IRS Finally Pulls Offline ID Protection Service Exploited by Hackers

After last year’s massive data breach at the U.S. Internal Revenue Service, the agency gave secret codes to the taxpayers whose personal information had been compromised. These “Identity Protection PINs” were to be included on future tax returns as an extra layer of security, since hackers had already stolen their Social Security numbers.

Now, the IRS says identity thieves have stolen at least 800 of those PINs through its online retrieval service, and it has taken that service offline.

In a statement released Monday (March 7), the IRS said it had sent PINs by mail to 2.7 million people for this tax season. Of those, 130,000 had used the online tool to retrieve their PINs before it was shut down. The thieves who stole 800 PINs subsequently used them to file fraudulent tax returns, which the IRS says were flagged and stopped.

As we reported last week, the compromised PIN retrieval system used the same method of authentication, known as “knowledge-based authentication,” that led to last year’s breach of the agency’s “Get Transcript” service. (That service allowed taxpayers to retrieve the details of their past tax returns.)

Despite the original breach, a report by the Government Accountability Office that pointed out the weaknesses in the PIN retrieval system, and questions last year from Quartz that raised doubts about the safety of the system, the IRS left it in place.

The thieves presumably got into the PIN retrieval service this tax season the same way they got into the Get Transcript system last year. They were able to correctly answer authentication questions that KBA is based on, such as “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”

The IRS shut down its “Get Transcript” service shortly after the data breach—nine months ago—and still hasn’t brought up a new system to replace it. In its statement on Monday, the IRS said shutting down the PIN retrieval system is “part of its ongoing security review.” The agency has not yet said when either system will be brought back up, or whether they’ll continue to use KBA.

President Barack Obama signed an executive order in 2014 mandating that all federal agencies implement multi-factor authentication to improve security. And although KBA does not meet the standards laid out in that order, the IRS seemed to be investing further into the method as of last spring. According to a report by Federal News Radio, the agency put out a request for quotations to federal contractors in April, saying it was looking to build upon its KBA systems, and invest $130 million.

The IRS did not respond to questions from Quartz this week about where that request stands, and whether it’s been altered following the continued exploitation of KBA on its website.

During an investigation into the original breach last August, Quartz asked the IRS what it was planning to do about the PIN service’s authentication system, since it appeared to be using KBA, the system that had already been hacked. At the time, the agency would not confirm the method of authentication, but said it was taking “a number of steps to protect taxpayers and Identity Protection (IP) PINs.”

It wasn’t clear whether the IRS was indeed using KBA on its PIN retrieval service until security researcher and journalist Brian Krebs reported on March 1 that at least one of the PINs had been compromised.