It’s been a while since I’ve posted here, and in the time that I’ve been gone, the IRS has expanded its Identity Protection PIN program to all taxpayers, not just confirmed victims of identiy theft.
Normally, an individual taxpayer (i.e., not an organization) would only need to input their Social Security Number to file their income tax returns. Under the program, individuals with stolen identities (and, now, anyone who opts in) would also need a 6-digit PIN mailed to them at the start of every year.
It’s long overdue that the IRS has begun to move away from its old position on the PIN program. Under the old system, it would seem to me that by the time a person would be enrolled in it, it would already be too late to prevent the vast majority of the damage. If a person has to wait until after they have their identity stolen to seek protection, then by the time they do so, the thief could already have filed fradulent tax returns with the IRS, causing a world of trouble for the real person (which would eventually be sorted out but at the great cost of time and stress).
Who would do such a thing? Maybe a disgruntled former spouse/significant other, who would likely be fully aware of your social security number, and decent amounts of other possibly-identifying information (e.g., your adjusted gross income for prior tax years, your phone number and address, etc.). Maybe a professional identity thief who buys your SSN on the dark web for a bargain and uses the threat of fradulent returns to extort you (the elderly may be disproportionately susceptible to such an attack). Maybe that same thief thinks that by filing a fradulent return they can claim a refund in your name, cash that refund, and move on just before the IRS gets wise to the fradulent return. I’m not sure how feasible that last option is, but the matter of fact remains that anyone with your name, date of birth, and SSN can steal your identity. Only the last piece of information is private (name and DOB is public record, at least in Florida), and an honest mistake can quickly make your SSN “public record” too.
They can open bank accounts in your name, use them for money laundering, and have the FBI knocking on your door instead of theirs. They can take out credit in your name, max out their lines, and leave you to foot the bill (not to mention your credit score!). There’s a lot of money to be made in identity theft. It’s rather simple, too.
I recently had the pleasure of applying to various apartment complexes. Most of the leases I was offered had my name, date of birth, and last 4 digits of my SSN as my identifying markers. One of them had my name, date of birth, and first 5 digits of my SSN. Take that lease and any of my other leases and you’ve just stolen my identity.
What’s your redress if this happens? The Social Security Administration will only issue you a new number if the old one is actively being used, which means that if you’ve had your identity stolen once, and you’re currently not experiencing any additional theft, you’ll have to wait until you (inevitably) start experiencing theft again before you can get a new number. And that doesn’t revoke the old number, either. Again, the same issue with the IRS’s old program: by the time you can fix the issue, it’s already too late. The SSA won’t even explain the situation to the credit bureaus, you have to do that, making more headaches and financial stress. All of this is eventually resolvable, but not with a plainly excessive amount of work that could be avoided by just using a better system.
My “better system” would take the IP PIN program and use that as the SSN. At the start of every year, you’ll get a new SSN in the mail. The old one will be revoked 3 months later. That creates a small headache whereby you’ll have to give your new SSN to the people and companies you’re still affiliated with. It avoids the much larger headache that happens when the people you’re no longer affiliated with are hacked and lose your SSN.
And, of course, you can at any point in time for any reason at all get a new SSN and have the old one revoked immediately or 3 months from the time of renewal. If you lose the old number, no biggie, get a new one. If you read in the news that your bank just got hacked and had all their SSNs stolen, no biggie, get a new one. The SSA might even proactively revoke SSNs that companies report as stolen and renew them without you ever asking.
The only other flaw in this process is the question of authenticating you each time you renew. If your SSN is stolen, and your hacker is faster than you, they could renew your SSN in your name and really screw you over. This could happen because all the SSA has to identify you is your name and date of birth. If they also had biometric information, this wouldn’t be necessary. The SSA could have a photo of you and require you to supply a new one every couple of years before you renew, or if you undergo major facial changes. Then, when you elect to renew in the middle of the year, or whenever you change your mailing address, you’ll be able to “freeze” the number instantly but you’ll have to show up in person to complete the process of replacing the number. It’s a lot harder to steal identities when in-person visits are necessary, because most identity theft is conducted exclusively online or by mail.
Alternatively, states and companies that need to verify your identity can just implement their own verification procedures. It would save the taxpayer a decent amount of money if the states and companies independently verified identities, and a federal system could leverage these decentralized verification procedures by “hooking into” them (so now, instead of needing just your name, DOB, and SSN, a hacker would also need the state where you had your SSN issued). We already kind of have this state procedure in the form of state ID cards and driver’s license numbers (although these aren’t always free, and those numbers are also prone to theft, but at least the physical card has your face on it).
In the meantime, enroll in the IP PIN program to save yourself more interaction with the IRS than is strictly necessary. Identity theft can happen to everyone, and if you’re expecting a refund next year, you’d better hope that you can file faster than the other guy.