Featured Articles

IRS Argues Against Making E-File PINs Harder to Obtain

Posted on May 19, 2016 by Gattoni-Celli, Luca

Months after disclosing a January cyberattack that it said compromised some 101,000 electronic-filing personal identification numbers, the IRS has taken no apparent action to alter or strengthen the user authentication of its e-file PIN application, saying that doing so would burden legitimate taxpayers while having no clear impact on fraud.

In a May 18 statement to Tax Analysts, the IRS said that an e-file PIN, which in theory serves to verify the identity of a taxpayer filing a return electronically, "merely enables the filing of an electronic return, and does not enable the holder of the e-File PIN to access personal taxpayer information."

"The IRS screens all types of returns, including those filed using an e-File PIN, for fraud and identity theft at multiple points in the processing cycle. The personal information criminals need to fraudulently obtain an e-File PIN is the same information they could use to file a false return whether they file it electronically or on paper," the agency statement said. "Therefore, further limiting access to the e-file PIN would not likely curb refund fraud; however, it would limit the ability of honest taxpayers to file tax returns electronically."

E-file PINs are usable for only one year and are designed to be easier to obtain than self-select PINs, which require a taxpayer's prior-year adjusted gross income or previous self-select PIN (plus date of birth). The IRS said in its statement that most e-filers use the self-select PIN.

The automated attack on the e-file PIN tool occurred in late January, based on a February 9 IRS statement initially disclosing it and comments made February 10 by IRS Commissioner John Koskinen.

In a report published February 18 by Tax Analysts, the IRS confirmed that the e-file PIN application requires only a taxpayer's name, date of birth, home address, filing status, and Social Security number (or individual taxpayer identification number). Information security experts and tax observers characterized those requirements as inadequate, noting that SSNs are widely available for sale on the dark Web.

The IRS said February 19 that it was closely managing and monitoring the security of the application, having implemented additional security features around the e-file PIN Web page to help protect against inappropriate access.

The office of House Ways and Means Committee Chair Kevin Brady, R-Texas, expressed displeasure with the IRS response to the e-file PIN attack. "After three months, it's outrageous that the IRS has failed to fix this app and that taxpayers remain at risk," a Brady spokeswoman said May 18. "Our committee is continuing to review IRS plans and calling on the IRS to protect taxpayers and deliver safer service."


21st-Century Challenges

Jeffrey Eisenach, a visiting scholar at the American Enterprise Institute who commented for Tax Analysts' initial investigation of the e-file PIN tool's apparently flawed authentication process, said the lack of visually apparent change to the application in the months since was "unfortunate, but not surprising" given the federal government's chronic mismanagement of digital security and challenges the IRS faces procuring information technology goods and services.

In broad terms, the U.S. government has a 20th-century mentality in the face of 21st-century challenges, "and it is not going well," said Eisenach, who directs the institute's Center for Internet, Communications, and Technology Policy.

Daniel Ingevaldson, chief technology officer of digital anti-fraud company Easy Solutions Inc., said the IRS should strengthen the e-file PIN application's authentication process, but not simply by requiring taxpayers to answer questions based on their self-knowledge.

"It is widely known that 'out-of-wallet' questions (such as pseudo-private personal info) is obsolete because it is easy for attackers to acquire," Ingevaldson said in an email. "The IRS should aggressively adopt a fraud-risk management approach, as financial institutions have done, to weigh the cost of advanced authentication" against risk to taxpayers.

"For attackers targeting the IRS e-file system, the risk is low and the reward is high," Ingevaldson said. "I hope that the IRS takes aggressive measures to change the calculus and to further protect the system."

A multifactor "e-authentication" process the IRS is expected to launch soon will restore previously revoked online access to the IRS's Get Transcript tax record as well as identity protection PIN retrieval tools, National Taxpayer Advocate Nina Olson said May 17 during a Taxpayer Advocate Service public forum at IRS headquarters in Washington.

E-authentication is expected to eventually undergird full-featured online taxpayer accounts that will in theory be a one-stop shop for disparate IRS services, perhaps including e-file PIN retrieval.

Follow Luca Gattoni-Celli (@TheGattoniCelli) on Twitter for real-time updates.