The U.S. Internal Revenue Service (IRS) announced last week that it has decided to shut down the electronic filing PIN tool on its website after detecting more automated attacks.
The e-File PIN tool on IRS.gov allowed taxpayers to generate PINs that they could use to file tax returns online. The agency reported in February that identity thieves had obtained more than 100,000 PINs by launching an automated bot attack against the tool.
Fraudsters had used names, addresses, dates of birth, filing statuses and social security numbers obtained from other sources to abuse the e-File PIN tool. The IRS kept the application online – at the time it had been used by most commercial tax software products – but implemented additional security features.
The agency recently detected another round of automated attacks at an increasing frequency and despite only a small number of PINs being affected, it has decided to shut down the program as a safety measure. The IRS believes only a small segment of taxpayers are affected because most users don’t actually need the PIN to electronically file tax returns.
The IRS said taxpayers can use the adjusted gross income that can be found in the tax returns from the prior year. For those who don’t have copies of tax returns, they can be obtained via the Get Transcript service.
“Prior to this, the IRS had been working with industry to assess elimination of the e-File PIN later this year,” the agency said.
Earlier this year, the organization also suspended its Identity Protection PIN tool due to security concerns. The tool allows taxpayers to generate or recover a PIN that provides an extra layer of protection against fraudulent tax returns.
The IRS recently relaunched its Get Transcript service after it had been shut down for more than a year. The service was launched in January 2014 and suspended in May 2015 due to abuse. Several people have been prosecuted for running fraud schemes involving Get Transcript.
The agency says it has made some significant improvements to the Get Transcript authentication process in an effort to prevent fraudsters from abusing the system.