The Internal Revenue Service (IRS) announced this week that in January 2021 taxpayers can apply for an Identity Protection Personal Identification Number (IP PIN). This single-use code is designed to block identity thieves from fraudulently submitting a tax return in your name and collecting your tax refund! This is a long overdue security improvement to the US tax system. IP PINs are currently only issued to those who fill out an ID theft affidavit or taxpayers who’ve experienced tax refund fraud in the past.
Tax refund fraud occurs when stolen personal financial information, such as your credit file at Equifax or Capital One, or your employer W-2 forms, are used to commit tax fraud. Taxpayers are unaware they have been victimized until their tax submission to the IRS is rejected with a message “you cannot submit your tax return twice”. Hackers have beat you to your refund!
Refund fraud may not always be in the headlines, but it’s extremely prevalent; the IRS estimated “during the 2013 filing year, over 5 million tax returns were filed using stolen identities, claiming $30 billion in refunds.” While this shouldn’t be possible, it unfortunately is all too common. CyberHoot is aware of dozens of people who have been compromised in this way. Finally, after decades of abuse, and hundreds of billions of dollars funneled to hackers through tax refund fraud, the IRS has dramatically improved its taxpayer identification process – the IP PIN tool.
IP PIN Tool
The IRS is hoping to reduce fraudulent income tax submissions in 2021 by issuing an IP PIN to anyone that requests it. IP PINs are unique six-digit numbers which are valid only in the year they are assigned. To receive an IP PIN taxpayers must identify themselves to the IRS with “something they have”, their email address or cellphone number. This is combined with “something they know“, their Social Security Number “SSN” paired to their Adjusted Gross Income “AGI”. The IRS has been experimenting with IP PINs to determine if this strategy would reduce tax fraud. Having proven its merit, the IRS will make the ‘IP PIN’ tool available to all taxpayers by mid-January 2021.
How To Get an IP PIN
In Mid-January taxpayers will be able to use the ‘Get an IP PIN‘ tool at IRS.gov. If you don’t already have an account on IRS.gov, you must first validate your identity by satisfying two identity factors, one from each of the lists below:
“Something you Know” Factors
- Social Security Number (SSN) or Individual Tax Identification Number (ITIN)
- Tax filing status and mailing address
- One financial account number linked to your name:
- Personal Credit card – last 8 digits (no American Express, debit, or corporate cards)
- Student loan
- Mortgage or home equity loan
- Home equity line of credit (HELOC)
- Auto loan
“Something you Have” Factors
- Your Email address and its ability to receive an activation code in your inbox
- A cellphone linked to your name
- Your ability to receive an activation code by postal service
Once you have secured your IP PIN, a form of two-factor authentication in and of itself, you will be able to securely file your taxes this year! You will also be helping secure our tax system, from rampant fraud by hackers, if you use an IP PIN.
CyberHoot Conclusions
CyberHoot would argue the IRS is long overdue for introducing additional tax submission security. In 2013, $30 billion dollars in tax fraud was committed. Assuming no growth in tax fraud (yeah right!), that’s $210 billion dollars funneled to malicious actors in the last seven years!
Every US Tax Payer should register for and use an IP PIN to eliminate this tax fraud and revenue source for hackers and nation states (is North Korea converting US tax fraud dollars into Bitcoins?).
CyberHoot wonders, when this revenue source dries up, where will tax fraud actors turn their hacking efforts towards? Time will tell.
Source: IRS.gov, Justice.Gov, Krebs
Additional Reading:
IRS to Make ID Protection PIN Open to All — Krebs on Security