The Internal Revenue Service is being urged to fix a security vulnerability that makes it all too easy to get an Electronic Filing PIN used by tax preparers.
The IRS said earlier this month that it had identified and stopped an automated attack on its online Electronic Filing PIN application (see IRS Detects Attack on Electronic Filing PIN App). Based on its review, the IRS identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. The incident, involving an automated bot, occurred last month, and the IRS said it continues to closely monitor the web application.
However, a new report by Luca Gattoni-Celli of Tax Analysts finds that the IRS’s “Get My Electronic Filing PIN” page remains vulnerable to identity theft. Users only need to submit easily accessible personal information, such as a name, Social Security Number, filing status, date of birth and address to get an e-file PIN.
The Tax Foundation, a Washington, D.C., think tank, posted an open letter Thursday to IRS Commissioner Koskinen urging him to fix the security vulnerability.
“The whole point of requiring a PIN to file electronically is to minimize identity theft, so it is sadly ironic that the process to obtain an electronic PIN is so easy that it makes the whole point of obtaining one pointless at best and making identity theft easier at worst,” wrote Tax Foundation vice president of legal projects Joseph Henchman.
The IRS contended it has added extra security to the e-file PIN page and is monitoring it for unusual activity. “Making it difficult for criminals to file false returns is a top priority for the IRS, and we have taken additional steps to protect taxpayers across multiple systems,” said the IRS, in a statement emailed Thursday to Accounting Today. “The IRS has put in place additional security features around the e-file pin page to help protect against inappropriate accesses, and we continue to closely monitor the site for unusual activity. It’s also important to note that the IRS has put additional protections and filters in place on its core tax return processing systems to help guard against identity theft and fraudulent tax returns. These processing systems have been strengthened as part of our Security Summit process with the tax industry, software companies and the states. The processing systems are separate and distinct from the e-file pin application, and taxpayer information has not been compromised on this critical platform. The IRS continues to closely monitor the e-file pin application as well as our other systems, and we will take action as needed to protect taxpayers.”
On Wednesday, the IRS sent an email to tax professionals urging them to verify their Electronic Filing Identification Number activity as a way to protect their security (see IRS Warns Preparers about Protecting Electronic Filing IDs).