IRS: Personal Info of 100,000 Taxpayers Accessed Illegally

← Back to Stories (view on slashdot.org)

IRS: Personal Info of 100,000 Taxpayers Accessed Illegally

Posted by Soulskill on Tuesday May 26, 2015 @09:03AM from the disincentive-to-pay-your-taxes dept.

An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.

85 comments

Min score:

Reason:

Sort:

DoB, SSN & Filing Status?? by CrimsonAvenger · 2015-05-26 09:06 · Score: 4, Insightful

That's all the ID the IRS requires to use their "secure" site???
Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.
And guessing Married Filing Jointly will work more often than not, I expect....

--

"I do not agree with what you say, but I will defend to the death your right to say it"
1. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 09:18 · Score: 1
  
  They require more than that. They tie into a credit agency.
2. Re:DoB, SSN & Filing Status?? by suutar · 2015-05-26 09:20 · Score: 1
  
  and if not MFJ, there's only 3 other possibilities. So they're really counting on the SSN/DOB to remain secret... except for every credit application ever.
3. Re:DoB, SSN & Filing Status?? by magarity · 2015-05-26 09:28 · Score: 1
  
  you can get most of that (SSN & DoB) by looking at someone's Driver License in most States
  Are there still states that want to use SSN as driver's license id number? I lived in a state that did that (VA) years ago but you could refuse and have them generate a DL number. The employees at the DMV hated that request and tried to bully you out of it, but would eventually relent. I thought I heard they started generating DL numbers for everyone though, so what's with your assertion?
4. Re:DoB, SSN & Filing Status?? by CrimsonAvenger · 2015-05-26 09:37 · Score: 1
  
  I thought I heard they started generating DL numbers for everyone though, so what's with your assertion?
  Purely anecdotal evidence. I've lived in (I think) eight States in my life. Exactly one of them didn't use SSN as DL number by default. Admittedly that belief is time-biased - I've only lived in one State this past decade, so if the several States have changed this century, it's possible that I would have just missed it....
  
  --
  
  "I do not agree with what you say, but I will defend to the death your right to say it"
5. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 09:37 · Score: 0
  
  They require more than that. They tie into a credit agency.
  ^^ This. When I tried to register an account back in February, it needed lending info from a 3 yr car loan from 10+ years ago. Needless to say, I didn't remember or get my account that day.
6. Re:DoB, SSN & Filing Status?? by pehrs · 2015-05-26 10:07 · Score: 4, Interesting
  
  Say after me ten times: Identity is not Authentication, nor Authorization. Identity is not Authentication, nor Authorization. Identity is not...
  Now, got that? You are making the same sad mistake that the IRS did. You are confusing Identity with Authentication.
  SSN & DoB are perfectly fine identifiers for a person. Not quite unique, but they will work for the purpose.
  The problem is that there is no authentication, nor any authorization infrastructure for them to use as far as I know. There are in other countries (see for example https://www.bankid.com/en/). I have understood that there are ideological reasons not to roll out a decent Authentication/Authorization infrastructure in the US, but the lack of such an infrastructure will cost US business (and private person) more and more dearly as important information moves to the internet.
7. Re:DoB, SSN & Filing Status?? by Charliemopps · 2015-05-26 10:19 · Score: 4, Insightful
  
  That's all the ID the IRS requires to use their "secure" site???
  Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.
  And guessing Married Filing Jointly will work more often than not, I expect....
  I know, it's hilarious. These agencies/companies get hacked due to their own willful negligence... then scream "Hackers did it!" like hackers have magic hacking wands that turn servers inside out. It seems that the only piece of info that would have been remotely hard to get was filing status... which the "hackers" just guessed at. It looks like they were 50% successful, and I bet if compared with the victims filing status, they likely had a 50% chance of filing jointly or something. What a joke. This is completely and entirely the IRS's fault.
  Make a new law, if you get hacked, you have to pay the person whos data you lost $100,000. Problem solved. You can then decide if spending time on securing the data is worth it, or if you just want to not store it. It IS possible to prevent this sort of thing. These agencies and companies just don't think it's profitable to do so when the penalty for losing a persons info is nothing more than a press release.
8. Re:DoB, SSN & Filing Status?? by Loconut1389 · 2015-05-26 10:37 · Score: 1
  
  well and does it let you try a second time with single if the other doesn't work?
9. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 11:11 · Score: 0
  
  you can get most of that (SSN & DoB) by looking at someone's Driver License in most States
  Are there still states that want to use SSN as driver's license id number? I lived in a state that did that (VA) years ago but you could refuse and have them generate a DL number. The employees at the DMV hated that request and tried to bully you out of it, but would eventually relent. I thought I heard they started generating DL numbers for everyone though, so what's with your assertion?
  
  Use of the SSN in State drivers license systems is already authorized by Federal law, and 29 States currently use the SSN as the drivers license number or show it on the license. The 1996 immigration reform provision on improved identification-related documents requires the SSN to be included on State drivers licenses by the year 2000. Thus, the drivers license and Social Security card can both be used to verify the SSN.
  http://www.ssa.gov/history/reports/ssnreportc6.html
10. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 11:11 · Score: 0
  
  And every other form in the universe ever. And everything else everywhere. Also, everything.
  Shit, grocery stores swipe your drivers license for pretty much any reason these days - cough syrup, product returns, razor blades. Assume your DoB and SSN are public knowledge because they probably are by now, or they will be by tomorrow. Assuming anyone can keep a 9 digit number secret their entire natural lives, that they are expected to use EVERYWHERE (or, no service folks :D), and is printed on your fucking drivers license is both:
  - Mind bogglingly naive.
  - Grotesquely stupid.
  No-one should have your SSN beyond the government. We're given those numbers by the government so they know who we are. No business has any business knowing how we talk to the government. It's just that they came along first and created a handy-dandy unique number and then some bank came along and said "gee! we could use that too!"...then a shop, then a website, then everything else. Function creep 101. Someone really needed to say "NO" right then.
11. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 11:22 · Score: 0
  
  Lived in VA all my life (30 years) and my LP and DL all have had the "Customer Number" on them.
12. Re:DoB, SSN & Filing Status?? by LynnwoodRooster · 2015-05-26 11:50 · Score: 1
  
  Better yet, those same agencies are 100% supportive of fining private enterprise for the same thing... But they believe they are simply innocent victims of outside attacks and shouldn't be held responsible.
  
  --
  Browsing at +1 - no ACs, I ignore their posts. So refreshing!
13. Re:DoB, SSN & Filing Status?? by ShanghaiBill · 2015-05-26 12:34 · Score: 4, Insightful
  
  No-one should have your SSN beyond the government.
  That is silly. The original point of SSNs was so that employers could use them to identify workers when paying social security taxes to the government. So, obviously, your employer needs to know it.
  We need to get away from the ridiculous idea that something can be both widely known and secret. SSNs should only be used for identification, and should never be used for authentication. We should have a separate system for that.
14. Re:DoB, SSN & Filing Status?? by NicBenjamin · 2015-05-26 15:06 · Score: 3, Informative
  
  There's more to it then that.
  There's a section asking questions taken partly from the IRS database, and partly from your credit report. The questions are hard enough that when I did taxes at H and R Block it was not unusual for people to fail the test. In particular the form was very finicky about your address, and god help you getting on the site if you'd misspelled your street name on your tax return. But if I had been a determined hacker with one of those PII databases I probably could have turned a good half of them into transcripts, and used the transcripts to file tax returns. You get a couple tries a day, after all.
  BTW, it's currently illegal to use an SSN as a Driver's License number. Has been since 2004:
  [Public Law 108-458] "Prohibits Federal, State, and local governments from displaying SSNs, or any derivative thereof, on drivers' licenses, motor vehicle registrations, or other identification documents issued by State departments of motor vehicles."
15. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 18:46 · Score: 0
  
  Agree with you totally. $100,000 is to high. I would make it $500 plus any expenses. This way when there is a breach of 100,000 users, this will be a shitload of money.
  They also need to come up with a system for authenticating one properly. Perhaps, through the written mail that goes to the address that is on file with the IRS/W2 for your employer.
16. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-26 23:26 · Score: 0
  
  My SS card specifically states it is NOT to be used for identification....when did THAT change?
17. Re:DoB, SSN & Filing Status?? by Dog-Cow · 2015-05-27 00:15 · Score: 1
  
  I have a license issued in 2011. No SSN on it anywhere.
18. Re:DoB, SSN & Filing Status?? by Charliemopps · 2015-05-27 01:00 · Score: 2
  
  Better yet, those same agencies are 100% supportive of fining private enterprise for the same thing... But they believe they are simply innocent victims of outside attacks and shouldn't be held responsible.
  But this wasn't even an "attack" they used the form as it was intended to be used and just guessed at the inputs. That's like putting a combination lock on your safe that only has 1 digit, setting it to "1" then, after your customers Jewelry is stolen claiming there's nothing to can do to stop a determined Global criminal organizations that employ master safe crackers.
19. Re:DoB, SSN & Filing Status?? by Muad'Dave · 2015-05-27 01:38 · Score: 1
  
  Are you sure? Do you have a PDF-417 barcode on the back?
  https://www.google.com/search?...
  http://www.onlinebarcodereader...
  http://zxing.org/w/decode.jspx
  http://online-barcode-reader.c...
  
  --
  Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
20. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-27 02:21 · Score: 0
  
  That's all the ID the IRS requires to use their "secure" site???
  Because in the US, that's all you have to "prove" your identity. That, and bullshit like "mother's maiden name." There are no other identifiers. There is no other authentication scheme.
  The IRS does offer an "identity protection PIN" in some cases, but how do you set one up? Well, they ask you your date of birth, your SSN, and your prior year's filing status (or possibly your prior year's refund amount, which is a little better.)
21. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-27 02:55 · Score: 0
  
  SSNs should only be used for identification, and should never be used for authentication.
  Indeed. I think the government should publish all SSNs or at least provide a system to validate an SSN (from a security standpoint, both are almost equivalent). If anyone knows an SSN, he's welcome to pay the taxes or into the pension fund of that person. Anything else is just plain ridiculous.
22. Re:DoB, SSN & Filing Status?? by operagost · 2015-05-27 03:17 · Score: 1
  
  Make a new law, if you get hacked, you have to pay the person whos data you lost $100,000.
  
  Yeah, that will work really well with the government. Hey, we got hacked 100 times last year. In totally unrelated news, income taxes are going up and we just hired 1,000 new IRS employees because, obviously, those people need more help.
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
23. Re:DoB, SSN & Filing Status?? by Richy_T · 2015-05-27 04:42 · Score: 1
  
  Q21: When did Social Security cards bear the legend "NOT FOR IDENTIFICATION"?
  A: The first Social Security cards were issued starting in 1936, they did not have this legend. Beginning with the sixth design version of the card, issued starting in 1946, SSA added a legend to the bottom of the card reading "FOR SOCIAL SECURITY PURPOSES -- NOT FOR IDENTIFICATION." This legend was removed as part of the design changes for the 18th version of the card, issued beginning in 1972. The legend has not been on any new cards issued since 1972.
  Feeling old?
24. Re:DoB, SSN & Filing Status?? by Richy_T · 2015-05-27 04:46 · Score: 1
  
  This is largely because the government should not be getting into all this stuff anyway. Therefore you get the tension between what they need to do what they're doing and what they shouldn't be needing to ask for in the first place, leading to these half-arsed compromises.
25. Re:DoB, SSN & Filing Status?? by Anonymous Coward · 2015-05-27 05:47 · Score: 0
  
  PA and MA both generate DL numbers for you when you get your license, and in the case of PA, state-issued ID cards as well.
26. Re:DoB, SSN & Filing Status?? by PrimaryConsult · 2015-05-27 07:09 · Score: 1
  
  NY issued an identifier when I applied for a non-driver ID in the 90s, and that number hasn't changed since. Same with my mother when she got hers in the 80s (at the latest). Afaik we were never asked.
27. Re:DoB, SSN & Filing Status?? by DutchUncle · 2015-05-28 06:12 · Score: 1
  
  I graduated high school in 1972. Signing up for SSNs was about like signing up for the draft, except girls were included - we all filled out the form one day in home room, maybe 9th grade. So, yes, my original card DID say that very clearly . . . and then it became used as a "secret password" almost immediately.
Seriously by Guy+From+V · 2015-05-26 09:09 · Score: 1

This took a lot longer to happen than I thought it should've.
Contradictory information by Anonymous Coward · 2015-05-26 09:13 · Score: 2, Insightful

In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address.
In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.
Email doesn't go through a "security screen". Do they mean "questionable IP addresses" rather than "email domains"?
1. Re:Contradictory information by Loconut1389 · 2015-05-26 10:39 · Score: 2
  
  I believe they meant:
  After the page where you fill in security questions, they ask for the email and send you the report and the addresses the reports were sent to were suspicious.
Lawsuit by g0bshiTe · 2015-05-26 09:16 · Score: 1

Those affected should be able to sue, there needs to be accountability.

--
I am Bennett Haselton! I am Bennett Haselton!
1. Re:Lawsuit by acoustix · 2015-05-26 09:35 · Score: 2
  
  Those affected should be able to sue, there needs to be accountability.
  While I agree 100%, we're talking about the US government here. Nobody will be fired. Nothing will change.
  
  --
  "A plan fiendishly clever in its intricacies"- Homer Simpson
2. Re:Lawsuit by Anonymous Coward · 2015-05-26 09:43 · Score: 0
  
  You could try to sue, but good luck proving damages. It's the same situation as when a corporation leaks your data.
3. Re:Lawsuit by Stan92057 · 2015-05-26 11:09 · Score: 1
  
  I agree, have they caught any of the scum hackers yet?
  
  --
  Jack of all trades,master of none
Mad Lib by Voyager529 · 2015-05-26 09:17 · Score: 4, Insightful

[NEWS_OUTLET] reports that an online service provided by [ORGANIZATION_WITH_PERSONAL_DATA] was used to gather the personal information of [CUSTOMERS_OR_USERS]. Criminals were able to scrape [INSECURE_SYSTEM] to acquire [SUPPOSEDLY_SECURED_INFORMATION]. The system has been shut down while [OVERPAID_AND_INCOMPETENT_ANALYSTS] investigate and [PROMISE], and they're notifying [CUSTOMERS_OR_USERS] whose information was accessed.
At this point, you can turn this story into a Mad Lib, and fill in the blanks with basically any set of nouns, and it'll mostly be true.
1. Re:Mad Lib by Anonymous Coward · 2015-05-26 09:20 · Score: 0
  
  Anonymous Coward reports that an online service provided by Slashdot was used to gather the personal information of abject retards. Criminals were able to scrape The -1 Comments to acquire Golden Girls, HOSTS FILE, and Ponies. The system has been shut down while Anonymous Coward investigate and deliver liberty and justice for all, and they're notifying trolls whose information was accessed.
2. Re:Mad Lib by Anonymous Coward · 2015-05-26 09:27 · Score: 1
  
  Criminals were able to scrape The -1 Comments to acquire Golden Girls, HOSTS FILE, and Ponies
  OMG!
3. Re:Mad Lib by khallow · 2015-05-26 13:54 · Score: 1
  
  We must shut down society until this breech is contained!
4. Re:Mad Lib by operagost · 2015-05-27 03:24 · Score: 1
  
  That's not how Mad Libs looked when I was a kid. We usually came up with something like:
  
  The system has been shut down while BUTTS investigate and FART, and they're notifying BOOGERS whose information was accessed.
  
  --
  
  Gamingmuseum.com: Give your 3D accelerator a rest.
Very Serious by Anonymous Coward · 2015-05-26 09:18 · Score: 3, Insightful

This is actual even more serious than it sounds since the IRS basically gave the criminal a mean of mass validating their existing data. They have in effect proven valid SSN/Birthday pairs now ready to be used and abused.
1. Re:Very Serious by Anonymous Coward · 2015-05-26 09:38 · Score: 0
  
  What is this, the 1970s? Instead of the US giving me a SSN for identification, why don't they ask me to generate a private key and ask me to send them the corresponding public key?
2. Re:Very Serious by DaHat · 2015-05-26 09:47 · Score: 2
  
  We are talking about the same national government that couldn't rollout a website with major issues, on time or for a reasonable cost... why do you think a national PKI would be any easier or efficient to implement & rollout?
  
  --
  Help Brendan pay off his student loans
3. Re:Very Serious by Anonymous Coward · 2015-05-26 09:59 · Score: 0
  
  You mean the national and state governments that got suckered by a bunch of private companies that couldn't provide what they promised...who would be the same guys behind anything else.
  And who are still making mistakes around us.
  Makes you wonder what else they're fucking up.
4. Re:Very Serious by mark-t · 2015-05-26 10:29 · Score: 1
  
  One would think that if one were liable to want to use such info for criminal purposes, that one would tend to be reasonably expeditious about it, since the more time elapses while you are trying to use that information, the greater the chance that you will be discovered. The reality is, however, that there's a whole heaping mountain of red tape that even someone who has genuinely lost their wallet will have to go through just to prove their identity in today's society, and if you lose your wallet within about one year or so of having moved, and nobody has your current address on record yet, you can wind up completely screwed for months. I can't imagine that in practice, it would generally be possible for someone else to do anything useful with such minimal info.
  
  --
  File under 'M' for 'Manic ranting'
5. Re:Very Serious by Anonymous Coward · 2015-05-26 11:14 · Score: 0
  
  One criminal enterprise helping out another. Shocking.
6. Re:Very Serious by DaHat · 2015-05-26 11:25 · Score: 2
  
  Exactly... and even if they happened to create a perfect system on day one, the training required to get the average person to be able to use it would be herculean task.
  It's hard enough convincing many of our parents not to type in their username & password to just everywhere "Look for the lock icon in the address bar" we used to say, until malicious sites started setting the icon of the site to a lock.
  PKI is fantastic when it's largely automated and transparent... and I trust my parents web browser and OS's binary signature checking far more than I do their ability to learn how to actively participate in such a system.
  
  --
  Help Brendan pay off his student loans
7. Re:Very Serious by drkstr1 · 2015-05-26 12:48 · Score: 1
  
  I'm not so sure. Someone's identity isn't going anywhere soon. Once you have the info, it seems like the sensible thing to do would be to sit on it for awhile. This way you distance yourself from the breach. Assuming the breach is known and made public, the affected individuals will be on guard, checking for suspicious activity. But for how long? Maybe in a year or so, take out a bunch of credit cards and convert to cash as quick as possible. Bam, done! The info is just as valuable (minus a small percent), and with a much lower risk of getting caught. At least that's how I would go about it, were it a problem I was interested in solving.
  
  --
  Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
8. Re:Very Serious by Jason+Levine · 2015-05-26 13:33 · Score: 2
  
  I've done some research on the topic, being a victim of identity theft myself. From what I understand, the person who steals the identity rarely uses the stolen identity. Instead, they sell it to someone else who then uses it. This way, the real thief gets some quick cash with less risk of getting caught - especially if it's an inside job. (e.g. Someone in HR at your company downloads your company's employee records to a USB drive and decides to make a little money on the side.) Meanwhile, the people using the stolen identities can run up a big tab on the stolen credit lines without needing to do any messy hacking of computer systems. It's a win-win for the criminals - and a lose-lose for the person whose identity was stolen.
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Yeah by Anonymous Coward · 2015-05-26 09:20 · Score: 5, Interesting

The existence of this system was reported previously on slashdot, and people were recommending that you sign up before a criminal signs up in your name. That way you can protect the account with your own strong password.
Which is exactly what I did. And I am now quite happy I did. And I don't mind a bit that they shut it down anyway.
1. Re:Yeah by Anonymous Coward · 2015-05-26 10:22 · Score: 0
  
  Yup. I signed up as a prevention measure as well. password is `openssl rand -base64 32`. ;)
2. Re:Yeah by ChromaticDragon · 2015-05-26 14:01 · Score: 5, Interesting
  
  So did I.
  But then I stopped and thought a bit about the concept of Testing for Success vs. Testing for Failure. The former is weak testing... lazy testing. It WORKS. That's nice... But does it fail as it should? Have you tested when and how it fails? Do you know the limits?
  So... I decided to act as an identify thief. As previously reported then and now, getting the credentials to sign up are easy. OK. But I had already signed up. So that'd protect me, right?
  NOT AT ALL.
  It was trivially easy to sign up again. Oh sure, an email gets sent to the first email address set up. But this leads to one of two situations. First, the proper user doesn't check his email for a while. Then whatever the thief is going to do they can do. Second, the proper users finds out immediately and gets on and takes it back over. All good? Comically, no. Believe it or not (and I was really stunned at this part) the webapp doesn't force logout the identity thief when the proper user reregisters.
  I was a tad sickened at this point.
  As far as I could tell, this was utterly and completely insecure. The only way for an "average joe" to protect themself here was to sign up and then freeze credit completely at all the credit bureaus. Supposedly (haven't finished this part yet) once you do that, the 20-question stuff will IMMEDIATELY fail and anything like this IRS.GOV site that depends on it will also fail.
  Oh... but it was rather interesting to see what the IRS had stored on me... and what they didn't have. It was somewhat perplexing.
Uh Oh by Anonymous Coward · 2015-05-26 09:26 · Score: 0

I hope they don't think I was one of the MFers that did this. I have been checking my transcript regularly to make sure a correction to an incorrectly filled out form was made and I can finally get my refund.
efiling asks for last years AGI as passwd by peter303 · 2015-05-26 09:32 · Score: 1

They probably acessed the transcript to obtain this number. The AGI would not be in other identity leaks like SSN, DOB and address.
Last Straw by frovingslosh · 2015-05-26 09:35 · Score: 5, Funny

That does it. I'm going to quit giving them my business.

--
I'm an American. I love this country and the freedoms that we used to have.
1. Re:Last Straw by Anonymous Coward · 2015-05-26 10:04 · Score: 1
  
  That's it. I'm terminating my citizenship and leaving the United States and the IRS behind. hmm now which country was it that would allow you in and didn't have a tax authority again? Ohh that's right. I'm screwed no matter what.
2. Re:Last Straw by Anonymous Coward · 2015-05-26 10:52 · Score: 2, Funny
  
  I guess the IRS couldn't fix their security because they were too busy harassing any groups that the Obama Administration didn't like.
3. Re:Last Straw by Anonymous Coward · 2015-05-26 11:41 · Score: 0
  
  Lois Lerner is a Republican? Well that's got to be the news of this thread!
4. Re:Last Straw by frovingslosh · 2015-05-26 11:45 · Score: 1
  
  and too busy deleting and hiding the e-mail that documented it.
  
  --
  I'm an American. I love this country and the freedoms that we used to have.
5. Re:Last Straw by Anonymous Coward · 2015-05-26 11:58 · Score: 0
  
  She is jewish.... so almost certainly a democrat.
6. Re:Last Straw by Sarius64 · 2015-05-26 16:54 · Score: 1
  
  Last time I checked, it's the current Democratic Attorney General that confiscated grandma's house for her grandson selling a joint on the back porch. Democrats; the party of theft.
7. Re:Last Straw by Bob+the+Super+Hamste · 2015-05-27 00:12 · Score: 1
  
  too busy deleting and hiding the e-mail that documented it.
  So your are saying that they do have some secure systems then?
  
  --
  Time to offend someone
8. Re:Last Straw by Richy_T · 2015-05-27 04:48 · Score: 1
  
  They're all addicted to other peoples money, the lot of them.
I SEEEEE you! by Anonymous Coward · 2015-05-26 09:52 · Score: 0

Yes, you! The guy fucking with the layout again, indenting replies with an inch of white space and letting the beta bullshit leak into slashdot classic. Stop that! How many fucking times do we have to riot to get you to stop shitting up the comments section with bullshit useless whitespace?
Freeze your credit. Problem solved. by Anonymous Coward · 2015-05-26 10:00 · Score: 1

Unless you're in the market for something you cannot pay for in cash or with the current line of credit, your credit must be frozen. This solution costs about $30 ($10 per freeze x 3 agencies) and that is a small price to pay for a reduced risk of a stolen identity. This is due to the fact that in many cases your financial history is used to verify your identity and a credit freeze makes the financial history unavailable. For example, if you try to register for an IRS account while having a credit freeze, the system will deny your request. You can lift the freeze any time you want.
1. Re:Freeze your credit. Problem solved. by Jason+Levine · 2015-05-26 13:41 · Score: 2
  
  That's what we did when my identity was stolen. My name, address, SSN, and DOB were used to open a card in my name. I was lucky and the credit card company sent it to me (due to the thieves paying for rush delivery) instead of processing the address change and sending it to the thieves. It's a pain when I want to use my credit (refinance mortgage, buy a car, etc), but most days I don't need to touch my credit and don't want anyone else touching it either.
  Of course, the credit agencies don't like when you freeze your credit. Frozen credit files are less profitable (can't sell them to credit card companies hawking even more lines of credit) and so they like pushing "fraud alerts" instead. These expire every 90 days unless you renew them and are voluntary. If I were a credit card company opening a line of credit on someone, it's recommended that I check the fraud alert, but I could just ignore it, open the credit line, and suffer no consequences.
  To credit agencies and credit card companies, identity theft is an inconvenience that you just write off. No big deal. To the victim, though, it's a horrible experience. I felt completely violated knowing that someone was walking around with my private information, pretending to be me, and doing their best to run up a huge tab to send my way.
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
2. Re:Freeze your credit. Problem solved. by Bob+the+Super+Hamste · 2015-05-27 00:18 · Score: 1
  
  While this will solve most of the problems it still shouldn't be something that needs to be done, or at least something that shouldn't cost money to have done.
  
  --
  Time to offend someone
Adding insult... by vanyel · 2015-05-26 10:19 · Score: 1

I'm in the process of dealing with something like that now: someone filed a tax return for me before I got around to it. As a result, I had to file on paper, including an "identity theft affidavit" and a copy of some id, but they still sent back a letter requiring me to verify my identity. The online system rejected me (probably because it was asking for information on the fraudulent return), requiring me to call in. After wading through a 5 minute phone tree to get to a human, the system says "sorry, we're too busy go away". OK, it doesn't say "go away" but says call back later and hangs up, which is effectively the same. In the future, I will definitely be using the system to get a PIN ahead of time... If I owed money, I'd probably say fine - if you don't want to talk to me, I don't care, but sadly that's not the case...
1. Re:Adding insult... by NicBenjamin · 2015-05-26 15:17 · Score: 2
  
  If you owed money you'd have to send it in anyway. Identity theft is not gonna get you out of the failure to pay penalty.
  Keep in mind all this would go away if we were just willing to wait for our tax refunds. He beats you to the IRS? Who cares -- by May they will have the correct income documents so they'll know which one of you is you and which is the fraudster. But since we have to have our money NOW we deal with fraud.
  OTOH, since we basically run our Welfare State through the tax system (ObamaCare is technically an income tax subsidy, the Earned income Credit is the major cash benefit we give poor people, much of our higher education subsidy is the American Opportunity Credit, etc.) many of them genuinely need the money as quickly as possible. But the tradeoff for getting them the money quickly is that fraudsters can claim those credits quickly and get paid quickly.
2. Re:Adding insult... by vanyel · 2015-05-26 20:30 · Score: 1
  
  No, for the same reason you couldn't get away with not paying, you can't get away with ignoring the refund - the right tax return has to be filed. They could already tell if they cared to look, as my tax return is not simple and it's highly unlikely that the fraudulent one looks anything like the real one. The best case that would come out of ignoring it is an audit, and no one wants that.
3. Re:Adding insult... by RealGene · 2015-05-27 04:34 · Score: 1
  
  This is exactly what happened to me, due to the Anthem breach.
  Here's a hint: call the IRS at exactly 0800 ET, when the lines open. I waited on hold for about 2 minutes, and it took approximately 45 minutes to complete the process.
  NOTE: Check your junk mail carefully. I detected the fraud because a 'Green Dot' prepaid debit card arrived in the mail. The fraudster had purchased a generic card retail with $10 loaded on it, as the IRS, in their infinite wisdom, accepts these accounts for refund payments.
  It was registered with my name and address, so Green Dot "helpfully" sent me a personalized card.
  I froze the card, but the fraudulent return had already been filed. Fortunately, the IRS was unable to make the (fraudulent) refund payment to the (now frozen) debit card (and even helpfully sent a letter about it). So I screwed the fraudster out of $10.
  I've been told I might see my (legitimate) refund in 6 months.
  
  --
  Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
4. Re:Adding insult... by vanyel · 2015-05-28 15:15 · Score: 1
  
  Gave up on trying to call into the IRS and went down to the a nearby (well, 40 miles) office yesterday early afternoon. It wasn't actually crowded surprisingly, but the guy that handles real things (as opposed to taking checks and other minor receptionist duties) wasn't there, so I had to come back today. Got there bright and early and got it taken care of with a "they say up to 180 days for your refund". The receptionist had said "he can push it through" but apparently not really. Oh well, hopefully it won't take that long. They recommend filing a local police report, so I stopped in on my way to work and did that too. That actually took longer because they had to call a cop in off the street to take the report!? Although this tax refund fraud isn't usually taken beyond that to real identity theft, I filled out a form with a password that puts a flag on me so that if they deal with someone who claims to be me, they ask for the password to make sure it's really me and not an imposter.
  But at least my state refund got deposited last week...
Re:All I want are the learner emails by Anonymous Coward · 2015-05-26 10:19 · Score: 0

If congressional Republicans had a spine, Ms. Lerner would be occupying a cell in Leavenworth.
It's not just the IRS by Sir_Eptishous · 2015-05-26 10:40 · Score: 3, Insightful

Yea, /. had a story about the IRS and SS sites a while back.
Make sure your log in and create an account for the Social Security Administration too.

It really is getting ridiculous how frequent this shit is happening now.
It's almost to the point where people don't even pay attention:
"Oh wow, another big financial institution got hacked... Another fifty million Americans data is in the hands of criminals... What can we do about it?"

The average American is at their wits fucking end trying to keep up with all their accounts, passwords, blah diddy fucking blah shit they have to keep track of. For most of us this isn't an issue, but you can guarantee that for the vast majority of Americans, they are flying blind when it comes to all various requirements for being secure online. Oh, and lest I forget(how could I?) all of these security problems we encounter daily are always for convenience of the user(Trust Us!). Convenient apps/plugins/sites/tools to make your life easier:
"Isn't your life easier with our no security, pro-hacker enabled widget? Why, within a matter of moments of using our widget your personal data, financial data and medical data will be in the hands of our trusty hacker/malware infested servers in DerkaDerkaStan, where our trusty staff of well trained consultants will bleed you dry before you can click the X in the upper right hand corner. Why, to deny such a widget would be an affront to America, to the very meaning of Freedom and Capitalism!"

To be less hyperbolic, think of what it takes to have even a modicum of security online. We've got to have hardened browsers(NoScript, AdBlock, etc), we have to have different id/pw combinations for all important sites(that one really messes with people...), we have to have an account with a credit monitoring/credit agency(Equifax, etc) to monitor our financial accounts, we have to have up to date settings, firmware on our DSL/Cable modems, we have to have our OS security settings correct, AV/AntiMalware, etc, etc, etc

Have fun with all that, average American(it's bad enough for "advanced" users).

--
We play the game with the bravery of being out of range
1. Re:It's not just the IRS by sudon't · 2015-05-27 04:49 · Score: 1
  
  A password manager solves most of these problems. You don't have to be an "advanced user" to use one, but since Microsoft hasn't seen fit to include one with their OS, few people have them. Mac OS has come with a password manager since 1999, but that's a much smaller user base. I can't understand why they haven't made it part of iOS.
  
  --
  -- sudon't
  Air-ride Equipped
taxed if you do by frovingslosh · 2015-05-26 11:44 · Score: 1

You can't even officially renounce your citizenship without going to another country and renouncing it at an official government building there.... and you need to buy a U.S. passport to do that. So much for "Land of the Free".

--
I'm an American. I love this country and the freedoms that we used to have.
Oh that explains Lois Lerner by Anonymous Coward · 2015-05-26 12:25 · Score: 0

She couldn't find the emails because the HACKERS had destroyed her hard drive!
Accountability by Sarius64 · 2015-05-26 16:51 · Score: 1

Yet, no one get's fired. No one is held accountable. The organization continues to operate as a political operative.
simple solution by mbaGeek · 2015-05-27 01:02 · Score: 1

simplify the tax code, institute a flat tax, abolish the bloated corrupt bureaucracy that is the IRS
although I for one welcome our kinder gentler overlords at the IRS that I'm sure will come out of this obvious example of incompetence /duck and run

--
It ain't what they call you. It's what you answer to. http://mylyceum.us/
Lawsuit by operagost · 2015-05-27 03:00 · Score: 1

Everyone sue the IRS! That'll teach them! Oh wait, you can't. Tough luck, buddy. Just keep trusting your government though-- because you really have no choice.

--

Gamingmuseum.com: Give your 3D accelerator a rest.
How can they tell? by DutchUncle · 2015-05-28 06:16 · Score: 1

I used this system to get a reprint of last year's form, lost to a hard drive crash (yes, I know, backups). How can anyone distinguish legitimate from illegitimate access?