TurboTax halts all state e-filing amid data breach probe (wsj.com)
248 points by anigbrowl on Feb 6, 2015 | 108 comments



Lots of speculation in this thread. Here's my hypothesis.

Federal tax return fraud is huge. It's a growing problem that the IRS is struggling to cope with and it's been going on for years. State tax return fraud has been largely non-existent... so non-existent in fact that USA Today reported the state of Minnesota got suspicious when there were 2 reported cases of fraud[0].

So what's going on and why is TurboTax being called out by these states? First off, know that when a tax return is e-filed either to the fed (who also handles most state e-filing) or directly to the state, every software provider transmits an identifier along with it. So if you get a bunch of bogus tax returns submitted it's trivial to see where they're all originating from. Second, the rise in federal tax return fraud has grown steadily in relation to the number of software providers offering a free option... the reason we haven't seen state fraud as rampant is because it has always cost money to prepare your state return with software. But what's new this year besides a dramatic increase in state tax return fraud? TurboTax's Absolute Zero campaign. That's right, a whole lot more people can file their state taxes for free using TurboTax's software. That may seem great at first blush if you qualify, but an unintended consequence of that is it's now a completely free roll for a fraudster to file a state tax return IN ADDITION to a federal one.

[0] http://www.usatoday.com/story/money/personalfinance/2015/02/...


Why would free filing increase fraud? It's always been free to file if you do it yourself.

Can't it be that there's just more at stake with the Federal return in terms of total dollars, and far more tax deductions available?


If it cost $10 per filing that would be a huge up front cost for someone, especially if it turns out many of their fake returns are invalidated en masse. It's pretty hard to file several thousand fake returns with plausible data (esp. if you have last year's or several years ago data) by hand; if you are putting up that much work you might as well just prepare people's taxes in a legitimate way.


Free filing is going to increase fraud since $10 means the attackers need enough credit card numbers to not set off Intuit's or the payment networks' fraud systems. That probably means almost a 1:1 ratio between returns and working CCs, with Intuit having the obvious option of checking zip codes against the returns.


e-fraud is about minimal investment and casting a wide net. Even a few dollars of cost to file means there is lower hanging fruit out there.


> State tax return fraud has been largely non-existent... so non-existent in fact that USA Today reported the state of Minnesota got suspicious when there were 2 reported cases of fraud

I doubt it. Most states are poor at fraud detection, they are likely losing a lot but just don't know it.


I actually don't doubt that State tax return fraud is much less prominent than Federal tax return fraud, for one key reason: there's less money at stake, because of lower state income tax rates (more importantly, lower per-taxpayer state withholdings -- which are in part due to lower rates, but I also get the impression that at least some states use withholding formulas that are more likely to underwithhold than the federal withholding formula, resulting in both lower refunds and less money that can be stolen by tax return fraud, even compared to the nominal tax rate.)

It's more profitable to do fraud where the money is.


The title of the article is misleading. "Data breach" implies a release of sensitive data, which is not what appears to have happened.

Intuit said its TurboTax unit took action Thursday after seeing attempts to use stolen personal information to file fraudulent returns for tax refunds.

The tax-software company said that after a preliminary examination with Palantir Technologies, which provides security and antifraud services, it believes there wasn’t a breach of Intuit systems and that “the information used to file fraudulent returns was obtained from other sources outside the tax preparation process.”


Someone's security seems to have been compromised on a large scale, just not necessarily Intuit's. It might be the IRS, it might be malware on customer computers that is set up to look for prior years' tax data, or something else. It is a bit ambiguous but that's a general problem with headlines.


This is the key point. Internet-connected systems have proven to be fundamentally insecure. Sorry to say it but the biggest organizations with the most to lose and the most resources to devote to security still fail. Smaller organizations and individuals probably leak like sieves.

We just have to assume that anything anyone knows about you that is stored in a computer somewhere will at some point become public. Possession of any amount of personal information should no longer be adequate to prove identity. We need something else. I don't know what that is, but it has to be something that is already public or doesn't rely on secure computer systems.


Services like SSNDOB have been around for years now. We're talking 10-year-old breaches here.


Well, there was a breach -- just not at TurboTax. If I were Intuit I'd be pissed about that headline, but it's not technically wrong.


It's not just the headline. "A TaxAct spokeswoman said that company is not seeing similar fraud issues and that customers can file state and federal returns as usual." "Minnesota announced it has stopped accepting tax returns submitted by individuals using TurboTax, although it is still accepting returns filed using Intuit professional-preparer products."


Its use of the singular is technically wrong. This is a downstream effect of the thousands of data breaches that have occurred in the past few years. Anything that provides a name and social security number could do it.


Actually I'm pretty sure it's referring correctly to a singular probe. And unless you know something I don't, it's entirely plausible it's the result of a single data breach (e.g. the recent one at Anthem).


The article indicated that the fraudulent returns seemed to be based on last year's returns for the individuals in question, so it sounds like a lot more than name and SSN were involved here.


“Fraudsters obtained information that’s generally only found on income-tax returns.” In some cases, the fraudulent 2014 returns closely resemble 2013 returns, with only minor alterations—implying that the scammer had access to the taxpayers’ 2013 returns.

There was a data breach.


The tax-software company said that after a preliminary examination with Palantir Technologies, which provides security and antifraud services, it believes there wasn’t a breach of Intuit systems and that "the information used to file fraudulent returns was obtained from other sources outside the tax preparation process."

Did you read the article?


There is a single, solitary sentence in this article that implies there might not be a data breach: “Perhaps someone got a name and guessed a password,” she said. The rest of the article is full of evidence that there was a data breach.

Edit: including the part you quoted, information used to file fraudulent returns was obtained from other sources outside the tax preparation process.


Someone getting a name and guessing a password would be a data breach. What else can you call it?


The question is where, though. Intercepted mail? IRS systems? State systems? TurboTax? Weak passwords and brute forcing?


Where?


As far as I know, TaxACT[0] is the only tax software whose parent company doesn't actively lobby against tax filing simplification. I haven't used them nor do I have any stake in them, but I figure it is good for people to know of this TurboTax alternative.

[0] http://www.taxact.com/


Has anyone actually used TaxACT recently and can compare the experience with TurboTax?

I've used TurboTax almost every year for the last decade, except one in which I used TaxACT because it was a lot cheaper (my taxes are moderately complex enough to send me into the more expensive TurboTax price brackets).

At the time the software felt shoddy compared to TurboTax in almost every way; it was certainly better than form-filling myself but it didn't inspire confidence.


If your taxes are complicated enough to pay for a high tier of TurboTax, you may be better off finding a good CPA.

I'm an independent consultant, use QuickBooks throughout each year, and have used TurboTax for quite a while out of inertia from having my data already in a friendly format in QB. I finally decided to give an actual CPA a try last year. Among other things, she has already saved me an order of magnitude more than her fee just by amending my old TurboTax returns. Not to mention the value of the time that she has saved me.

I would never go back to TurboTax (or TaxACT or similar) unless I was a straight W-2 salaried employee (and only maybe then).


I have used TaxACT for several years now. I haven't used turbo tax so I can't compare. But I have been very happy with TaxACT.


I also have been using TaxACT for a couple years. I used a few other only ones in the past and honestly can't really tell much difference. They've all seemed fine to me. That said, my taxes are your standard pile of 1099s type deal. Nothing too fancy.


I've used TaxACT since I was 18. It doesn't charge extra for Schedule K's for all of those LLCs we entrepreneurs have. Also, their capital gains and business expenses have seemed easier.


There are many tax software companies. The vast majority of them do not actively lobby against tax filing simplification.


Other than Intuit (TurboTax), H&R Block, and Jackson Hewitt, of course:

http://sunlightfoundation.com/blog/2013/04/15/tax-preparers-...

Unfortunately, even TaxACT is a member of a lobbying group which fights against making filing taxes easier (ACTR).


Many? I was able to find 5 consumer tax software companies (including H&R Block). Any chance you could list a few others?

I find it hard to believe there are tons of them out there unless perhaps tax software is regional software and there's companies in some states that don't move beyond the state?


There are many. The top 14 are members of the Free File Alliance[0]. There are tens, if not hundreds more that do federal filing. Unfortunately many are cheap clones of TurboTax or re-skinned versions of Drake[1].

Disclosure - I'm the CEO of Common Form[2]. My co-founders and I are all ex-Intuit employees. We currently only cover the 1040EZ, but we're expanding as fast as we can.

[0] http://apps.irs.gov/app/freeFile/jsp/index.jsp?ck

[1] https://www.1040.com/

[2] https://common-form.com

edit: formatting.


I'm surprised there are so many, I would have expected that keeping up with the changes in the tax law would be a pretty expensive barrier to entry, especially given the IRS sometimes isn't totally sure themselves. Although it seems like the vast majority focus only on the 1040EZ which I guess radically simplifies things.


Thanks for sharing, I will give them a try next year. For some stupid reason it would never cross my mind to do my own research - I always thought it is doing it yourself, HR Block or Turbo Tax.

I just did TT and it cost me $37 for what TaxACT wants $12. Further, if you want to pay from your refund, there is a hefty $37 extra with TT. It looks like TaxACT doesn't have this fee...

Most likely the result of your return should be the same from both companies, as long as they understand tax law, and I would assume they do, otherwise they would be gone a long time ago.


There was some discussion relating to this on /r/personalfinance earlier today: http://www.reddit.com/r/personalfinance/comments/2uzfel/minn...


Wow. According to several posters in that thread, Intuit was allowing guest users to pull up data from prior years' tax returns (and subsequently file this year with correct data) by providing only an SSN and not any other form of authentication. If true, that's basically a criminal level of negligence.


That means you could brute force your way into getting someone else's tax return... scary


This has always been possible. I knew a guy who bulk downloaded returns from hr block because they required only last name, zip, and partial ssn. He picked a zip where everyone is named Stein and was born at the same hospital (which gets its own ssn shard) and went to town. Naturally they had no rate limiting.
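Added example, not part of the thread: the control the comment above says was missing, sketched as a failure limiter for a lookup keyed on last name, ZIP and partial SSN. The class names, thresholds and the sample record are assumptions; failures are counted both per client and per guessed (name, ZIP) pair, so spreading guesses over many clients does not help.

```python
from collections import Counter, defaultdict, deque


class FailureWindow:
    """Sliding-window count of failed attempts per key."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)

    def _live(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop failures that fell out of the window
        return q

    def blocked(self, key, now):
        return len(self._live(key, now)) >= self.limit

    def record(self, key, now):
        self._live(key, now).append(now)


class PriorYearLookup:
    """Hypothetical lookup keyed on (last name, ZIP, last 4 of SSN)."""

    def __init__(self, records, per_client=5, per_target=10, window_s=3600):
        self._records = records
        self._by_client = FailureWindow(per_client, window_s)
        self._by_target = FailureWindow(per_target, window_s)

    def lookup(self, client, last_name, zip_code, ssn_last4, now):
        target = (last_name.lower(), zip_code)
        # Check the limits BEFORE matching, so a correct guess made while
        # throttled reveals nothing.
        if self._by_client.blocked(client, now) or self._by_target.blocked(target, now):
            return "throttled", None
        record = self._records.get(target + (ssn_last4,))
        if record is None:
            self._by_client.record(client, now)
            self._by_target.record(target, now)
            return "not_found", None
        return "ok", record


# Constructed record: placeholder ZIP and made-up last-4 value.
SAMPLE_RECORDS = {("stein", "00000", "0042"): {"tax_year": 2013, "name": "Constructed Taxpayer"}}


def replay_guesses(service, clients, start=0, guesses=100):
    """Limiter check: replay sequential last-4 guesses against the in-memory
    service, rotating over the given client ids, and tally the outcomes."""
    outcomes = Counter()
    for i in range(guesses):
        client = clients[i % len(clients)]
        status, _ = service.lookup(client, "Stein", "00000", f"{i:04d}", start + i)
        outcomes[status] += 1
    return outcomes


if __name__ == "__main__":
    print("one client: ", dict(replay_guesses(PriorYearLookup(SAMPLE_RECORDS), ["198.51.100.1"])))
    many = [f"client-{n}" for n in range(50)]
    print("50 clients: ", dict(replay_guesses(PriorYearLookup(SAMPLE_RECORDS), many)))
```

The per-target counter has a cost: while it is tripped, the real taxpayer is throttled too, so a production design would pair it with an out-of-band recovery path.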


How do you find a zipcode where everyone has the same last name? I'm guessing a very small town several hours from a single hospital?


Wrong, it's one of the most populous zips in the nation, and I'm being flippant about the name, but when you are brute forcing things an unusual probability is all you need.


Oh seems like it would have been just as easy to grab census data for the past 50 years and run through last names by decreasing frequency.

Here I thought you had found a unique zipcode.


Can anyone on HN with a TurboTax account confirm this is true?


Criminal! If only.


If you're wondering what folks are going to do with that treasure trove of Anthem data, I've got two ideas:

1) File fraudulent tax returns

2) Fill bogus prescriptions


So who's ultimately going to pay for fighting this fraud? Lemme guess: probably not Anthem.


Well the US revenue service is already in a world of hurt, it takes them 18 months to change their systems even slightly and the crooks can change theirs in a few hours. I will not be surprised if we see a temporary disablement of 'e-filing' before this gets fixed.

Prescription fraud is generally laid on the insurers who will pass it on as premium increases. In California it might be tough to do that as the Insurance Commissioner might be smart enough to realize they got into this mess themselves, but at the end of the day you can't really have the crooks putting the insurance companies out of business as that just devolves into anarchy. So look for some more rules like no filling prescriptions out of state, or more than 10 miles from your home address without calling in from your registered cell phone and requesting a code and then texting back the code you get. Or some other TFA that makes the lives of honest folks more difficult, and the opportunities for frictionless secure systems more lucrative.


As with most data breaches involving theft of personal information, especially the type that have the potential to exploit a single point of failure (otherwise known as your SSN) the affected company needs to offer credit protection and credit monitoring for a period of time. I sure hope Anthem has good re-insurance. By one account (http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-di...) it seems they were storing SSNs in the clear, which is probably akin to begging for something like this to happen in this day and age.


It seems like every 2 or 3 months there is a data breach in the news and a bunch of plain-text info is stolen. And every time I am inclined to imagine the companies storing in plain-text would think "oh we should change something about this"

But then it happens again 2 or 3 months later anyways ...


Before we go to encryption, let's talk about all the SSNs you put on paper you file for bank, government, employment. That's right. They are all in the clear. Whatever you sent to your employer over email (rather than fax) is still in the clear.

A lot of these attacks are a trojan that has already breached the network, or an insider attacker. The latter is often due to infection (e.g. USB, browsing a problematic website). Encrypting files, encrypting the SSN field is not a full solution but is definitely a really good solution.


Tax and Identity Fraud are not anything new - but the way they are accomplished has changed significantly.

Sure you can physically intercept mail - but there is a huge difference in magnitude. I wager you could not in any practical way intercept millions (or even thousands) of paper records without being traced.

That's why these poorly protected digital records are such a gold mine.


What surprises me most is that the US doesn't seem to have the same law as here in Canada. Here, pretty much only the bank, government, or your employer can ask for your social as that's the law. Plus, they don't send it in the clear on-line. You'll get receipts either from a secure Web site or physically mailed to your address.


It's of no use when it's encrypted.

Oh, right, decrypt it real quick in the app, right? How will you protect that decryption key?


Decryption can require several servers to participate rather than one - don't allow for a privileged user on one server to have an easy pathway to access and escalate on another server.

From the way it looks, the security precautions they are failing at are so trivial that most developers probably have more secure personal servers / computers.


I dunno; they have deep pockets, and state AGs can be pretty aggressive if you make it worth their while. I could easily see some state AG taking them to court on a variety of theories if they are actually the source.


Wasn't Anthem attacked by super-chinese state-sponsored ninja hackers? That's what Bloomberg was saying.

http://www.bloomberg.com/news/articles/2015-02-05/signs-of-c...


It's always the "super-ninja hackers". You can't exactly announce: oh sorry, our manager's password was his phone number, can you?


No kidding. When the City of Ottawa was hit with a DNS hijacking it turned out the account password could be found in the Whois record and the challenge question pointed to it!!! Super ninja hacker indeed.


Out of curiosity, if someone e-files fraudulently for you, are you held liable by the IRS if you are audited?


I've had it happen to me. My experience was:

1. Scammer filed a tax return under my name/SSN, probably with a large return to their bank account/address

2. Later in the year I filed my tax return, but it was rejected because it thinks you have already filed

3. I called the IRS, then had to sign and mail an affidavit confirming I am me and a fraudulent person filed my return. Then I mailed in my tax return.

4. ~8 months later the IRS mailed me something that confirmed fraud occurred and I wasn't liable for anything.

5. I wasn't audited so presumably they sorted it out and accepted my valid return

6. Now the IRS mails me a PIN number that needs to be used for filing my tax return [1]

I'll also note that in all the support phone calls with the IRS, they were really incredibly helpful, pleasant, and I never had any long wait times or anything.

1: http://www.irs.gov/Individuals/The-Identity-Protection-PIN-I...


If I recall - a PIN number of some sort is already part of TurboTax's filing process. Wouldn't that alleviate much of this problem?


Yeah, it is a bit confusing. There are 2 types of PIN numbers.

1. The E-file PIN (5 digit PIN). This is the one most people use when they e-file. You either use a special IRS website or phone number to get it by verifying basic identification information about yourself. The problem is I believe all of this information is based on your 2013 tax return, so if a criminal has that, they can get your 5-digit PIN. This PIN is also delivered electronically, so there is no verification that the address information you enter is actually your address.

So when you are worried about somebody having your 2013 tax return, you are really worried about them stealing your e-file 5-digit PIN number.

2. Then you have the 6-digit PIN, which is generally only given out in the case of proven identity theft (though it seems as part of a pilot program they are giving it out more often). This PIN is mailed to your current address on file with the IRS, and is a randomly generated 6-digit PIN number which changes every year. If you are signed up for this program, your tax return will only be accepted if it has the proper 6 digit PIN number.

So if you have this, in order for somebody to fraudulently file a tax return under your name they'd have to steal your mail, which obviously is a lot harder.

More details:

https://ttlc.intuit.com/questions/2579455

http://www.irs.gov/Individuals/Get-An-Identity-Protection-PI...


In Canada, you get a unique code (for that year) physically mailed to your address from the 2013 return (unless you change addresses). If you change addresses in a tax year, you can't file electronically.

It's not technically a PIN as there are letters in the code. Basically, we have a similar system to your second type.


I don't have much insight into the legal end of this, but I will say I've had (or at least been involved with) "run-ins" with the IRS twice, both times were legitimate misunderstandings on our part. We were in the wrong, but no actual malice was intended. Both times the IRS was quite flexible in getting the problem sorted out. It's just personal experience, but that experience was not of the IRS as a monolithic government body that bulldozes people. They wanted their money and were willing to work with me to get it.


Yeah, that is my experience with dealing with them as well. They actually have very good "customer service" if they don't believe you are deliberately keeping money from them. They want their money, and if you want to give them their money, then they seem to be very reasonable.


Nitpick: they wanted your money. It's not "theirs" by any stretch.


If we're nitpicking, it's the result of a transaction. Granted it's a transaction you're not opting out of, but it's still an exchange of service for payment.

By any other measure in a transaction that money ceases to be yours and becomes theirs. We can argue the merits of income tax or taxation in general, but in our (and many similar) systems, it's not your money if you wish to live in the country and thus partake in this transaction.


No you're not held liable, but it's a giant pain in the butt proving that you're the actual owner of your SSN. It also significantly delays your refund (if you're due a refund).


Another reason I try to arrange my withholding so I owe a little bit.


Yeah I'm eagerly awaiting someone filing my taxes fraudulently and paying my bill :)


Assuming you've prepared and filed your own non-fraudulent returns, I can't imagine why you would be.


From the TurboTax blog:

http://blog.turbotax.intuit.com/2015/02/06/intuit-working-wi...

(Shouldn't this be the proper link for the HN post?)


With the language being used to describe what's going on, combined with the numbers that Alabama is estimating, it smells a lot like malware-infected PCs combined with the desktop edition of Turbotax (which offers free e-file if you buy the software).

That would explain:

* why it seems to be only hitting Turbotax users
* the availability of 2013 data (Turbotax users usually buy every year)
* the availability of logins to these sites

While I wouldn't go so far as to say that this is the source of the data/problem, malware + desktop app + efile through Turbotax online fits the public information really well.


Yeah this happens more than just with Turbo Tax.

It used to be a scam that prisoners did by requesting 1040 forms and having some help on the outside to make bank accounts to direct deposit the money for refunds into it. They would get fake W2 forms and make them from fictitious companies and enter a large withholding tax on them. File the 1040EZ form with the standard deduction and file a state form too for extra money. Everything was done via postal mail before Turbo Tax and others provided e-filing.

A friend of our family had someone file taxes as her, and we think the SSN got stolen from the church we go to by ex-employees because they need it for donation tracking. She hadn't filed taxes in a while and Turbo Tax would not help and she was seeking an accountant to find out someone else already filed taxes as her.

I buy the desktop Turbo Tax edition and I try to file early before anyone else can file as me. I am disabled and don't make a lot, but there have been many data breaches that include SSNs over the past decade or so. When I had a student loan, someone stole a laptop with a hard drive on it that had SSNs and other info on it from the company that managed my student loan.

Actually if people are getting SSNs from outside of Turbo Tax they can e-file with the other tax filing software as well.


How to file fraudulent tax returns:

  Step 1. Take someone's W2.
  Step 2. File.

Why would they stop all state filing because of this?


Just to be clear, this is a major problem:

http://www.irs.gov/uac/Newsroom/IRS-Combats-Identity-Theft-a...

It's called SIRF (Stolen Identity Refund Fraud) and it likely costs billions a year at the federal level (I could not find data on states).

The difference seems to be that Turbo Tax was just the vector because it could be automated. Not a lot of payoff in doing it by hand.


I'd be interested to know how hard it is to trace the destination of fraudulent tax refunds.


It's trivial for the IRS. They either cut a check (and mail it to an address) or direct deposit it in to an account. Most fraudsters opt for the check option... so much so in fact that one of the new fraud prevention mechanisms the IRS introduced this year was to cap the total number of refund checks to any specific address at 10(!).


I'm not USAian, so I'm not familiar with the US system. But why would criminals want to fill in someone else's tax details?!


To claim a refund based on incorrect/falsified statements of income, deductions, and withholdings.

Claim that SSN 123-45-6789 worked a job where they made $19K in income, had $4K in taxes withheld, and owed a total tax of $0, so please mail the $4K refund check to 12A Main Street, Fraudville, MA 02341.

The tax authorities are often compelled to process the refund in a certain time window that precludes cross-checking all the information and certainly precludes waiting to see if the actual taxpayer will file an actual (non-fraudulent) return.


So, what is the best way to find out if you are the victim?

Call IRS? (Assuming you haven't filed it yet) Check TurboTax? (Essentially filing yours and wait for it to be rejected?)

Maybe TurboTax should have a tool that checks against their system (based on SSN and some credit history questions, etc.) to see if you (the fraudster in this case) have filed your taxes or not.


Unfortunately there isn't an existing easy way to find out if your SSN has been used to file a tax return. When you file your taxes via efile[0], the IRS system will reject the tax return if a tax return with the same SSN has already been filed for that processing year.

If this happens to you, you're forced to file by mail.

[0] Doesn't matter who you use to do your taxes. Even an accountant that has access to e-file.


In Canada, you can't get the e-file code if you've moved in the tax year so you have to mail in your tax return.


If Intuit wasn't breached, that means the problem could affect everyone in those states, not just TurboTax users.


It sounds like someone has collected personal information and has a script filing fraudulent tax returns through TurboTax.

We know an enormous amount of PI was leaked from various major breaches last year; if that is what is happening, TurboTax is really just a tool being exploited for profit.


Fraudulent tax refunds are a huge issue that the IRS has not kept up with. The IRS itself estimates it paid $5.2 billion to identity thieves[1]. Protecting taxpayers without creating too much of a hurdle to tax paying is a very hard problem to solve.

[1] http://time.com/money/3419136/identity-theft-social-security...


It's an easy problem to solve but the solutions (Estonia style national identity cards or a flat PAYE tax on all forms of income) are not politically viable in the US.


Taxes should not be collected on income or in any way that requires individuals to "file" anything. Problem solved.


Why is PAYE unviable? It wouldn't have to be flat.


Because there is an entire industry of which Intuit is part of that profits off the complexity of current tax system. Simplify the system and profits go down.

HR Block was caught lobbying against simplification of the tax system for this very reason.


Because Congress never votes for a reform of tax codes because the lobbying from Intuit and HR Block et al is too strong, while there's no lobby for the populace at large to say "This sucks."


I would imagine that the sort of politics involved is lobbying rather than ideological.

I'm sure people would be very happy to not have to file tax returns.


A mandatory national identity card would be an ideological non-starter to the small government wings of both parties, despite the fact that the information industrial complex would love a government project of that scale to attach pork to.


Oh, yeah the ID card side of things is a problem, same here. But we do have a national PAYE system that no-one complains about - they might moan about the levels of taxation but I've never heard of anyone bemoaning the mechanism.


This doesn't seem to affect federal tax returns or anything related to the IRS. (This time.)


> Fraudulent tax refunds are a huge issue that the IRS has not kept up with. The IRS itself estimates it paid $5.2 billion to identity thieves[1]. Protecting taxpayers without creating too much of a hurdle to tax paying is a very hard problem to solve.

Eliminate advance tax withholding and pay all taxes in arrears with allowance for a no-penalty payment plan for up to one year after the end of the tax year. You have significant one-time cost from shifting obligations forward, and a bit of an ongoing cost from the time value of money, but you eliminate the problem of fraudulent refunds by simply eliminating routine refunds.


States also claim they weren't breached. They just said data was filed through "third party" tax filing services.

As others pointed out, it does look like one of those two entities above were breached, as data filed in forms is very similar to data from 2013.


People reuse the same user names and passwords all over the place. Most likely criminals have gathered a large list of user credentials from breaches of other web sites and then found that some of those credentials also worked on TurboTax.
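Added example, not part of the thread: how a site operator could spot the credential-reuse pattern hypothesized in the comment above in its own login logs. The log format, thresholds and every line of the sample log are constructed; the heuristic flags sources that try many accounts about once each with a low hit rate, and lists the accounts that did log in so they can be reset.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=ok|fail"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def build_sample_log():
    """Constructed login log (documentation-range IPs, made-up users)."""
    lines = []
    # One source walking a credential list: one try per account, two hits.
    for n in range(1, 9):
        result = "ok" if n in (3, 7) else "fail"
        lines.append(f"2015-02-05T10:00:{n:02d}Z ip=203.0.113.9 user=user{n:02d} result={result}")
    # Password guessing against a single account: a different pattern.
    for n in range(8):
        lines.append(f"2015-02-05T10:05:{n:02d}Z ip=198.51.100.20 user=carol result=fail")
    # Shared office NAT: many users, but they all know their passwords.
    for n in range(6):
        lines.append(f"2015-02-05T10:10:{n:02d}Z ip=192.0.2.77 user=staff{n} result=ok")
    # Ordinary user with one typo, plus a corrupted line to be skipped.
    lines += [
        "2015-02-05T10:20:00Z ip=192.0.2.5 user=dave result=fail",
        "2015-02-05T10:20:09Z ip=192.0.2.5 user=dave result=ok",
        "corrupted line that should be skipped",
    ]
    return lines


def parse(lines):
    """Yield (ip, user, succeeded) for every well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"


def find_stuffing_sources(lines, min_users=5, max_tries_per_user=2.0, max_hit_rate=0.5):
    """Flag sources that touch many accounts briefly and mostly fail."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> tries
    hits = defaultdict(set)                           # ip -> users that logged in
    for ip, user, ok in parse(lines):
        attempts[ip][user] += 1
        if ok:
            hits[ip].add(user)

    flagged = {}
    for ip, users in attempts.items():
        distinct = len(users)
        tries_per_user = sum(users.values()) / distinct
        hit_rate = len(hits[ip]) / distinct
        if (distinct >= min_users
                and tries_per_user <= max_tries_per_user
                and hit_rate <= max_hit_rate):
            flagged[ip] = {
                "users_tried": distinct,
                "accounts_to_reset": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(build_sample_log()).items():
        print(ip, info)
```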


I would guess this is happening largely because Intuit started offering free state filing to a greater subset of users. This has been an ongoing problem at the federal level, but just started this year with the various states. Strong correlation between fraudulent returns filed and it costing $0 for a fraudster to take a shot.


If people can anonymously get money from refunds, doesn't that mean they're also using a fake ID to open their bank account, meaning the bank is being negligent and not "knowing its customer"? Or does the IRS pay people with cash?? Something's missing here.


Maybe somebody's figured out an automated way to harvest the data from infected individual PCs? Then they use that information to file new returns.


Not sure if you're being sarcastic, but there have been bots doing this for well over 10 years now.


No, not being sarcastic - this is the first I've heard of it. And if it's been going on already, what turned it into a bigger problem all of a sudden?


Just trends in the cybercrime world, and the increased publicity.


Why doesn't the IRS issue pin codes to every registered social security number or entity? They don't even have to mail the pins. A simple web portal, where you log in, enter your SSN or EIN and it sends the pin via SMS or e-mail. Pins reset every year.


That wouldn't stop this fraud, nothing preventing the bad guy from requesting a pin. What if you need multiple pin resets, what happens to documents mid-process?


what about the people who don't have internet access?

edit: I'm also pretty sure the IRS and e-tax filers already do this for (edit: electronically filed) Federal returns, there it makes sense because if you're e-filing already, you can deal with a website for a PIN.

if you file without a PIN, they request more identifying information from you later, via mail.


You can also call 211 (United Way) in your area to see if you qualify for My Free Taxes.

http://www.myfreetaxes.com/


They are starting to trial it, and offer it to those who have had their identity stolen.

http://www.irs.gov/Individuals/Identity-Protection-PIN-Pilot...



