The Internal Revenue Service has temporarily suspended the Identity Protection PIN tool on its website after security vulnerabilities were discovered in the service, which is intended to help victims of identity theft.

Last week, reports emerged that a number of identity theft victims who had received IP PINs from the IRS found out that someone else had already used their IP PIN to file a tax return in their name (see IRS Experienced Identity Theft of IP PINs).

The IRS said Monday that as part of its ongoing security review, it has temporarily suspended the Identity Protection PIN tool on IRS.gov. The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is also looking at further strengthening the security features on the tool.

Taxpayers received 2.7 million IP PINs by mail for the current filing season, according to the IRS. About 5 percent of those — approximately 130,000 — used the online tool to try to retrieve a lost or forgotten IP PIN. For taxpayers retrieving a lost IP PIN, the IRS is emphasizing that it has put strengthened processes and filters in place for this tax season to review these tax returns. These strengthened review procedures — which are invisible to taxpayers — have helped detect potential identity theft and stopped refund fraud. Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN.

The IRS advised taxpayers who have been issued an IP PIN to continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool.

The IP PIN is a six-digit number that provides an additional layer of protection for taxpayers who have been or could become victims of tax-related identity theft. Taxpayers who receive an IP PIN are supposed to use it on electronic and paper returns in order for the returns to be accepted for processing. Prior to the 2016 filing season, the IRS mailed 2.7 million CP01A letters with IP PINs.

For certain taxpayers, the online tool was their only alternative to access or retrieve an IP PIN, the IRS noted. This includes IP PIN holders who lost their IP PIN letter and needed to retrieve the number, taxpayers participating in the IRS's three pilot locations and taxpayers that the IRS invited to use an IP PIN because they have non-tax identity theft issues.

For these taxpayers, the IRS is offering the following guidance following the removal of the online option:

Lost or misplaced IP PIN letters: Taxpayers who are IP PIN holders but who lost their CP01A letters containing the IP PIN will need to call the IRS. If they can verify their identity, they will be mailed their IP PIN. If they have moved since Jan. 1, 2016, they must file a paper tax return, which will receive additional scrutiny and take longer to process because we don’t normally accept these returns without an IP PIN.  

Florida, Georgia and District of Columbia participants: Taxpayers who live in Florida, Georgia or the District of Columbia and who already have retrieved an IP PIN should include it on their tax returns. Taxpayers in those locations who have not retrieved an IP PIN will be unable to access the tool at this time but may file their tax return as normal.

Other taxpayers: Taxpayers who filed a Form 14039 citing non-tax identity theft issues (Box 2) and who already have retrieved an IP PIN should include it on their tax returns.