Tag Archive for: irs

IRS Will Soon Require Selfies for Online Access – Krebs on Security


If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re…

IRS warns of ongoing twists on phishing scams


The Internal Revenue Service and its partners in the Security Summit are warning tax professionals against a new variation on an old scam in which fraudsters use pandemic-related themes in their phishing attempts to steal client data.

The Security Summit noted that, with so many people working remotely, fraudsters will pose as clients or potential clients trying to get in touch with a tax pro digitally — whether through emails or text messages — and then try to trick them into clicking on links or opening attachments that infect their computer systems.

“Identity thieves have been relentless in exploiting the pandemic and the resulting economic pain to trick taxpayers and tax professionals to disclose sensitive information,” said IRS Commissioner Chuck Rettig in a statement. “Fighting back against phishing scams requires constant vigilance, and we urge tax pros to take some basic steps to help protect their clients and themselves.”

Whether they’re phishing emails or “smishing” texts or instant messages, the fraudulent messages will usually appear to come from a known and trusted sender — a client, a colleague, a bank or even sometimes the IRS itself — and aim to project a sense of urgency to encourage the tax pro to act quickly and without taking basic precautions.

That said, in a recent version of the scam that the IRS described as “reoccurring and very successful,” the fraudsters engaged with their targets over a period of time, exchanging a number of emails with the tax professionals before finally sending them an attachment that they claimed was their tax information, but which actually downloaded malware onto the tax pro’s computer when they opened it.

Since the large amounts of valuable client data that tax professionals handle make them a natural target for scammers, the IRS strongly recommends that practitioners at least take the following steps to start protecting themselves and their clients:

  • Using two- or multifactor authentication;
  • Keeping antivirus software updated;
  • Using drive encryption; and,
  • Regularly backing up files.

For more, see the IRS’s Publication 4557, “Safeguarding Taxpayer Data.”

IRS to Make ID Protection PIN Open to All — Krebs on Security


The U.S. Internal Revenue Service (IRS) said this week that beginning in 2021 it will allow all taxpayers to apply for an identity protection personal identification number (IP PIN), a single-use code designed to block identity thieves from falsely claiming a tax refund in your name. Currently, IP PINs are issued only to those who fill out an ID theft affidavit, or to taxpayers who’ve experienced tax refund fraud in previous years.

Tax refund fraud is a perennial problem involving the use of identity information and often stolen or misdirected W-2 forms to electronically file an unauthorized tax return for the purposes of claiming a refund in the name of a taxpayer.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.  

Many of the reasons why refund fraud remains a problem have to do with timing, and some of them are described in more detail here. But the short answer is the IRS is under tremendous pressure to issue refunds quickly and to minimize “false positives” (flagging legitimate claims as fraud) — even when it may not yet have all of the information needed to accurately distinguish phony filings from legitimate ones.

One way the IRS has sought to stem the flow of bogus tax refund applications is to issue the IP PIN, which is a six-digit number assigned to eligible taxpayers to help prevent the use of their Social Security number on a fraudulent income tax return. Each PIN is good only for the tax year for which it was issued.

But up until now, the IRS has restricted who can apply for an IP PIN, although it has over the past few years issued them proactively to some taxpayers as part of a multi-state experiment to determine if doing so more widely might reduce the overall incidence of refund fraud.

The IRS says it will make its Get IP PIN tool available to all taxpayers in mid-January. Until then, if you haven’t already done so you should plant your flag at the IRS by stepping through the agency’s “secure access authentication” process.

Creating…

ICE, IRS Explored Using Hacking Tools, New Documents Show


Federal agencies including Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) are at least exploring the use of, if not actively deploying, hacking tools in criminal investigations, according to a newly released cache of documents shared with Motherboard.

The documents, which stem from a Freedom of Information Act lawsuit between activist group Privacy International and various government agencies, are heavily redacted, but draw the contours of how other federal law enforcement agencies beyond the FBI and DEA are interested in hacking criminal suspects.

“The documents show a growing perception among agencies that government hacking is not just acceptable, but an efficient and desirable solution for law enforcement activities. The fact that we’ve seen interest in acquiring hacking capabilities by organisations such as the U.S. Secret Service, the Drug Enforcement Agency, and even the Internal Revenue Service, reveals that there is a broader range of circumstances for which hacking is likely to be used,” Laura Lazaro Cabrera, a legal officer from Privacy International, told Motherboard in an emailed statement.

Some parts of the Department of Justice, including the FBI, use the term network investigative techniques (NITs) to broadly refer to hacking tools that agencies may use in cases. The FBI has deployed NITs against child abusers, people making bomb threats, and cybercriminals. Often they consist of Word documents or other files that are designed to communicate to an FBI controlled server once opened by a target, revealing their real IP address, particularly if they are using the Tor anonymity network to hide their location. Motherboard previously reported how other NITs deployed by the FBI include exploits targeting the Tails operating system and Tor Browser.

As Motherboard recently revealed, the U.S….
