Tuesday, April 18, 2017

A letter from the IRS

Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits.


This weekend I had the dubious pleasure of reading a letter that begins with these two paragraphs.

In March, the Internal Revenue Service removed a Data Retrieval Tool from its website, a tool used by many families to retrieve income and tax information necessary to fill out the Free Application for Financial Student Aid, but also a tool that had been compromised by criminals to obtain personal information on some 100,000 taxpayers.

According to a story by Brian Krebs, the Data Retrieval Tool was intended as a way for students who may not have ready access to their parents' tax returns, to look up the parents' Adjusted Gross Income - a key figure used by colleges and universities to determine how much and what forms of aid to award enrollees.

The letter from the IRS though suggests far more information could be accessed through the Data Retrieval Tool though.
"Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits."
The IRS has arranged for credit monitoring, identity theft insurance, and "other services that will allow you to monitor your personal accounts." A possible interpretation of this letter is, the attackers could see complete federal tax returns rather than just the income information intended to be accessed through this tool. I have no inside knowledge of what was truly exposed. I am only reading between the lines based on what the IRS stated in their letter.

Depending on exactly what was exposed, "IRA distributions" could include not only the dollar amount but also the financial institution and account numbers. IRS form 5498 ("IRA Contribution Information," which your financial institution provided to the IRS) includes a field for your account number. In other words, a tax return has more than enough information for a scammer to convincingly impersonate you to your bank, to social engineer bank personnel into granting them access to bank accounts.



What can you do?


If you are affected by this data breach (or any breach of personally identifying information for that matter), here are a few things you can do:

  1. Take advantage of the credit monitoring offered by the IRS. Stolen identity information can be used to open new credit accounts in your name, and as far as the lender is concerned, you are on the hook. Credit monitoring alerts you to such new accounts quickly, giving you a chance to do something about it before the crook runs up debt.
     
  2. Place a Fraud Alert or Security Freeze on your credit report. In truth, every US consumer should do this, whether or not you are the victim of identity theft. A Fraud Alert tells potential creditors to take extra care in verifying your identity before issuing credit. Generally that means the creditor will call you at the phone number you provide in the fraud alert. While it is not mandatory, it is in the creditor's best interest since by US law they are on the hook for fraudulent credit.

    A Security Freeze, on the other hand, denies would-be creditors access to your credit report. They cannot view your credit history, and they cannot place new accounts on your credit report.
     
  3. Establish an IRS Identity Protection PIN (IP PIN). An IP PIN is essentially a password for your tax return. Crooks use taxpayer information to file fraudulent tax returns, claiming significant refunds. While the tax filing deadline for the 2016 calendar year just ended, tax fraud will undoubtedly spike again next February and March. With an IP PIN, a fraudster cannot file a return using your identity without also having that PIN.
     
  4. File early next year (and every year following). A criminal cannot file "your" tax return if you get there first.
     
  5. Call your bank: alert them to the possibility someone may try to impersonate you. Ask what options they have for extra protection. USAA just sent the below memo to all of its customers, extending multifactor authentication to telephone customer service. This is a fantastic idea: customers calling in for service (or scammers calling in to steal your money) will need an extra password sent by email or SMS. To my knowledge USAA is the only bank that offers this added layer of security, but I will be very happy to be proven wrong -- please comment below if you are aware of other banks that do this.

USAA is extending multifactor authentication to customer service calls.


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen