Tuesday, March 31, 2015
Krebs on Security, Sign Up at irs.gov Before Crooks Do It For You:
If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. ...
The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.
To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.
(Hat Tip: Greg McNeal.)