Bamboozled March 3, 2016: More bad news on IRS Security Flaw

The IRS announced last week that more taxpayers than initially thought may be the victims of transcript fraud.

It basically happened because the IRS website security system was too easy to crack.

Now at least 724,000 taxpayers had data swiped by thieves who finagled their way into the IRS’ Get Transcript system, the IRS said.

The notifications to affected taxpayers started going out on Monday, the agency said.

The new estimate is more than double the previous numbers reported by the IRS in August 2015, when it said about 334,000 taxpayers were at risk. Before that, in May, the IRS said only 114,000 taxpayers were affected.

Let’s hope that number doesn’t keep climbing.

You never know. The IRS said another 295,000 taxpayers were targeted, but the bad guys weren’t able to access the personal info they were seeking.

The IRS is offering these taxpayers free credit monitoring and “extra scrutiny” for their tax returns.

What’s interesting is that the IRS fix for taxpayers uses the same kind of security that crooks were able to pass through to get into the Get Transcript tool to begin with, according to several reports by Krebs on Security.

More on that in a moment.

First, the Get Transcript feature was launched on the IRS website in January 2014. It allowed taxpayers to view or download their tax transcripts or elect to have them mailed.

Since the launch, more than 47 million transcripts have been ordered, the IRS said.

But in May 2015, when the IRS realized criminals were gaining access to tax transcripts that were not their own, the agency shut down the service while it worked to enhance security measures.

The IRS is trying to fix the tool so crooks can’t break in, but you can still order your transcripts and have them mailed to you.

Fraudsters would love to have your tax transcript because it provides all the information needed to file a fake tax return in your name — and get a refund — all before you’ve even noticed a problem.

Here’s the real problem: The tool the IRS recommends taxpayers use to protect themselves employs the very same security protocols the criminals were able to bypass when they accessed the tax transcripts.

You see, to get your transcript using the Get Transcript tool, you would have to enter your name, Social Security number, birth date and filing status. Then you’d have to answer four so-called knowledge-based authentication questions. These might ask about your loan amounts, what credit cards you have, previous addresses and so on. The idea was that only the taxpayer would be able to answer those questions.

But it didn’t work that way. Because the questions are multiple choice, enough scammers were able to guess correctly and gain access to taxpayers’ transcripts.

In fact, the IRS said there were 1.3 million attempts to break into the Get Transcript system since January 2014.

So now, the IRS is recommending affected taxpayers request an Identity Protection PIN, or IP PIN, which the IRS says “provides an additional layer of protection for the taxpayer’s SSN on the federal tax return.”

That’s all well and good, but the IP PIN system also requires consumers to answer knowledge-based authentication questions. The same kinds of questions the crooks were able to get past in the Get Transcript system.

Didn’t we already learn that those security questions aren’t foolproof?


We predict we will see even more tax refunds — the legit ones — held up this season as the IRS and the state try to make sure they’re not paying out fake refunds.

So if you haven’t yet filed your return, you may want to hurry. The best protection against refund fraud is to file your return before a scammer files one in your name.

If the scammer beats you to it, you might have to wait many, many months before it’s all sorted out and you get the refund you’re due.

That’s another reason to try not to have a large refund due to you each year. Even if you see it as a method of forced savings as many taxpayers do, if you do become a victim of tax return fraud, at least your money will be in your pocket, not in waiting mode in the IRS coffers while it all gets sorted out.

Plus, you’ll no longer be giving the IRS an interest-free loan with your overpayment.

Have you been Bamboozled? Follow Karin Price Mueller on Twitter @KPMueller. Find Bamboozled on Facebook.