After being targeted successfully by hackers again, IRS shuts down e-File PIN service
June 28, 2016
Shah Sheikh

The United States Internal Revenue Service (IRS) has announced the abolition of its PIN tool due to the platform being hacked.

Under the now-abolished electronic filing PIN tool (e-File PIN), people dealing with the IRS were able to use a PIN number to access services on or by toll-free phone call.

The agency cited “additional questionable activity” as the impetus for the change, which is Government newspeak for “the system was being hacked again.”

According to Sophos, 800 cases of identity theft were identified earlier this year, causing the PIN system to be partially suspended in March, although at the time the IRS told taxpayers who already had a PIN to continue using the service to file their tax returns as they normally would.

If that’s not bad enough, the IRS admitted that cyber criminals using data stolen elsewhere had managed to access 100,000 e-File PINs using an automated attack bot. The bot was said to reveal only the PIN number of a user and not any taxpayer data, but if hackers then obtained taxpayers’ names, addresses, filing status, dates of birth and social security numbers from other sources, they could use the PIN number to access IRS services.

“Recently, the IRS observed additional automated attacks taking place at an increasing frequency, but only affecting a small number of e-File PINs,” the agency said in a statement. “We were able to identify this issue because of additional defenses put in place earlier this year, and backend protections remain in place. However, the IRS decided to remove the e-File PIN program as a safety measure.”

Poor form

The e-File PIN, a strong form of two-factor authentication, was meant to protect taxpayers from ID fraud, and yet due to the incompetency of the IRS, those very PINs somehow made their way onto the dark web, and into the hands of bad actors.

At the very least, you can call the security measures implemented by the IRS extremely poor form, and that’s being overly polite about it; if the key revenue-raising agency of the United States Government can’t adequately protect the security of American taxpayers, how can you trust it, let alone other Government agencies?

The IRS noted that the change only affects a small segment of taxpayers who have not filed their tax returns this year, but any number is too many.

Source | SiliconAngle