Last year the US Internal Revenue System revealed that they had been hacked. At first they said that up to 100,000 people were affected by the hack, only to then bump that up to 334,000 in August. The latest figures put that closer to 724,000, and it is set to only get worse, as it seems they have been hacked yet again.
When filing a tax return you are now required to provide the “Identity protection PIN” that you are given by the IRS. These are specific codes given to people to place on tax returns; failure to do so invalidates the tax return and the IRS will reject it. Sounds like a good idea, doesn’t it? So what happens when the IRS’s record of these secret PINs is hacked?
Becky Wittrock, an accountant in South Dakota, went to file her tax return this year only to find that the PIN had already been used to file a “large refund request” more than three weeks prior. How did the hackers get access to the PIN? It seems that if you lose your PIN you can retrieve it by logging in to the IRS website. This seems to be where the problem lies, as the technology used to secure this login process is the same technology that was breached last year.
That’s right: in order to protect people from a hack, the IRS used the same technology that was breached by that hack. In order to retrieve your PIN you were asked questions (known as KBA, or knowledge-based authentication) such as “on which of the following streets have you lived?” and other multiple-choice questions, a system that allowed a hacker to answer the questions correctly.
It seems like a big mistake for the IRS to make, costing both the government and hard-working people time, money and stress because they didn’t check that their fix didn’t use the very thing that got them into trouble in the first place.