IRS dumps e-filing PIN security early - after yet more automated attacks

The US taxation authority has opted to kill off its PIN system "as a safety measure".


Despite a huge attack in February, the IRS had planned to keep using the e-File PIN until later this year.

Images: iStock

The US Internal Revenue Service (IRS) has pulled the plug on the e-File PIN system earlier than scheduled as a precautionary step to thwart attempts to steal the codes, which can be used to gather information for identity and tax fraud.

"Recently, the IRS observed additional automated attacks taking place at an increasing frequency, but only affecting a small number of e-File PINs," the IRS said in a statement.

IRS hit by data breach, tax info on 100,000 stolen

The federal agency said thieves used its "get transcript" system to access the data.

Read More

"We were able to identify this issue because of additional defenses put in place earlier this year, and backend protections remain in place. However, the IRS decided to remove the e-File PIN program as a safety measure."

Attackers in February successfully harvested more than 100,000 taxpayers' e-File PINs from the IRS' website. While the PINs themselves don't give access to taxpayer data, the five-digit codes can be combined with stolen social-security numbers to gain access to information on tax payers.

The e-File PIN tool is different from the six-digit Identity Protection (IP) PIN tool, which is meant to prevent misuse of social-security numbers on fraudulent tax returns. The IRS shut down IP PIN in March after fraudsters used its website to obtain the codes and file 800 bogus returns.

The IRS said it had planned to keep using the e-File PIN until later this year, since it's used in nearly all commercial tax software products.

It also said the change only affects a small segment of taxpayers and that most taxpayers don't need the PIN to file a tax return.

The IRS in May launched a dedicated unit to combat cybercrime, identity theft, and the misuse of stolen social-security numbers. Fraudsters use stolen social-security numbers to submit a tax return and collect refunds before a legitimate tax return has been filed.

Read more about IRS security