The short answer to the above question is that in a perfect world, yes, you should not just have a PIN code (most tax returns require one)—you should be issued a new one every year.
The IRS estimated that it paid $239 million in “suspect” tax refunds in 2016. The good news: During the first nine months of 2016, the agency was able to stop 787,000 fraudulent returns totaling more than $4 billion. The bad news: the IRS has to implement a new tax law with a slashed budget, and more people than ever are exposed to the threat of tax fraud.
The reason for this increased threat is the Equifax data breach, which compromised the most sensitive information of more than 145.5 million people—a data security fail of epic proportions. The Social Security numbers of at least 143 million taxpayers were leaked along with everything else a criminal would need to file a fraudulent tax return.
In case you’re not crystal clear on this: that’s a problem, especially if you work at the budget-challenged Internal Revenue Service. That said, IRS officials have been downplaying the situation.
“We actually think that it won’t make any significantly or noticeable difference,” IRS Commissioner John Koskinen said after the Equifax breach. “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals.”
The official IRS estimate of the number of Americans whose personally identifiable information has been stolen is 100 million. That means, according to the agency’s own logic the Equifax breach only really exposed 40 million or so taxpayers. The rest were already compromised.
Let’s say for the time being that as screwy as those estimates seem, they are more or less correct. 152,235,000 tax returns were filed in 2017. So, if you’re an exceedingly lucky person, you can relax. Because about 10 million taxpayers are perfectly safe.
While it may seem like common sense given the pandemic state of information insecurity that every taxpayer would be issued an annual (i.e., one-use) PIN code to protect against the pilfering of their tax refund, that’s not presently an option for most taxpayers.
If you’re wondering why that’s the case, remember that we’re dealing with Washington, where, on a good day, government agencies are about as fleet of foot as a three-legged turtle.
There is a PIN option available to nearly all taxpayers. It is called the self-select PIN, which is designed to be used when signing an electronic Form 1040 and Form 4868. This PIN can be any five numbers (except all zeros) that the taxpayer chooses, and it serves as an electronic signature. Unless you’re a minor with income, you’re eligible to use the self-select PIN, and to get one you only need to provide your date of birth and your adjusted gross income from the prior year.
One of the main issues I have with the self-select PIN is that it stays with the taxpayer—it’s re-used. Re-use creates the potential for tax fraud, because if your self-select PIN is stolen or compromised, a criminal can use it to file a return and steal your refund. Wondering what the chances are of something like that happening? Think back to 2016 when news broke about thieves successfully accessing more than 600,000 taxpayer records (including PINs) from January 2015 through May 2016 by gaming the IRS’s Get Transcript service.
There Is a Solution
The Identity Protection PIN, or IP PIN (as distinguished from the self-select PIN), is a 6-digit, anti-fraud identifier that the IRS creates for victims of identity-related fraud. It is a one-time PIN, with a new number being issued every December.
If you have been a victim of identity theft, you can file an identity theft affidavit with the IRS (using Form 14039), and the IRS will let you know if you qualify. They do this by sending a CP01A notice, which includes the IP PIN. Residents of Florida, Georgia and the District of Columbia are able to get an IP PIN, whether or not they are a victim of ID theft, as part of an IRS pilot program to determine demand among taxpayers.
Given the fact that a majority of taxpayers are in a position to be robbed of their tax refunds, it makes sense that the more secure PIN method should be opt-in like the self-select PIN, and not issued at agency discretion.
Many companies, both in the tax preparation and tax fraud prevention business, will tell you that you don’t need the IP PIN. This is not the same thing as saying you don’t need a parachute while travelling on a commercial airline, but it’s a lot like saying you don’t need a seatbelt in moving vehicle.
While the IRS figures out how to keep all taxpayers safe (hint: universally available IP PINs), there are things you can do. (The IRS has a “Dirty Dozen” list of crimes to avoid.) The three most important action items: Protect your personally identifiable information, always do a background check on your tax preparer, and file as early as possible.