Paul L. Caron
Dean


Tuesday, March 31, 2015

Sign Up For An Account At IRS.gov Before Crooks Do It For You (And Steal Your Refund)

RefundKrebs on Security, Sign Up at irs.gov Before Crooks Do It For You:

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. ...

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)  — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

(Hat Tip: Greg McNeal.)

https://taxprof.typepad.com/taxprof_blog/2015/03/sign-up-for-an-account-at-irsgov-.html

IRS News | Permalink

Comments

People may want to think twice before setting up an account. Once the account is set-up, anyone who successfully hacks the password and username of the account holder has access to the account holder's tax information without the need to answer any questions. It's just like any other account set up somewhere else. If the whole purpose of the account is to get access to the tax return for the account holder, just simply keep a copy of the return. There really is no need to do this at all, and it carries risks.

Posted by: Roger | Mar 31, 2015 8:26:25 AM

I tried to sign up but was unsuccessful, probably because I had placed a credit freeze with the credit bureaux. I suppose that the freeze therefore should also be successful in preventing fraudsters from opening an account in my name -- a good reason for the freeze, in my view. Yes, the freeze can be annoying at times but it does provide some protection against identity theft.

Posted by: Victor Thuronyi | Mar 31, 2015 12:00:25 PM

Getting registered is indeed a good idea. I did it at:

http://www.irs.gov/Individuals/Get-Transcript

What you do is start ordering a transcript. You'll first be registered, after answering some questions. You put in your name and a few things, and they'll send you an email code that will last 15 minutes. This took a while. First, their email took 40 minutes to arrive, and so was dead on arrival. Next, it took perhaps 10 minutes, but I wasn't watching my email carefully, so it died too. Next, it took 30 seconds, so I succeeded. After that, you'll answer some hard questions such as what year you bought your house and signed up for credit cards. I don't know if I answered correctly or not. It's multiple choice. I seemed to get registered, though. THen I logged out, rather than ordering a transcript.
I should have my wife do this too. I wonder whether children's accounts and trusts need to do this? If they are due for refunds, I suppose so.

Posted by: Eric Rasmusen | Mar 31, 2015 1:22:47 PM