IRS and Identity Theft; Lifelock etc

marko

This is a bit of a twist on the thread concerning CC theft.

SIL sent in her taxes the other day via TT. She was notified yesterday that she had already filed and had been given a refund (or something along those lines).

Seems someone got hold of her SS and other info and filed a return.

Spooked, DW and I are now considering Lifelock et al but from what I read, those outfits can't monitor something like that and focus more on CC usage.

We do receive notifications whenever a charge to our cards is made over $50 and I tend to check our checking/CC accounts every day or so.

So...any insights on the likes of Lifelock before I drop $200 a year on this?
 
Lifelock no - only find out after the fact, and nothing about tax fraud ID theft.

Security Freeze - yes. Then someone can't get your tax credentials and pretend to be you to file their taxes.

http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
 
Tax return fraud seems to be a one-shot item. Check your credit reports, but unless you see something going on there you're probably safe. Either way, I'd avoid Lifelock...

You can be victimized again, until the IRS cleans up their act and quits using credit bureau questions to verify identity.
 
My tax software asked for my driver's license for e-filing, saying the IRS and the states were using it to reduce the incidence of fraud. Says it's not required so I wonder how much it could actually help.
 
Maybe the IRS will clean up their act next year by using more sensible identification verifiers.

But a DL number might be stolen along with a SS number - it depends on the breach that gave out the information in the first place.

One problem this year was that the IRS was using an already known to be insufficiently secure method for giving people the tax ID pins that were issued to victims of tax fraud, so some of those victims got hit again. "Thieves Nab IRS PINs to Hijack Tax Refunds"
 
You can be victimized again, until the IRS cleans up their act and quits using credit bureau questions to verify identity.

+1
I just paid some taxes today to the IRS.

I think anyone with Google and my SSN could have answered the questions easily.
Unfortunately for me, it turns out no scammer has been paying my tax bill :facepalm:
 
No to the Lifelock. Most of what they "guarantee" is already covered - ie FDIC Bank accounts etc.

If you are concerned about identity theft consider placing a "security freeze" at all 3 credit bureaus.

In my state it costs $10 each and then nobody can pull a credit report on you, thus nobody will be able to open a new account in your name while the freezes are in effect.

If you experienced Identity Theft wrt IRS, then you need to go through the process to request an IP Pin from them. You will then use the number sent to you in a letter each year to file.

This link from the IRS will help you get started in requesting an IP PIN. You basically need to fill out the Form 14039, Identity Theft Affidavit to get the ball rolling.

One thing that I don't lose sleep over is identity theft.

-gauss
 
Except that the IP PIN is not protecting you yet. The IRS hasn't been able to keep thieves from stealing the IP PINs!!!

But if you have credit freezes in place, it's unlikely that the thieves will be able to get enough info to fraudulently file using your credentials in the first place. And shouldn't be able to get at your IP PIN after the fact, if you are already a victim of tax fraud.
 
I am a believer in credit freezes and have had one for many years but that didn't keep IRS from accepting my e-file. They used my driver's license, last year's AGI, a question about where I met my wife, etc. If they need a response from the CC on the questions they either didn't get an answer or the CCs provide it despite the freeze.
 
audreyh1 wrote: But if you have credit freezes in place, it's unlikely that the thieves will be able to get enough info to fraudulently file using your credentials in the first place. And shouldn't be able to get at your IP PIN after the fact, if you are already a victim of tax fraud.
Accessing CC Credit Reports is not part of the IRS procedure to accept an e-file and issue a refund check. The information needed for this can typically be found in any medical office.

The IRS needs much less information to accept an efile return for a refund than a typical new financial account provider (ie bank, CC etc.) will need.

CC Credit Reports were part of the compromised system to re-access IP PINs via online means up until recently.

Within the past month or so, IRS has discontinued use of the online IP PIN tool. (https://www.irs.gov/uac/Newsroom/IRS-Statement-on-IP-PIN)

You can still apply with the form I mentioned above if you qualify to receive an IP PIN.

CC freezes are the best method to prevent a runaway identity theft situation where multiple accounts get created in your name (ie the typical nightmare scenario from 10 years ago before credit freezes were nationally available is still in our psyche.)

With IRS fraud, the taxpayers (collective) money is being stolen, not your individual money. You will be made whole, although delayed, if you follow the IRS procedure (ie submit form and documentation described above). It is purely a delayed cash-flow issue and a bit of hoops to jump through with the IRS. This should not be an issue for typical posters here who are intelligent, rational, and typically don't live paycheck to paycheck.

It is nothing to be afraid of, contrary to what Lifelock may be trying to get you to believe.

I would not freak out if I had an e-file reject in my name (well I like to think that I would not). I would conclude that someone sold my SSN and some related info. With CC freezes in place, I know that this will not go very far.

-gauss
 
I am a believer in credit freezes and have had one for many years but that didn't keep IRS from accepting my e-file. They used my driver's license, last year's AGI, a question about where I met my wife, etc. If they need a response from the CC on the questions they either didn't get an answer or the CCs provide it despite the freeze.
A credit freeze wouldn't normally keep you from efiling.

Last year's AGI and where you met your wife wouldn't be in your credit report.

Now if they do access your credit history to ask "identity verification" questions, a freeze will block that. But you can temporarily lift the freeze to get past that.
 
I never said a credit freeze had anything to do with a legit person efiling and getting a refund.

But it does have to do with someone fraudulently impersonating you so that they can get access to your personal information from the IRS.

The IRS does actually need more information to set up efiling than what can be stolen from a doctor's office - they need last year's AGI at least. That is not available from your credit history. So how did thieves get that information to fraudulently efile? Well, one way* is they broke into people's IRS information by using the get transcript capability at IRS online (which was finally shut down in May). They accessed like 770,000 accounts' tax history in 2015. For someone to get this info they answer questions for your credit history - and they are too easy to guess, especially with a little Googling.

And for people who "forgot" last year's AGI they do the same thing - identity verification through credit history questions - over the phone.

And they were still doing the same thing this year for people who "forgot" their new tax victim IP PIN - call in and answer credit history questions.

That's how a credit freeze can protect you from someone else accessing your IRS transcript which includes most of your filing information, and getting access to your efile or IP PIN credentials.

*other methods include phishing the victim, breaking into victim's online filing accounts like at Turbotax (usually from phishing), stolen W2s, stealing info from tax preparers, etc. The Krebs series on tax refund fraud is informing - http://krebsonsecurity.com/category/tax-refund-fraud/
 
I never said a credit freeze had anything to do with efiling and getting a refund.

But it does have to do with someone fraudulently impersonating you so that they can get access to your personal information from the IRS.

The IRS does actually need more information to set up efiling than what can be stolen from a doctor's office - they need last year's AGI at least.

True! It was donheff who mentioned CC bureaus and efiling. Sorry for the confusion.

Well I suppose it depends on what efile method/channel your ERO uses (Practitioner PIN, Self-Select PIN etc).

Most of the systems marketed at the retail taxpayer probably rely on prior year's AGI.

I, on the other hand, have legally/ethically efiled dozens of returns for taxpayers without providing prior year's AGI after they provided proper ID documentation to me that they were who they said they were.

"Criminals don't always come in through the front door."

-gauss
 

Yeah - sometimes they own the building.

This is another avenue being exploited at present:
TAX FRAUDSTERS GOING PRO?

Magee said Alabama and other states are dealing with a huge spike this year in fraudulent refund requests filed via criminals who use online software firms that specialize in selling e-filing services to tax professionals.

According to Magee, crooks first register with the IRS as “electronic return originators.” EROs are typically accountants or tax preparation firms authorized by the IRS to prepare and transmit tax returns for people and companies electronically. Magee said thieves have been registering as EROs and then buying tax preparation software and services from firms like PETZ Enterprises to push through large numbers of phony refund requests.

“The biggest move [in refund fraud] this year is in the so-called ‘professional services applications,’ which are being flagged in high rates this year for fraud,” Magee said. “And that’s not just Alabama. A great number of other states are seeing the same thing. We have always had fraud in that area, but we’re seeing significantly higher rates of fraud there now.”

Magee said tax software prep firms should be required to conduct more due diligence on their clients.

“In the state of Alabama, you need a license to cut someone’s hair, to be a barber or a cosmetologist, but anyone can become a tax preparation professional with no certification at all,” Magee said. “The software firms are where all the fraud is going now. The criminal becomes an ERO, and then he can just sit there all day and file an unlimited number of fraudulent returns.”
From http://krebsonsecurity.com/2016/03/phishing-victims-muddle-tax-fraud-fight/
 
Actually if you were willing to delay refunds till April, there would be a reasonable way to do it. By that time the IRS has W-2s and 1099s in hand. So the question would be: for your (W-2 or 1099) from xyz, what was the amount in box x? (W-2 might be, for example, amount withheld, etc.)
 
That's fine as long as someone didn't swipe a copy of your W2.

Phishing for W2s has been rampant this year. Several companies have sent copies of W2s out in response to a phishing email. Krebs has several stories.
 
Except that the IP PIN is not protecting you yet. The IRS hasn't been able to keep thieves from stealing the IP PINs!!!

But if you have credit freezes in place, it's unlikely that the thieves will be able to get enough info to fraudulently file using your credentials in the first place. And shouldn't be able to get at your IP PIN after the fact, if you are already a victim of tax fraud.

Can't comment on Lifelock as I haven't used that. But got notified my tax info got hacked last year, so as of Sept 2015 have one year free credit monitoring from Equifax. I'm sure when the year is almost up, I'll get a chance to continue the subscription but I plan on declining and just sticking with keeping my credit frozen and the free annual credit reports each year.
 
Krebs on Security announced that the IRS reenabled their online Get Transcript feature with some additional security measures that include having a credit card number (not Amex) and a mobile phone number in your name.
http://krebsonsecurity.com/2016/06/irs-re-enables-get-transcript-feature/?replytocom=407594#respond

We were able to update our accounts with the new security profile (after logging in with the old credentials). Every time you log in now, you have to use a code sent to your phone to access your tax return info.

The best way to prevent someone accessing your account through Get Transcript is to have a credit freeze with the credit bureaus. Equifax is being used in this case. If you create or update credentials on an account with the IRS, then temporarily unfreeze with Equifax. You can always get a transcript by mail without dealing with any credit unfreezing.

The transcript is basically a copy of your tax return for any of the last four years as well as estimated taxes paid and tax refunds and your account status. You can also see the login history of your account.
 
This is good to know - thanks for the update.
 
It appears that maintaining a contract cell phone in your name is no longer the only way to get access to IRS "Get Transcript" and related services protected by the fairly new IRS Secure Access Authentication platform.

This was personally causing me some trouble in that I only use pre-paid / pay-as-you-go types of cell phones. I would have been happy to visit an IRS office to authenticate myself but that has not been an option.

There now appears to be a US Mail based authentication method, in lieu of the contract cell phone, that is available to initially set up your account.

A cell phone is still required to receive the SMS two-factor authentication codes each time you access the system going forward.

From the IRS page:

Note: If you have a pay-as-you-go mobile phone or a business/family plan mobile phone not associated with your name, you may request that we mail an activation code to the address we have on file for you. You still must have a text-enabled, U.S.-based phone to receive a security code text that completes the validation process and allows returning users to access their accounts.
Additional details can be found at the IRS page for the Secure Access system.

-gauss
 