On Tuesday, many people were surprised when the IRS announced that it was shutting down its “Get Transcript” system, which enables taxpayers to get copies of their federal income tax returns from previous years. People often use this service when they need earlier returns for purposes such as applying for a mortgage or for college financial aid. The IRS shut down the service because it had just become aware that vulnerabilities in the system had allowed hackers, posing as legitimate taxpayers, to attack it from mid-February until now and obtain copies of income tax returns. Those returns could provide information that would enable the hackers to steal the identities of their victims, file phony income tax returns in the victims’ names and claim bogus refunds. According to the IRS, sophisticated hackers tried to hack the system 200,000 times and were successful in 104,000 of their attempts.
Although many people were surprised at this hacking, Scamicide readers were not among them because here at Scamicide, we exposed this vulnerability in our Scam of the day for April 3, 2015. Apparently, the IRS doesn’t read Scamicide. Maybe it should.
The problem with the system is in the authentication process the IRS used to limit access to this information to the taxpayer seeking his or her own income tax returns. To access the returns, the system required the inquirer to provide his or her name, Social Security number, birth date, address and answers to other personal identity verification questions, such as the name of your high school mascot or when you got a mortgage. The problem is that, in many instances, this information can be gathered by a diligent hacker from public databases, from social media where people provide this information to hackers, and from data breaches.
If you are one of the 104,000 people affected by this data breach, you will get a letter, not an email, from the IRS and will be offered free credit monitoring services. These letters will not require you to provide any personal information in response. Any communication you get that purports to be from the IRS that requests that you provide personal information is not from the IRS, but from another scammer.
A lesson for all of us is to protect the privacy of our Social Security numbers as best we can. Most identity theft starts with the identity thief obtaining and exploiting the victim’s Social Security number. Don’t provide it to companies with which you do business unless you absolutely must do so. Medical care providers routinely ask you to provide it, but they have no need for it, and the health care industry has been among the worst in protecting its data from being hacked.
Verifying identity by asking for personal information is fundamentally flawed in today’s world. Better systems should be used, such as dual-factor authentication, where a code is sent to your smartphone when you need to access an account.
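The weakness described above, and what a one-time code adds, shown as an added Python example that is not part of the original post or of any IRS system. The record, field names and functions are all constructed for illustration.

```python
import hmac, secrets, time

# Constructed sample record; every value is made up for illustration.
RECORD = {"name": "Pat Example", "ssn": "000-00-0000", "dob": "1970-01-01",
          "address": "1 Sample St", "mascot": "owls"}

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def kba_verify(record, claimed):
    """Knowledge-based check: passes for anyone who knows the static answers."""
    return all(_same(str(claimed.get(k, "")).strip().lower(), v.lower())
               for k, v in record.items())

class OneTimeCodes:
    """Second factor: a short-lived, single-use code delivered out of band."""
    def __init__(self, ttl=300, max_tries=3, clock=time.time):
        self.ttl, self.max_tries, self.clock = ttl, max_tries, clock
        self.pending = {}  # user -> [code, expiry time, attempts used]

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, self.clock() + self.ttl, 0]
        # A real service sends this to the enrolled phone and never shows it
        # to the requester; it is returned here only so the example can run.
        return code

    def check(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expires, tries = entry
        if self.clock() > expires or tries >= self.max_tries:
            del self.pending[user]       # expired or too many guesses
            return False
        entry[2] += 1
        if _same(expected, str(code)):
            del self.pending[user]       # single use: a replay fails
            return True
        return False

def two_factor_verify(record, claimed, otp, user, code):
    """Static answers alone are not enough; the phone-delivered code must match."""
    return kba_verify(record, claimed) and otp.check(user, code)
```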