Hackers stole sensitive records from over 700,000 people by breaching the Internal Revenue Service in 2015. You’d think that kind of horrific security breach would prompt some soul-searching, but [insert joke about soulless taxman here] nope. The IRS continues to use an impressively bad PIN authentication process to protect people from fraud.
People who were hacked last year have been reassured that they’ll be safe this time around, and the IRS has sent out “IP PINs” (“internet protection” PINs) meant to add an extra layer of security against hackers. The IP PINs were basically secret codes that taxpayers were required to use on their tax forms to prevent fraud in the future. The problem is, as security researcher Brian Krebs reported this week, these IP PINs are authenticated using the same dumb process that hackers broke last year:
The IRS killed the Get Transcript function in May 2015 after it was revealed (first on this blog) that crooks were abusing it to hijack consumer identities and refunds. But here’s the problem: the agency requires IP PIN holders seeking a copy of their PIN to jump through the exact same flawed authentication process that afflicted its now-defunct Get Transcript service.
The hackers stole all those files because they figured out how to cheat the authentication process that gives people access to their PINs. This year, they may be able to do the same damn thing.
Quartz spoke to the IRS about this problem. The answer was not comforting:
In a statement given to Quartz, the IRS said that although it’s been reviewing the authentication process for IP PIN retrieval, “most taxpayers receive their IP PIN via mail and never use the tool.” It also pointed out that “unlike Get Transcript, the IP PIN tool is available to a limited number of taxpayers who must have special markers on their tax accounts to successfully access the tool.”
It added: “The IRS has a number of protections to monitor traffic on IRS.gov, and we continue to closely monitor the IP PIN situation.”
This is sort of like if you got robbed, so an alarm company gave you an extra alarm but didn’t bother to change the code pattern the thieves had already figured out.
[Brian Krebs via Quartz]