IRS stops issuing e-file PINs after new hacker attack
Friday, June 24, 2016
Hackers continue to assault the Internal Revenue Service's online options, forcing the agency to shut down yet another website tool.
Another automated bot hacking attempt by identity thieves has forced the IRS to stop issuing e-file PINs.
On Thursday, June 23, the IRS announced that taxpayers can no longer obtain an electronic filing personal identification number, or e-file PIN, at either IRS.gov or even via phone.
And due to growing identity theft and tax refund fraud threats, the shutdown of the e-file ID option might be permanent.
Who needs an e-file PIN? Some taxpayers use an e-file PIN to verify their identity when they don't have their prior-year adjusted gross income info from those earlier tax returns. Getting access to those prior returns was hampered recently by limits on the IRS' Get Transcript tool.
The online option to immediately download old filing info was down for more than year, finally returning to full operation earlier this month.
But now another IRS online app has taken Get Transcript's place in the "closed" category.
If you go to the agency's Get Your Electronic Filing PIN web page, you'll see this:
The e-File PIN tool is no longer available. Instead, you will need to use your prior-year adjusted gross income (AGI) to validate your signature. If you do not have your prior-year tax return, you may use Get Transcript Online or Get Transcript by Mail to obtain your prior-year AGI. You may use your AGI to validate your signature and continue with electronic filing of your tax return.
The IRS says the closure of the e-file PIN option is a "precautionary step to protect taxpayers" following increased "questionable activity" at the electronic ID website.
Bots, bots and more bots: The latest illegal attempts to obtain IRS data apparently are once again from an automated program.
They follow the IRS' announcement in February that hackers, using taxpayer data -- names, addresses, filing status, dates of birth and Social Security numbers -- stolen elsewhere, used that info and a bot attack program, to access more than 100,000 e-File PINs through the agency website.
Back then, the IRS assured taxpayers that its online e-file PIN tool only reveals the identification numbers, not any specific taxpayer data.
The IRS said it dealt with the earlier attack by implementing additional defenses for filer protections within its processing systems. This included extra scrutiny for any return with an e-File PIN.
Challenge accepted: Apparently, the hackers took the new security hurdles as a challenge.
"Recently, the IRS observed additional automated attacks taking place at an increasing frequency, but only affecting a small number of e-File PINs," the agency said in a statement about the cessation of e-file PIN issuance.
"We were able to identify this issue because of additional defenses put in place earlier this year, and backend protections remain in place. However, the IRS decided to remove the e-File PIN program as a safety measure."
That's probably a good idea, since the Treasury Inspector General for Tax Administration's investigation of the original Get Transcript hack accused the IRS of missing some taxpayers whose information fell into criminal hands.
Who's inconvenienced? Although, according to the IRS, only "a smaller segment of taxpayers who have not filed their tax returns this year and need a replacement e-File PIN" are affected, that's no consolation if you're part of that group.
If that's your situation, talk with your tax professional or contact the IRS or help desk of your filing software for guidance.
Meanwhile, the IRS says it "continues to work with the tax software community to make this change as smooth as possible for affected taxpayers."
And get ready to possibly do without e-file PINs altogether.
In its statement, the agency also noted that it already has "been working with [the tax] industry to assess elimination of the e-File PIN later this year."
Given how the hackers aren't slowing down, it might well be a wise move to take away at least one target.
You also might find these items of interest:
You can follow this conversation by subscribing to the comment feed for this post.