Tax Analysts®

February 18, 2016
Flawed Authentication May Have Exposed E-File PINs
by Luca Gattoni-Celli

Full Text Published by Tax Analysts®

The IRS's reliance on Social Security numbers to authenticate users of its electronic filing personal identification number application endangers the program's integrity, security experts and tax practitioners said in the wake of a major cyberattack on the agency.

One practitioner approached by Tax Analysts said he decided to retrieve his own e-file PIN as a proof of concept and found the experience unsettling.

"I was able to obtain an e-file PIN very easily by providing my name, Social Security number, and filing status," among other basic personal data, said Kevin M. Johnson of Pepper Hamilton LLP.

Johnson, who previously served as an IRS revenue agent, called the process "somewhat disconcerting because it is too easy to obtain the PINs."

"I would think that those with fraudulent intent would not have a difficult time obtaining e-file PINs if they had the address and SSN from another source," said Johnson, adding that an identity thief might also find clues about a taxpayer's filing status from other sources.

In May 2015 IRS Commissioner John Koskinen speculated that filers' social media accounts may have exposed otherwise obscure "out-of-wallet" identifying information used to gain unauthorized access to the Service's Get Transcript application.

The automated malware attack that compromised the e-file PINs was disclosed late February 9 by the IRS, which said it affected some 101,000 SSN holders. An e-file PIN is one of the verification options for filing tax returns electronically.

The attack relied on approximately 464,000 unique SSNs acquired elsewhere, the IRS said. The IRS later confirmed to Tax Analysts that the 101,000 figure for the number of successful hits was also an approximation, though it said it identified and notified the affected filers.

According to an IRS Web page (https://goo.gl/ltPL2P), filers can create their own self-select PIN to file electronically, if they can supply their previous year's adjusted gross income and date of birth. The Web page adds, "If you are unable to access your tax year 2014 return information for electronic signature authentication purposes, the IRS Web application Get Your Electronic Filing PIN can issue a temporary electronic filing PIN (EFP) to eligible taxpayers."

Another IRS Web page (https://goo.gl/bIhOhr) states that filers need only submit their SSN and basic personal information, such as filing status, date of birth, and address of record -- reflecting their previous year's tax return -- to access an e-file PIN online. A separate page (https://goo.gl/YXCFpG) that provides access to the e-file PIN requires filers to provide their:

  • SSN (or individual taxpayer identification number);
  • first name;
  • last name;
  • date of birth;
  • filing status (single, married filing jointly, etc.);
  • address (number and street);
  • apartment number;
  • country;
  • city;
  • state or U.S. territory; and
  • ZIP code.

The Web pages include a Spanish-language assistance page (https://goo.gl/ZLszKr) that similarly instructs non-English speakers to simply enter their SSN, filing status, and the other basic personal information into the e-file PIN application form, then click the "Submit" button.

"This is an ongoing criminal investigation," the IRS told Tax Analysts in a written statement responding to questions about the e-file PIN application's authentication process. "We have tried to provide as much information as we can without disclosing security details."

"The e-file PIN serves as an alternative for those taxpayers who have access to neither their prior year AGI or their prior year Self Select PIN," the IRS said. "To access the e-file PIN, you must enter your name, SSN, date of birth, prior year filing status and address as it was on the prior year tax return."

"If you accurately complete that information, the tool will display your current-year, 5-digit e-file PIN," the IRS continued, noting the e-file PIN could be used only for the current-year tax return.


SSNs the 'De Facto Identifier'

Many observers credit the Get Transcript incident with spurring the IRS to think more creatively and proactively about combating tax fraud and identity theft.

The IRS may have other security measures around the e-file PIN program, such as monitoring metadata and sharing information with state government and private sector partners in its ongoing security summit anti-fraud initiative.

Kathy Pickering, executive director of the Tax Institute at H&R Block, said the IRS contacted its private partners as quickly as possible about the e-file PIN program attack to brief them, and that H&R Block "was very pleased with the IRS'[s] communication and information sharing."

However, she also expressed concern given that SSNs have "become the de facto identifier not only for tax returns but for many other personal needs and records."

Providing filers a unique individual identifier for their returns aside from their SSNs would be one potential step toward addressing that problem, Pickering said. She added that the IRS should develop a comprehensive approach to taxpayer authentication, noting that filers currently access separate applications with separate authentication methods to transact with the IRS.

The IRS needs an overarching strategy to authenticate filers' identities, "leveraging tools, technology, and partners that will evolve and adapt over time," Pickering said.


'They're Not Secret'

Jeffrey Eisenach, a visiting scholar at the American Enterprise Institute, characterized the IRS's single-factor authentication process for the e-file PIN application as totally inadequate.

"The authentication that they are using now is something out of the 20th century," said Eisenach, who directs AEI's Center for Internet, Communications, and Technology Policy. "It's hard to believe that the U.S. government checkbook would be so poorly protected in 2016."

When asked about the apparent authentication requirements, Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, also said he found them disturbing.

SSNs, dates of birth, and the other required information described on the IRS Web pages "are not adequate as authenticators because they're not secret," Hall said. "These things are easy to discover about people," he added, noting that stolen SSNs, which he said were created as identifiers, not security keys, are widely available on the dark Web.

Hall said the authentication process described on the IRS Web pages would have made the e-file PIN program extremely vulnerable to an automated attack of the type the IRS disclosed.

"I don't know what's going on here," Hall said, "but on its face this set of data is not adequate to protect against automated attacks."

Such concerns about the e-file PIN program's authentication process may increase scrutiny of how the IRS handles personal information and secures its IT systems.

A House Oversight and Government Reform Committee Web page (https://goo.gl/4qLfny) summarizing a February 11 hearing on IRS data retention practices presents accusations that the Service only disclosed "a recent security breach" -- referring to the e-file PIN attack -- after committee investigators asked the IRS about a separate incident.

During that hearing, committee Chair Jason Chaffetz, R-Utah, said the e-file PIN attack "raises serious concerns about the security of the system overall as well as the potential for paying out fraudulent claims." Chaffetz also said that the attackers made at least 950,000 attempts to obtain an e-file PIN.


Simple Fix?

Johnson said he was unsure whether the e-file PIN authentication process played a role in the automated attack on the program, but he suggested that the IRS could and should take simple actions to make the system more secure without overburdening everyday taxpayers.

Johnson proposed that the IRS implement a simple CAPTCHA system on its e-file PIN application page, which would require users to demonstrate that they are human by reading and correctly inputting a written phrase displayed in a format difficult for a bot to decipher.

"There needs to be a balance between making the system user-friendly, but still secure," Johnson said. "It seems to me that this result could be achieved with some additional minor security measures."

Fred Stokeld contributed to this article.
