The IRS has been no stranger to attacks by cybercriminals over the past few years, as we saw when Russian thieves stole $50 million in tax return money in 2015 as a result of a major flaw in the security of the online “Get Transcript” tool. When news of the breach first broke in May of last year, it was estimated that 100,000 taxpayers were impacted. Months later in August, that estimate was increased to 330,000 — but just a little while later, in February 2016, the IRS admitted the real number was about 724,000 taxpayers. This was determined after a nine-month investigation that looked into the entire breach and how the thieves were able to use the “Get Transcript” tool to access taxpayers’ returns. The tool was suspended in May 2015 when the breach was disclosed, and many assumed it might not return. However, the IRS has announced that “Get Transcript” is back with strengthened security and verification. Is this new version any safer?
What is “Get Transcript” and how was it compromised?
This tool enables taxpayers to view, print and download transcripts of their tax returns from previous years, at any point during the year. To verify a user’s identity, the original version of the “Get Transcript” tool required some basic information from the person’s most recent tax return — including social security number, date of birth, mailing address and filing status. Some additional verification was conducted by means of “knowledge-based authentication” questions, which use the information provided by credit bureaus to generate questions that, theoretically, only the person themselves can answer (such as asking about prior addresses).
Unfortunately, this information is widely available as a result of the hundreds of data breaches in recent years, which have sent personal data flooding into underground cybercriminal markets. This data is sold on these websites and forums for just a few dollars, making it easy and relatively cheap for a thief wanting to gain access to “Get Transcript.” The IRS website was not actually hacked; instead, thieves used information obtained elsewhere to take advantage of a weak security and verification system. Now, the IRS wants to try again with beefed-up verification methods that will, hopefully, prevent this from happening again.
What new security features are being offered to taxpayers?
In order to verify your identity, you’ll be required to provide some basic information from your most recent tax return (social security number, name, birth date, mailing address, filing status) as well as a mobile phone number with your name on the account and the account number from either a credit card, auto loan, mortgage, home equity loan or a home equity line of credit. You’ll also need to have immediate access to your email account for a confirmation code the IRS will send once you’ve submitted your information. The IRS will verify the phone number and account information you provide via credit bureau Equifax, as well as ask a series of knowledge-based authentication questions that are intended to be more difficult than those typically used.
If you have a problem verifying your identity, the IRS urges you to order a transcript to be sent to you by mail. This can be done online, as well as by phone and fax or snail mail.
Is this process actually safer?
Although the increased security and beefed-up verification requirements will probably deter a number of criminals, there is a chance that they will encourage some thieves to commit additional acts of identity theft in order to obtain the extra information needed for verification. For example, a thief could take out a new credit card in the intended victim’s name and change the name on a prepaid mobile phone account, both of which would easily satisfy the new requirements. This information is also easily available online from the same dark web sources as your social security number, so although more information is now required, it’s still highly likely next tax season will see further abuse of “Get Transcript.”
It’s also important to note that, in order to verify your identity, you’ll need to lift any freeze you might have placed on your credit reports. You can do this temporarily, just long enough for the IRS to verify that you are who you say you are. At this point, the best line of defense most of us have against identity thieves is to place a credit freeze and lift it only when a new account or some other form of verification requires it.