Your IRS IP PIN Might Actually Hand Your Refund to Criminals, Unless...
Freezing Your Credit - The Gift That Keeps on Giving
You thought the worst had already passed. After you got a notification in the mail that your SSN and other personal information had been leaked in a data breach, you enrolled in that feel-good free credit-monitoring service offered to you. You even opted in to the IRS Identity Protection PIN program to protect your tax refund from fraud, since your SSN is now effectively public. You submit your tax return with your IP PIN ... and then you are told it has been rejected as a duplicate submission? Apparently your tax refund was sent to someone else months ago.
How did the IRS system designed to prevent this exact type of crime let it happen again after 724,000 previous cases? The blame lies with those archaic, easy-to-guess (or easy-to-google) knowledge-based questions about your past residences, loans, and credit.
A closer look at the IRS IP PIN retrieval tool clearly shows that it accesses your credit file to generate these questions.
The good news is that you already froze your credit. (You did, right?) That little blurb at the bottom of the webpage explains exactly why freezing your credit should help you avoid this IRS IP PIN attack: criminals will not be able to guess these easy credit-file-based questions because the IRS shouldn't be able to execute a soft credit pull to obtain them in the first place. Freezing your credit at the main credit bureaus is not a panacea for this type of weak question, but the freeze seems to work at the IRS site because they apparently use one of the main credit bureaus. If the IRS chooses to source information from a different firm like LexisNexis in the future, you could still be vulnerable.
To go beyond the basic protections of a credit freeze, go ahead and create an account with the IRS that uses a strong password and custom challenge questions with fake answers that only you know. I tried to attack my own account at the IRS PIN retrieval tool online, but since I already had an online IRS account, I was only able to get to the custom challenge questions and answers I provided, not the generic credit-based questions. While you are at it, do the same at the Social Security Administration website, which also supports two-factor authentication with your phone.
Update 03/07/2016: The IRS disabled the online tool due to the fraudulent activity described above.
Update 03/15/2016: I called the IRS PIN hotline and the representative confirmed that the online PIN retrieval tool would not have been able to generate challenge questions if you froze your credit at the appropriate credit bureau. Of course, one representative's answer isn't a guarantee, so if you found you were able to successfully replay the attack on your own account even though you froze your credit, please leave a comment below.
Hopefully, the IRS will have a better system in place for the 2016 tax year.