A few weeks back, I was helping my fiancee complete her taxes and we found ourselves short a couple of needed numbers from prior years.
We turned to the IRS website for her old returns expecting it to be difficult, but were surprised at how little information she needed to enter to access very sensitive tax data.
It turns out I wasn’t the only one who noticed.
In a recent article, computer security website Krebs on Security says criminals may be able to sign up as you on IRS.gov and access your personal and tax data, using nothing but freely available Internet search engines.
Sign up for an account at the IRS website
Before you read any further, head to the IRS website and sign up on their Get Transcript page here: http://www.irs.gov/Individuals/Get-Transcript
After years of bad experiences trying to pay traffic tickets online or access a Thrift Savings Plan account, I was expecting another struggle with a confusing government website. But this was definitely not the case; both my fiancee and I were able to create accounts within minutes.
It was, perhaps, too easy.
Sometimes, too easy is a bad thing
The potential security flaw lies in how the IRS verifies your identity. As laid out on this page, you’ll need to provide some personal information:
- Social Security Number or Individual Tax ID Number
- Date of birth
- Filing status
- Mailing address
And you’ll have to answer some:
- Third-party verification questions
If a criminal manages to find, steal, or buy your personal information, the last hurdle is these third-party verification questions — sometimes also called knowledge-based authentication (KBA) — which take the form of questions about your current and previous addresses, the size of loans you’ve taken, and the dates you opened those loans.
Krebs’ issue with the IRS’s reliance on KBA is that it can be defeated with information that crooks can easily purchase wholesale in the seedy cyber-crime underbelly, search for with publicly accessible websites (similar to Bing), or — if they’re patient — just guess at random.
To find out just how easy it could be, Krebs put it to the test with the help of Nicholas Weaver, of the International Computer Science Institute at the University of California, Berkeley (Go Bears!), who found that just by searching on Spokeo and Zillow, he was able to accurately answer three out of four questions. And, like he said in the article, for the last question “you don’t need to guess blind either with a bit more Google searching.”
And once a criminal creates an account in your name, they can see your prior W-2s and prior returns — in other words, everything they would need to wreak havoc on your personal finances, including the ability to fraudulently file your taxes next year with a big refund sent straight into their criminal hands.
So what can you do?
You can sign up at the IRS website here: http://www.irs.gov/Individuals/Get-Transcript.
Sure, no method will ever make your personal information impenetrable, but at least now you’ll have your password standing between a criminal and the tax records already available on IRS.gov. Moreover, if a criminal tries to sign up as you after you’ve already done so, they’ll get this error message:
And if they click “retrieve your User ID” on this screen, it will only give them the option to send your ID to the email address that you registered with previously.
More generally, you should take steps to safeguard your personal information and use the free sites I’ve mentioned in a previous post to monitor your credit.