentication process, and described the results in a 2015 report (pdf). “Some likely identity thieves were able to correctly answer authentication questions,” the report said, “while some legitimate taxpayers were not.”
In a statement given to Quartz, the IRS said that although it’s been reviewing the authentication process for IP PIN retrieval, “most taxpayers receive their IP PIN via mail and never use the tool.” It also pointed out that “unlike Get Transcript, the IP PIN tool is available to a limited number of taxpayers who must have special markers on their tax accounts to successfully access the tool.”
It added: “The IRS has a number of protections to monitor traffic on IRS.gov, and we continue to closely monitor the IP PIN situation.”