Tax Foundation exec, citing security concerns, asks IRS to remove E-Pin page
In a letter to IRS Commissioner John Koskinen, a Tax Foundation executive said the agency's "Get My Electronic Filing PIN" page has security holes.
The Internal Revenue Service's (IRS) “Get My Electronic Filing PIN” webpage should be removed “quickly” because it continues to offer the potential for identity theft, an executive at the Tax Foundation wrote in a letter to IRS Commissioner John Koskinen.
“The IRS is using identifiers to verify identity that are not secret, and it represents a massive vulnerability waiting to happen,” Joseph D. Henchman, vice president of legal and state projects at the organization, wrote to Koskinen and other officials, including Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on Oversight and Government Reform, and Sen. Mike Crapo (R-Idaho), chairman of the Senate Finance Committee Subcommittee on Taxation and IRS Oversight.
Henchman pointed to a report by Tax Analysts that said the page, designed for taxpayers who can't self-select a PIN or don't have access to previous AGI [adjusted gross income] data, “lacks the security features that would be necessary to prevent its usage as an instrument of defrauding taxpayers.” Missing from the site's security scheme is a CAPTCHA or the requirement that “information beyond that which any hacker or data thief would have access to” must be used to verify identity.
And, Henchman noted, “My web browser (Chrome) produces an error message on the page warning that it ‘uses a weak security configuration’ including that ‘the server did not supply any Certificate Transparency information’ and that the ‘connection is encrypted using an obsolete cypher suite.’”
Calling the IRS's statements playing down the webpage's “identity theft potential” simply “not good enough,” Henchman requested the swift removal of the site and improved security “before taxpayers are hurt.”
In early February, the IRS pinned a recent attempt to infiltrate its systems on attackers using a bot and Social Security numbers stolen from other sources, but said the attackers “didn't compromise or expose personal information of taxpayers.”
The agency said in a statement that “identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers.” The agency's investigators found that attackers made “unauthorized attempts involving approximately 464,000 unique SSNs” but that only 101,000 of those were successfully used to access an E-file PIN. The IRS said it was working with other agencies as well as the Treasury Inspector General for Tax Administration to further assess the hack and is sharing results with state and private sector partners in its Security Summit.
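The attack the IRS describes, a bot submitting hundreds of thousands of stolen numbers to a PIN-retrieval page that relies on non-secret identifiers and has no CAPTCHA, leaves a recognisable trace in the web server's access logs: one client touching many different identifiers in a short window, most lookups failing. The following is an added detection example, not IRS code; the log format, the pseudonymous `tok=` field (standing in for a hashed identifier, never a raw SSN), the `/get-efile-pin` path and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real IRS data). Fields: timestamp, client IP,
# path, a pseudonymous identifier token (never the raw SSN) and HTTP status,
# where 200 means a PIN was returned and 404 means no match for the identifier.
SAMPLE_LOG = """\
2016-02-01T10:00:01Z 198.51.100.7 /get-efile-pin tok=a1 status=200
2016-02-01T10:00:02Z 198.51.100.7 /get-efile-pin tok=a2 status=404
2016-02-01T10:00:02Z 198.51.100.7 /get-efile-pin tok=a3 status=404
2016-02-01T10:00:03Z 198.51.100.7 /get-efile-pin tok=a4 status=404
2016-02-01T10:00:03Z 198.51.100.7 /get-efile-pin tok=a5 status=200
2016-02-01T10:00:04Z 198.51.100.7 /get-efile-pin tok=a6 status=404
2016-02-01T10:05:00Z 203.0.113.9 /get-efile-pin tok=b1 status=404
2016-02-01T10:05:30Z 203.0.113.9 /get-efile-pin tok=b1 status=200
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) tok=(?P<tok>\S+) status=(?P<status>\d+)$"
)

def parse(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def find_enumerators(text, window_s=60, min_distinct=5, max_success=0.5):
    """Return {ip: (distinct_ids, success_ratio)} for clients that, inside any
    window_s-second window, queried at least min_distinct different identifiers
    with a success ratio at or below max_success. A taxpayer fetching their own
    PIN touches one identifier; a bot running stolen numbers touches many."""
    by_ip = defaultdict(list)
    for rec in parse(text):
        if rec["path"] == "/get-efile-pin":
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            ids = {r["tok"] for r in window}
            if len(ids) >= min_distinct:
                ratio = sum(r["status"] == "200" for r in window) / len(window)
                if ratio <= max_success:
                    flagged[ip] = (len(ids), round(ratio, 2))
    return flagged
```

In production the same logic belongs in a rate limiter or WAF rule keyed on more than the source IP (the IRS attack used a bot, which can rotate addresses), with the hit-rate threshold tuned from baseline traffic rather than the assumed values here.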