
Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System (csoonline.com)

itwbennett writes: In January attackers targeted an IRS Web application in an attempt to obtain E-file PINs corresponding to 464,000 previously stolen social security numbers (SSNs) and other taxpayer data. The automated bot was blocked by the IRS after obtaining 100,000 PINs. The IRS said in a statement Tuesday that the SSNs were not stolen from the agency and that the agency would be notifying affected taxpayers.

16 of 107 comments

  1. I have a datafile by buchner.johannes · · Score: 4, Funny

    with ten-thousand 4-digit PINs. Interested?

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. Good opportunity for legal earnings by SuperKendall · · Score: 2

    I'm pretty sure I forgot my e-file pin, it would be ever so helpful if the hackers would offer to sell it to me for a reasonable fee so I wouldn't have to go through the bother of a reset.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  3. Excellent! by avandesande · · Score: 2

    Would love to be hacked and have someone pay my back taxes for me!

    --
    love is just extroverted narcissism
    1. Re:Excellent! by quetwo · · Score: 4, Informative

      If it only worked that way. The real game they are playing is to file your taxes with a bunch of fake dependents, every deduction they can take, etc., in order to drive up a refund. They then send the refund to a bank account they own and run away with the money, usually several thousand dollars. This often happens without you knowing at all. When you try to submit your real tax return, the IRS bounces it because you already filed. You then have to go through all sorts of hoops to prove to the IRS you are filing your real taxes and you don't need to pay them back the refund they've already sent "you".

      It happened to one of my co-workers last year. He didn't get it cleaned up until nearly August -- and he had to spend several hundred hours on the phone, in court, at the IRS office, etc. to get everything straightened out.

    2. Re:Excellent! by Mateorabi · · Score: 3, Informative

      If e-file is blocked you paper file. It takes several affidavits and certified mail and some phone calls, not 100s of hours and court. Though in my case they sent ME the initial "we think something's hinkey with your return" letter before I had even tried to file. I did have to wait 6 months from April to get the check in the mail.

      What annoys me is that the IRS reps always give you a condescending tone about getting your taxes in early, because first-through-the-gate wins. They ignore the fact that fraudsters are making up the filing data and don't have to wait for the actual W2 to get sent out. It's February and I'm still waiting on some 1099s to finish my paperwork.

      I'm a bit scared now because their PIN system was down last Nov/Dec, and when I tried to get in early January after it was back up an account had already been made and PIN accessed but I have no memory of signing up. I was able to "recover" the account. The lady on the phone with IRS insisted I just forgot I had done it already (impossible) and insisted there was no way I was hacked and recommended AGAINST voiding the PIN and getting a replacement--which is apparently a PITA for them and a huge delay to file. "Just file early" she said.....

      --
      "You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8

  4. Password Security 101 by 14erCleaner · · Score: 2

    Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now. While this allows for denial-of-service attacks, it seems better than allowing a bot to try 1000 passwords per second until it succeeds.

    --
    Have you read my blog lately?
    1. Re:Password Security 101 by amicusNYCL · · Score: 3, Funny

      Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now.

      Yes, and obviously the IRS is using such a system. They have a rule in their firewall which says something like "if the IP address makes 100,000 requests within a minute, then block it." Boom, problem solved. Intrusion Detection systems have come a long way, and the IRS is leading the way.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Password Security 101 by gstoddart · · Score: 2

      Since when do systems allow brute-force attacks on PIN numbers?

      Who said brute force?

      The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

      This sucker just harvested them.

      Because, really, HOW many different places will have those 4 pieces of information? I'm betting FAR too many for comfort ... and I'm betting some combination of them have been hacked in the last few years.

      Oh, and of course:

      While the IRS said that externally-acquired taxpayer data was used, the agency did suffer a security breach last year that allowed attackers to gain information such as Social Security information, date of birth and street address for over 300,000 taxpayers.

      the IRS has already coughed this up before.

      Who needs brute force when it's just a matter of entering the information you already have?

      --
      Lost at C:>. Found at C.
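A defender's view of the two controls argued over in this thread, as an added example (Go, written for this page; not IRS code and not any real tool): the per-account failed-attempt lockout from the parent comment, and the per-source request-velocity rule from the first reply, both run over constructed log lines for a hypothetical PIN-retrieval endpoint. The log format, the IP addresses, the account identifiers and the thresholds are all assumptions. The point gstoddart makes shows up directly in the result: a bot that submits correct, previously stolen details never fails a lookup, so the lockout rule never fires on it and only the velocity rule flags it, while the lockout rule is what catches the guesser.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log line for the PIN-retrieval endpoint.
// The log format is assumed: "<RFC3339 time> <src_ip> <account_id> <success|fail>".
type Request struct {
	When    time.Time
	SrcIP   string
	Account string
	Success bool
}

// ParseLog parses lines in the assumed format above; blank lines are skipped.
func ParseLog(raw string) ([]Request, error) {
	var out []Request
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Request{When: t, SrcIP: f[1], Account: f[2], Success: f[3] == "success"})
	}
	return out, sc.Err()
}

// FlagFailedAttempts is the classic per-account lockout rule: accounts with at
// least maxFailures failed lookups. It catches guessing, not replay of correct data.
func FlagFailedAttempts(reqs []Request, maxFailures int) []string {
	fails := map[string]int{}
	for _, r := range reqs {
		if !r.Success {
			fails[r.Account]++
		}
	}
	var out []string
	for acct, n := range fails {
		if n >= maxFailures {
			out = append(out, acct)
		}
	}
	sort.Strings(out)
	return out
}

// FlagVelocity is the per-source rule: IPs that made more than maxPerWindow
// requests inside any sliding window of the given length, successful or not.
// A bot replaying stolen PII never fails, so only its volume gives it away.
func FlagVelocity(reqs []Request, window time.Duration, maxPerWindow int) []string {
	byIP := map[string][]time.Time{}
	for _, r := range reqs {
		byIP[r.SrcIP] = append(byIP[r.SrcIP], r.When)
	}
	var flagged []string
	for ip, ts := range byIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window { // drop requests that fell out of the window
				start++
			}
			if end-start+1 > maxPerWindow {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog builds constructed log lines: one ordinary taxpayer, one guesser
// hitting a single account with wrong details six times in five minutes, and
// one bot replaying valid details for eleven different accounts in eleven seconds.
func SampleLog() string {
	var b strings.Builder
	t0 := time.Date(2016, 1, 20, 9, 0, 0, 0, time.UTC)
	fmt.Fprintf(&b, "%s 198.51.100.4 acct-0001 success\n", t0.Format(time.RFC3339))
	for i := 0; i < 6; i++ {
		fmt.Fprintf(&b, "%s 192.0.2.9 acct-0042 fail\n", t0.Add(time.Duration(i)*50*time.Second).Format(time.RFC3339))
	}
	for i := 0; i < 11; i++ {
		fmt.Fprintf(&b, "%s 203.0.113.7 acct-%04d success\n", t0.Add(time.Duration(i)*time.Second).Format(time.RFC3339), 1000+i)
	}
	return b.String()
}

func main() {
	reqs, err := ParseLog(SampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Println("per-account lockout candidates:", FlagFailedAttempts(reqs, 5))
	fmt.Println("per-source velocity candidates:", FlagVelocity(reqs, time.Minute, 10))
}
```

On the constructed data the lockout rule returns only acct-0042 and the velocity rule returns only 203.0.113.7; neither rule alone covers both cases. A per-IP counter is also the easiest of the two to sidestep by spreading requests over many sources, so in practice the velocity rule is paired with a global rate on the endpoint itself and with a review of successful lookups that come from sources with no prior history.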
  5. PIN numbers are a bad idea by spork+invasion · · Score: 2

    The IRS really should assign everyone PINs or, preferably, better security. There's no good reason that additional security is restricted to people in Georgia, Florida, or those who have suffered tax-related identity theft. Also, why not simply maintain a registry of public keys for individuals? Require tax returns to be filed electronically and digitally sign them using the private key of individuals. As long as people don't allow anyone access to their private keys, this could prevent a lot of the problem. Why we're still using SSNs for identity information in the 21st century is beyond me. They were supposed to serve one purpose and one purpose only -- an identifier to track people's contributions to social security.

    --
    I hate all anonymous shitbags. Log in, you filthy bastards.
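The public-key proposal in this comment, worked through as an added example (Go, written for this page; nothing here is IRS code or any real filing protocol): a registry mapping a taxpayer identifier to an enrolled Ed25519 public key, a signing step on the taxpayer's side, and the acceptance check on the filing side. The identifier format, the JSON payload, the error names and the use of Ed25519 are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the hypothetical public-key registry from the comment above:
// taxpayer identifier (a stable, non-secret ID that proves nothing by itself)
// to the public key enrolled for that taxpayer.
type Registry map[string]ed25519.PublicKey

// SignedReturn is an e-filed return: the canonical return bytes plus a
// detached Ed25519 signature over the taxpayer ID and those bytes.
type SignedReturn struct {
	TaxpayerID string
	Payload    []byte
	Signature  []byte
}

var (
	ErrUnknownTaxpayer = errors.New("no public key enrolled for taxpayer")
	ErrBadSignature    = errors.New("signature does not verify under the enrolled key")
)

// signedMessage binds the taxpayer ID into the signed bytes so a signature
// made for one ID cannot be re-attached to a return filed under another.
func signedMessage(id string, payload []byte) []byte {
	return append([]byte(id+"\x00"), payload...)
}

// SignReturn is the taxpayer's side: sign with the private key they alone hold.
func SignReturn(id string, payload []byte, priv ed25519.PrivateKey) SignedReturn {
	return SignedReturn{TaxpayerID: id, Payload: payload,
		Signature: ed25519.Sign(priv, signedMessage(id, payload))}
}

// Accept is the filing endpoint's side: the return is accepted only if it
// verifies under the key enrolled for the claimed taxpayer.
func (r Registry) Accept(sr SignedReturn) error {
	pub, ok := r[sr.TaxpayerID]
	if !ok {
		return ErrUnknownTaxpayer
	}
	if !ed25519.Verify(pub, signedMessage(sr.TaxpayerID, sr.Payload), sr.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo enrols one taxpayer and returns the endpoint's verdict on (a) the
// taxpayer's own return, (b) a return for the same ID signed by someone who
// has all of the taxpayer's PII but a key of their own, and (c) the genuine
// return with its refund destination altered after signing.
func Demo() (genuine, forged, tampered error) {
	const id = "TIN-0001" // constructed identifier
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{id: pub}

	own := SignReturn(id, []byte(`{"year":2015,"refund_to":"taxpayer-acct"}`), priv)
	genuine = reg.Accept(own)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = reg.Accept(SignReturn(id, []byte(`{"year":2015,"refund_to":"mule-acct"}`), otherPriv))

	own.Payload = []byte(`{"year":2015,"refund_to":"mule-acct"}`)
	tampered = reg.Accept(own)
	return genuine, forged, tampered
}

func main() {
	g, f, t := Demo()
	fmt.Println("genuine:", g, "| forged:", f, "| tampered:", t)
}
```

Only the genuine return is accepted; the forged and the tampered returns both fail with ErrBadSignature, and knowing the name, SSN, date of birth and address buys nothing because none of them enters the verification. What the example leaves open is enrolment: the scheme is only as strong as the step that binds a key to a person, and if that step is itself done by presenting the same four pieces of data, the registry inherits exactly the weakness the story is about.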
  6. IRS computer shutdown last week? by OzPeter · · Score: 2, Interesting

    Seeing this makes me wonder if this was the real reason for the IRS no longer accepting electronically filed returns last week. No mention of it in TFA, but the Christian Science Monitor was a bit cynical when reporting "Tax filing halted by IRS computer outage. Will refunds be delayed?" by putting quotes around the "hardware failure".

    A "hardware failure" forced the shutdown of several tax processing systems, including the e-file system, the IRS said in a statement.

    whereas the actual IRS statement was (in the same article)

    The IRS experienced a hardware failure this afternoon affecting a number of tax processing systems, which are currently unavailable. Several of our systems are not currently operating, including our modernized e-file system and a number of other related systems. The IRS is currently in the process of making repairs and working to restore normal operations as soon as possible. We anticipate some of the systems will remain unavailable until tomorrow.

    --
    I am Slashdot. Are you Slashdot as well?
  7. Re:So? by spork+invasion · · Score: 2

    A fraudulent return means the IRS won't accept your legitimately filed return. As a result, you'll need to prove your identity to the IRS, and then wait a lengthy amount of time for them to process your return. This happened to my parents and it took a few months for them to get their refund. If the IRS owes you a refund, you won't get it for a long time. While you're not liable for the fraudulent return, you'll have to wait a long time for your refund and it's quite a hassle. Also, a substantial amount of federal money is spent on fraud and waste. As a taxpayer, a portion of your money is wasted by fraudulent refunds. While I'm not necessarily opposed to most taxation, I have no interest in paying any taxes where the money ends up going to fraudsters.

    --
    I hate all anonymous shitbags. Log in, you filthy bastards.
  8. Re:IRS = ObamaCare by jklovanc · · Score: 2

    Wrong. The Affordable Care Act (some call it Obamacare) is administered by the Health and Human Services Department.

  9. Re:IRS = ObamaCare by amicusNYCL · · Score: 2

    In case you're curious, this is how APK spent his day yesterday. I see about 7 waking hours throughout the day when he was not trolling Slashdot, although I may have missed a few posts. All times are correct at least for my timezone. The vast majority of these are replies to you (that's how it's easy to find them - just go through your post history and he's there like stink on shit), some of the ones late at night were trolling replies to me. This is who we're dealing with. Something tells me that this is not a one-off thing for him, I think this is his normal day. He goes online and trolls all day, and spends a few hours to eat, shit, masturbate, play games, etc.

    Note this is only for yesterday. He's back today continuing his crap flood and I haven't even included any of those posts, these are just for the 9th (my time).

    8:56 http://slashdot.org/comments.p...
    9:14 http://slashdot.org/comments.p...
    9:16 http://slashdot.org/comments.p...
    10:02 http://slashdot.org/comments.p...
    10:06 http://slashdot.org/comments.p...
    10:20 http://slashdot.org/comments.p...
    10:29 http://slashdot.org/comments.p...
    10:52 http://slashdot.org/comments.p...
    10:56 http://slashdot.org/comments.p...
    11:02 http://slashdot.org/comments.p...
    11:12 http://slashdot.org/comments.p...
    11:15 http://slashdot.org/comments.p...
    11:25 http://slashdot.org/comments.p...
    11:39 http://slashdot.org/comments.p...
    11:51 http://slashdot.org/comments.p...
    11:53 http://slashdot.org/comments.p...
    12:08 http://slashdot.org/comments.p...
    12:15 http://slashdot.org/comments.p...
    12:20 http://slashdot.org/comments.p...
    12:35 http://slashdot.org/comments.p...
    12:52 http://slashdot.org/comments.p...
    13:02 http://slashdot.org/comments.p...
    15:08 http://slashdot.org/comments.p...
    15:19 http://slashdot.org/comments.p...
    15:22 http://slashdot.org/comments.p...
    15:27 http://slashdot.org/comments.p...
    15:29 http://slashdot.org/comments.p...

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  10. Re:I have no sympathy for procrastinators. by SQLGuru · · Score: 2

    I'm ready for a system where I don't have to bother filing taxes........either a flat tax that is taken out of each paycheck or a national sales tax where it's taken at the register or whatever. I know taxes are needed to pay for stuff for the greater good, but holy cow, taxes are a pain. I'll pay my fair share (emphasis on fair), just make it easier for me.

  11. Re:IRS = ObamaCare by amicusNYCL · · Score: 2

    Here it is. I kind of appreciate the vagueness of it. Hopefully they aren't just outright stopping the AC tradition though, that would probably be overkill, even for APK.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  12. Honeypot / Prevention by Etherwalk · · Score: 2

    How is it that these people don't get tracked?

    Require refunds to go to a domestic bank with an account name matching the name on the return. Better yet, require refunds to be processed through the employer who collected the taxes in the first place if the taxpayer is still employed there.