The US Internal Revenue Service (IRS) has been forced to suspend a PIN-protection system set up with the intention of adding an 'additional layer of protection' for US taxpayers because it was being actively exploited by internet fraudsters.
Following the massive system breach suffered by the agency in May 2015 in which hackers were able to compromise the records of 700,000 US taxpayers, the agency attempted to bulk up security by issuing secret personal identification numbers (PINs) to any potential victims.
Yet now, citing an ongoing security review, the IRS has been forced to suspend its new Internet Protection (IP) PIN system because hackers have exploited hundreds of the PINs via its online portal. The news comes after reports indicated that a number of identity theft victims had attempted to file a tax return only to find out someone else had already used their unique IP-PIN.
In a statement issued on its website, the IRS said that it sent out 2.7 million identity protection PIN numbers by mail, with roughly 130,000 of those taking advantage of the online tool before its suspension. However, by the end of February, the agency revealed that it had 'confirmed and stopped' 800 attempts to use stolen PINs to file fraudulent tax returns.
"The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool," it added.
Yet according to technology website Quartz, the PIN retrieval system the IRS website had implemented was using the same weak verification setup – known as 'knowledge-based authentication' (KBA) – as the 'Get Transcript' function that was originally compromised last year. The system reportedly works by making the user answer a series of personal questions that could easily be either guessed or exploited via information acquired from websites and social media accounts.
Most recently, the impact of the cyberattack was revealed to have hit twice as many US taxpayers as previously reported. When the incident was first revealed, the IRS said tax return details of just over 100,000 US-based taxpayers were breached, but only three months later that number had rocketed to include another 220,000 known breaches and over 170,000 failed hacking attempts. Then, a nine-month probe by the Treasury Inspector General for Tax Administration found an additional 390,000 accounts were exploited by the unknown hackers.
Meanwhile, the IRS received more than 490,000 identity theft complaints in 2015, which was nearly a 50% jump from 2014.