Last year, KrebsOnSecurity warned that the Internal Revenue Service's (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running -- despite the IRS's added ID theft protections.
Tax refund fraud affects hundreds of thousands -- if not millions -- of U.S. citizens annually. It starts when crooks submit your personal data to the IRS and claim a refund in your name, but have the money sent to an account or address you don't control.
Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
The IRS's preferred method of protecting tax refund victims from getting hit two years in a row -- the Identity Protection (IP) PIN -- has already been mailed to some 2.7 million tax ID theft victims. The six-digit PIN must be supplied on the following year's tax application before the IRS will accept the return as valid.
As I've noted in several stories here, the trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency's Web site after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or "out-of-wallet" questions focus on things such as previous addresses, loan amounts and loan dates, and they can be enumerated successfully by random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.
Read more at krebsonsecurity.com.