It has taken more than two months for the IRS to finally acknowledge, on May 26, that hackers had taken advantage of an app to steal the data of more than 100,000 taxpayers this year between February and May. IRS Commissioner John Koskinen announced Tuesday that the thieves engaged in filing fraudulent tax refund requests were using the IRS’s own Web site to obtain the taxpayer data needed to complete the phony requests. However, KrebsOnSecurity broke the news about the problem on March 15, 2015, after hearing from a victim of the crime, Michael Kasper, a 35-year-old reader of the well-respected blog.
In March KrebsOnSecurity wrote about the nightmarish story of Kasper, one of millions of Americans victimized by tax refund fraud each year. “When Kasper tried to get a transcript of the fraudulent return using the ‘Get Transcript’ function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.”
“Get Transcript” is an IRS program through which taxpayers can retrieve tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required prior knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address. The tool has now been turned off, but prior to that shutdown the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.
Kasper called the IRS Hotline and asked for help. He was told that a direct deposit was being made that very same day for his tax refund. That was only the beginning of his months of frustration and long hours of work trying to clear the record.
“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper told Krebs. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”
Kasper continued to call the IRS trying to get new information on his case, sometimes sitting on hold for more than an hour. At one point he was told all the IRS would do is ban access to eServices for his account. In order to get a copy of the fraudulent return, the IRS required him to pay a $50 processing fee. The IRS finally mailed Kasper a photocopy of the fraudulent return filed in his name — “complete with the bank routing and account number that received the $8,936 phony refund filed in his name.”
Kasper then contacted First National Bank of Pennsylvania, whose routing number was listed in the phony tax refund request. The bank confirmed the deposit but needed a legal request (as in a police subpoena) to release additional information. Kasper tried to get help from his local police department, which would not get involved, so he called the police agency in the city where the person who received the money lived.
Jay Foley of ID Theft Info Source told us that Kasper’s story isn’t unusual. “Unfortunately local police have so many cases that they typically only get involved when the victim and suspect are in the same area. I have had to make in excess of 10 calls to different agencies to help a victim get resolution. Sometimes it took weeks before the process of resolution even began. The IRS has a fraud resolution department. It is disappointing that in 2015 victims are still given the run-around.”
Kasper finally got help from a detective in the area where the suspect lived. He told Krebs that his case suddenly started to progress. It turned out that the person who owned the bank account was a student at a local Pennsylvania university who had simply answered a Craigslist ad for a moneymaking opportunity. She didn’t realize that she was being used as a “money mule” and that the directions to send the money to Nigeria via Western Union were a scam, and illegal.
IRS Commissioner John Koskinen played down the data leak. “Our basic information is secure,” he said at a May 26 press conference. “This is just the latest manifestation of people getting enough data to masquerade as a taxpayer.”
Jay Foley isn’t buying that answer. “The IRS has been put on notice after numerous investigations in the past 10 years by governmental oversight agencies and Congressional committees. The criteria (information) needed to unlock the online ‘Get Transcript’ tool needs to ask more difficult ‘knowledge-based questions.’ The questions can no longer be mother’s maiden name, high school you attended, date of birth and other information found on many social media sites.
“The average consumer doesn’t understand the danger in posting this type of information but the IRS should understand this information is no longer secret. The IRS needs to take the necessary steps to protect citizens. They also need to pay attention to claims of fraud. If they had followed up on calls starting in February and detailed in KrebsOnSecurity’s story of Michael Kasper, maybe less than 100,000 people would now be struggling to clean up the mess left by the hackers.”