WEBVTT

00:00:01.459 --> 00:00:05.670
JACK: Internal Revenue Service is the American tax collection agency and guess how much money

00:00:05.670 --> 00:00:07.920
they collect every year from American taxpayers.

00:00:07.920 --> 00:00:11.790
COMM’R: We collect three trillion dollars a year in a voluntary compliance system.

00:00:11.790 --> 00:00:15.910
JACK: [MUSIC] That’s the IRS Commissioner himself. Three trillion dollars is a lot of

00:00:15.910 --> 00:00:20.069
money that travels through the IRS’s fingers and something I’ve learned over the years

00:00:20.069 --> 00:00:24.759
is that if that kind of money is going through an organization, it’s going to attract criminals

00:00:24.759 --> 00:00:30.130
and hackers like a hound dog attracts fleas. A lot has to be done to protect the IRS from

00:00:30.130 --> 00:00:35.179
attackers. There are problems; first of all, the budget is shrinking. Again, here’s the

00:00:35.179 --> 00:00:36.760
commissioner from 2015.

00:00:36.760 --> 00:00:44.140
COMM’R: The IRS is now at its lowest level of funding since 2008. If you adjust for inflation

00:00:44.140 --> 00:00:49.579
our budget is now comparable to where we were in 1998. While our budget has been shrinking

00:00:49.579 --> 00:00:55.050
however, the taxpayer base has grown by millions. But after five years of budget cuts and a

00:00:55.050 --> 00:01:00.140
hiring freeze that has lasted for four years, people need to understand that the IRS is

00:01:00.140 --> 00:01:05.820
going to have to do less with less. It means that both enforcement and tax payer service

00:01:05.820 --> 00:01:06.820
will suffer.

00:01:06.820 --> 00:01:12.320
JACK: From 2010 to 2015 the budget had gone down by 20%. You can already start to guess

00:01:12.320 --> 00:01:14.860
what kind of impact this may have on an organization.

00:01:14.860 --> 00:01:22.000
COMM’R: Between 2010 and 2014 the IRS lost over 13,000 employees. We expect to lose another

00:01:22.000 --> 00:01:28.530
3,000 more or less through attrition by the end of this year. We have only 650 employees

00:01:28.530 --> 00:01:31.619
out of 87,000 who are twenty-five or younger.

00:01:31.619 --> 00:01:37.600
JACK: 87,000 employees and only 650 of them are under twenty-five? That’s like, less

00:01:37.600 --> 00:01:43.079
than 1%. Huh. Combine the dwindling staff and the budget cuts with aging equipment and

00:01:43.079 --> 00:01:47.651
computers and you can start to see that this could become a serious problem, and a problem

00:01:47.651 --> 00:01:51.560
for the IRS is a dream come true for hackers.

00:01:51.560 --> 00:01:59.890
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:59.890 --> 00:02:16.450
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:16.450 --> 00:02:25.590
JACK: 2015 was a year full of data breaches. Starting the year off were two big breaches

00:02:25.590 --> 00:02:30.460
from healthcare providers. In February, Anthem announced that eighty million patient records

00:02:30.460 --> 00:02:35.690
were stolen. [MUSIC] Discovered around the same time was Premera Blue Cross and they

00:02:35.690 --> 00:02:39.440
found that possibly the same actors were in their network and admitted to a breach of

00:02:39.440 --> 00:02:44.970
eleven million patient records. So just in the first quarter of 2015 we saw almost one

00:02:44.970 --> 00:02:50.090
hundred million patient records get pinched by hackers. They didn’t actually steal medical

00:02:50.090 --> 00:02:54.720
records; instead they grabbed stuff like names, birthdays, medical IDs, social security numbers,

00:02:54.720 --> 00:02:58.950
street addresses, e-mail addresses, employee information, and income data. People weren’t

00:02:58.950 --> 00:03:02.550
sure what it could be used for and who’s doing this and why.

00:03:02.550 --> 00:03:06.650
Was it just being sold on the dark market for a quick Bitcoin? Was this information

00:03:06.650 --> 00:03:11.510
collected as part of a multi-stage attack? In what ways could this information be valuable

00:03:11.510 --> 00:03:16.190
to hackers? How can you make money if you know someone’s name, address, social security

00:03:16.190 --> 00:03:22.520
number, and stuff like that? I’ll let you think about that for a minute. Let’s talk

00:03:22.520 --> 00:03:27.250
about the IRS. For my non-American listeners, the Internal Revenue Service is the US government

00:03:27.250 --> 00:03:32.560
agency that collects taxes. Most US citizens and businesses have to report their income

00:03:32.560 --> 00:03:37.170
to the IRS every year and pay taxes based on how much money they made. The IRS has to

00:03:37.170 --> 00:03:43.300
process hundreds of millions of tax forms a year. It’s an archaic and overly-complicated

00:03:43.300 --> 00:03:47.430
system. Basically us Americans pay a percentage of the money we make to the government so

00:03:47.430 --> 00:03:52.480
they can pay off national debts for military, social security, medical care for the elderly,

00:03:52.480 --> 00:03:53.480
and stuff like that.

00:03:53.480 --> 00:03:59.490
The US government needs a lot of our money. On average they take about 14% of our paychecks.

00:03:59.490 --> 00:04:04.960
If you made $67,000 dollars a year, they want $9,000 of that. But here’s the thing; American’s

00:04:04.960 --> 00:04:09.770
don’t save up $9,000 to give it to them every year. We simply ask our employers to

00:04:09.770 --> 00:04:13.520
take out that money from our paycheck before we even get it. That way it’s all paid up

00:04:13.520 --> 00:04:17.800
and stuff. But we don’t always know how much to pay and sometimes we underpay and

00:04:17.800 --> 00:04:21.090
come tax time we have to pay a little bit more. But what a lot of people actually do

00:04:21.090 --> 00:04:25.350
is overpay and then the IRS gives us back the money we didn’t need to pay. This can

00:04:25.350 --> 00:04:30.620
sometimes be a nice-sized tax return, thousands of dollars. This process of tax filing is

00:04:30.620 --> 00:04:35.370
all super complicated and traditionally the IRS has handled all of this through paper

00:04:35.370 --> 00:04:40.159
forms. If you wanted to see your old tax records you had to fill out the IRS form 4506 and

00:04:40.159 --> 00:04:44.250
pay $50 and you can get your old tax record sent to you in the mail.

00:04:44.250 --> 00:04:47.430
But in the last decade they’ve been moving to electronic filings where you can do the

00:04:47.430 --> 00:04:53.449
whole thing through the website, irs.gov. In January 2014 they made a new feature to

00:04:53.449 --> 00:04:59.900
irs.gov website called Get Transcript. [MUSIC] This would allow you to see your tax records

00:04:59.900 --> 00:05:03.490
from last year in case [00:05:00] you wanted to use them to help submit for this year.

00:05:03.490 --> 00:05:07.780
It was a fantastic feature and right away millions of Americans were using it to look

00:05:07.780 --> 00:05:12.580
up their tax forms from last year. Normally when you sign up for a bank account or medical

00:05:12.580 --> 00:05:16.659
provider you’re put through a sign-up process which often includes setting up a password

00:05:16.659 --> 00:05:20.719
and then some account recovery questions such as where you met your spouse or what high

00:05:20.719 --> 00:05:26.280
school you went to. The irs.gov website is different. They use something called instant

00:05:26.280 --> 00:05:29.630
KBA, or knowledge-based authentication.

00:05:29.630 --> 00:05:34.080
This is a series of questions they ask that only you would know the answer to, like what

00:05:34.080 --> 00:05:38.749
your mortgage payment is and where you bought your car. It’s called instant KBA because

00:05:38.749 --> 00:05:43.460
they already have the answers on their side. This is a little different than a bank account

00:05:43.460 --> 00:05:46.620
where when they ask you the question, they don’t know the answer and you put the answer

00:05:46.620 --> 00:05:51.270
and then they save that for next time. With instant KBA they already know what high school

00:05:51.270 --> 00:05:55.389
you went to from your credit records. The IRS partners with one of the big credit reporting

00:05:55.389 --> 00:06:00.220
companies like EquiFax to learn more about you. Through this the IRS knows what streets

00:06:00.220 --> 00:06:04.360
you previously lived on and what credit cards you currently have and stuff like that. When

00:06:04.360 --> 00:06:08.780
you want to use the Get Transcript feature of the irs.gov website you’re asked a series

00:06:08.780 --> 00:06:13.169
of questions like this, questions only you would know the answer to which proves who

00:06:13.169 --> 00:06:16.199
you are and then they show you your old tax records.

00:06:16.199 --> 00:06:21.680
But can you maybe guess at what a few problems are with this instant KBA? Well first of all,

00:06:21.680 --> 00:06:27.169
the IRS says 22% of people cannot answer the questions correctly themselves. Do you remember

00:06:27.169 --> 00:06:31.479
your phone number you had ten years ago or the address you had in college? Maybe, but

00:06:31.479 --> 00:06:36.199
when you’re seventy will you? Here’s another problem with instant KBA; you can’t opt

00:06:36.199 --> 00:06:40.190
out of it. The IRS and EquiFax have collected and stored this information about you that

00:06:40.190 --> 00:06:45.560
you didn’t give them authorization to keep. It can become a privacy issue. In fact NIST,

00:06:45.560 --> 00:06:50.150
a government-ran standards board, comments on this specifically, saying “It is inappropriate

00:06:50.150 --> 00:06:55.379
to involuntarily expose the privacy of unknown citizens of an instant KBA authentication

00:06:55.379 --> 00:07:00.040
scheme unless the risk is close to zero.” Another big issue with this knowledge-based

00:07:00.040 --> 00:07:03.509
authentication relies on knowing secret information about you.

00:07:03.509 --> 00:07:08.569
As our data becomes more exposed to the world through breaches, this secret information

00:07:08.569 --> 00:07:14.499
is no longer secret. [MUSIC] Let’s go back to 2014 when this Get Transcript service was

00:07:14.499 --> 00:07:19.190
first introduced to the irs.gov website. Let’s say we wanted to get our old transcripts.

00:07:19.190 --> 00:07:25.449
First off, the site asks the following: name, social security number, address. Now historically

00:07:25.449 --> 00:07:29.550
your social security number is private and only a few people would know it but as data

00:07:29.550 --> 00:07:33.960
breaches happen, it’s becoming not as private anymore. Name and address are not that hard

00:07:33.960 --> 00:07:37.659
to figure out so these first questions could easily be defeated with anyone knowing this

00:07:37.659 --> 00:07:41.330
about you. At this point they make you sign up with an e-mail address and they send you

00:07:41.330 --> 00:07:46.919
an e-mail for next steps. Then you’re presented with four multiple choice instant KBA questions.

00:07:46.919 --> 00:07:48.770
Here’s a few samples.

00:07:48.770 --> 00:07:53.070
Please select the county of the address you provided. Well, obviously you can look that

00:07:53.070 --> 00:07:58.169
up on any map, so that’s easy. Next question. According to our records, you previously lived

00:07:58.169 --> 00:08:03.650
in…insert town. Please select the street which you resided on in that town. Well, it’s

00:08:03.650 --> 00:08:07.340
a multiple choice question so you can look at the answers and rule out any streets that

00:08:07.340 --> 00:08:11.990
don’t exist in that town and then you’d have a fairly high chance of getting the answer

00:08:11.990 --> 00:08:16.460
right. Please select the city you previously resided in. Well, if the hacker had any data

00:08:16.460 --> 00:08:20.800
on you from previous breaches then this is probably included. Or heck, the answer might

00:08:20.800 --> 00:08:24.909
even be in the previous question. According to our records, you graduated from which of

00:08:24.909 --> 00:08:28.870
the following high schools? Well, have you been on Facebook lately? Pretty much everyone

00:08:28.870 --> 00:08:32.970
is on there and they all love to write what high school they went to so this is usually

00:08:32.970 --> 00:08:34.800
pretty easy to find. That’s it.

00:08:34.800 --> 00:08:38.780
If you answer those questions correctly you get the historic tax records for that person.

00:08:38.780 --> 00:08:42.520
If you really look at it, because it’s multiple choice questions, we have a shot at getting

00:08:42.520 --> 00:08:46.620
all the questions right without even having breached data, just by Googling a person and

00:08:46.620 --> 00:08:51.130
where they used to live and stuff. This Get Transcript option at the irs.gov website was

00:08:51.130 --> 00:08:57.400
used by millions of people in 2014 and then again in 2015. It was a great feature but

00:08:57.400 --> 00:09:03.090
you may have noticed by now that the authentication method maybe wasn’t that secure. Let’s

00:09:03.090 --> 00:09:08.080
go to February 2015, same month that the Anthem breach was discovered. A guy named Michael

00:09:08.080 --> 00:09:13.060
Kasper goes to file his taxes. He fills out all the forms electronically and hits Submit

00:09:13.060 --> 00:09:17.340
but something’s wrong. The IRS’s website is telling him he’s already submitted his

00:09:17.340 --> 00:09:22.840
taxes but that’s impossible. He hasn’t submitted it yet. He calls the help line and

00:09:22.840 --> 00:09:24.640
you know what? I’ll let him tell the story.

00:09:24.640 --> 00:09:29.850
MICHAEL: On Monday morning I called the IRS and they confirmed my identity by asking tax

00:09:29.850 --> 00:09:35.050
history-related questions and showed me that a deposit was being made the same day that

00:09:35.050 --> 00:09:40.710
I was calling into somebody’s account, but that it was too late to stop it at that point.

00:09:40.710 --> 00:09:46.351
JACK: The IRS just told him that someone else filed a tax return in his name and a check

00:09:46.351 --> 00:09:51.760
was sent to that person. It had already been deposited. The IRS wasn’t able to tell him

00:09:51.760 --> 00:09:55.590
anything else like how much the check was worth, what bank it was deposited, or anything

00:09:55.590 --> 00:09:59.090
like that. The IRS can’t disclose this because of privacy.

00:09:59.090 --> 00:10:04.440
MICHAEL: I was frustrated by that. [00:10:00] That’s when I tried the Get Transcript function

00:10:04.440 --> 00:10:08.311
on the IRS website to see if I could get a transcript and found out someone else had

00:10:08.311 --> 00:10:12.560
already registered their e-mail address with my social security number.

00:10:12.560 --> 00:10:16.341
JACK: It appeared someone had already gone through the steps of doing a Get Transcript

00:10:16.341 --> 00:10:20.750
under Michael’s tax records and made an account as him. At this point Michael didn’t

00:10:20.750 --> 00:10:25.600
know what to think. He wondered if he got hacked or if someone stole his wallet or identity,

00:10:25.600 --> 00:10:29.980
or what had happened. Is it his fault this is happening? Over and over Michael had asked

00:10:29.980 --> 00:10:34.640
for more information about who filled out his taxes but the IRS was refusing to give

00:10:34.640 --> 00:10:39.530
any information. The law clearly states the IRS cannot share tax information with anyone

00:10:39.530 --> 00:10:43.950
and he wasn’t able to log into the IRS website and do the Get Transcript function because

00:10:43.950 --> 00:10:49.700
someone else already registered as his name. He felt stuck but he came up with a new plan.

00:10:49.700 --> 00:10:54.910
He figured out if you fill out the IRS form 4506 and include $50 they’ll send you a

00:10:54.910 --> 00:10:56.830
physical copy of your tax return.

00:10:56.830 --> 00:11:01.010
MICHAEL: I found out I could get a photocopy for $50. They had been telling me I couldn’t

00:11:01.010 --> 00:11:06.490
get the information but if I paid $50 I could get it. So March 17th, I got a photocopy of

00:11:06.490 --> 00:11:11.770
the return which is when I found out that whoever filed had seen my 2013 return because

00:11:11.770 --> 00:11:13.470
the information was almost identical.

00:11:13.470 --> 00:11:18.040
JACK: This was freaky. He was starting to put the pieces together now. Someone definitely

00:11:18.040 --> 00:11:23.020
did the Get Transcript process on irs.gov website, got a copy of his old tax return,

00:11:23.020 --> 00:11:27.220
and submitted a new one for this year. He looked at the tax return someone else submitted

00:11:27.220 --> 00:11:34.840
and they got a refund for $8,936. This was money the IRS owed Michael yet they sent it

00:11:34.840 --> 00:11:38.970
to this other person. Michael looked closer at his tax return…

00:11:38.970 --> 00:11:41.830
MICHAEL: And saw the bank account number.

00:11:41.830 --> 00:11:46.101
JACK: Michael is a smart guy, an engineer even, and wasn’t getting any help from the

00:11:46.101 --> 00:11:51.090
IRS and he was getting angry, angry that someone else stole his money from him. He decided

00:11:51.090 --> 00:11:52.790
to try to figure this out on his own.

00:11:52.790 --> 00:11:59.000
MICHAEL: But I contacted the bank in Pennsylvania. They confirmed a deposit was made. I guess

00:11:59.000 --> 00:12:03.760
the metadata in the deposit actually showed my name and my social security going into

00:12:03.760 --> 00:12:08.250
someone else’s checking account. They told me the location, Williamsport, Pennsylvania

00:12:08.250 --> 00:12:12.310
where all the money was withdrawn. I contacted the local police there.

00:12:12.310 --> 00:12:17.870
JACK: [MUSIC] The police called him back right away and wanted to know more. They opened

00:12:17.870 --> 00:12:22.750
up a case and began investigating who deposited the check. On that same day, Michael got a

00:12:22.750 --> 00:12:23.750
letter.

00:12:23.750 --> 00:12:26.760
MICHAEL: I got a letter in the mail from the IRS that they had, six weeks later, received

00:12:26.760 --> 00:12:29.270
my documentation and that they would get back to me in six months.

00:12:29.270 --> 00:12:33.250
JACK: This kind of made Michael mad. Almost immediately upon getting his tax records he

00:12:33.250 --> 00:12:37.920
was able to make a lot of progress by opening a police investigation, and here the IRS is

00:12:37.920 --> 00:12:40.470
saying it’s going to take them six months to investigate this?

00:12:40.470 --> 00:12:44.250
MICHAEL: I also got a letter that week from Anthem Healthcare offering me free credit

00:12:44.250 --> 00:12:48.420
monitoring. I don’t really know if that is related to how my information was obtained.

00:12:48.420 --> 00:12:52.810
JACK: Michael had his personal information stolen in the Anthem breach and remembered

00:12:52.810 --> 00:12:57.160
the data stolen in the Anthem breach included his name, social security number, and past

00:12:57.160 --> 00:13:01.630
addresses. This would probably be enough to pass the KBA and do the Get Transcript. The

00:13:01.630 --> 00:13:05.640
police went to the person’s house in Pennsylvania and they found this person who deposited the

00:13:05.640 --> 00:13:08.200
check was a young female college student.

00:13:08.200 --> 00:13:12.210
MICHAEL: She had responded to a Craigslist ad offering a job opportunity.

00:13:12.210 --> 00:13:17.281
JACK: Oh yeah, the old money mule scam. Okay, here’s how this works. [MUSIC] Criminals

00:13:17.281 --> 00:13:21.120
who need to move money around will offer up jobs on Craigslist saying something like an

00:13:21.120 --> 00:13:25.180
international finance company needs assistance writing letters. Then they’re given the

00:13:25.180 --> 00:13:29.490
job interview and get hired. First they’re given some basic tasks to do like correct

00:13:29.490 --> 00:13:33.750
some English on some e-mails. These basic tasks are just there to earn trust, then the

00:13:33.750 --> 00:13:37.870
criminals will give some sad story about how they need to pay a client immediately but

00:13:37.870 --> 00:13:42.790
funds are tied up. They ask the victim hey, if we send money to you, could you then send

00:13:42.790 --> 00:13:48.100
the check to the client? If they agree, a money mule is born. It’s very illegal to

00:13:48.100 --> 00:13:53.100
be a money mule and this young woman had no clue it was illegal. She just needed some

00:13:53.100 --> 00:13:54.870
extra cash to get through college.

00:13:54.870 --> 00:14:00.680
MICHAEL: Money was deposited into her account and then she wired large amounts of it to

00:14:00.680 --> 00:14:02.730
Nigeria through Western Union.

00:14:02.730 --> 00:14:09.800
JACK: She sent $7,000 to Nigeria and as a reward she was able to keep the other $1,900

00:14:09.800 --> 00:14:13.810
which she used mostly on rent, leaving just $5 left in the account when the police caught

00:14:13.810 --> 00:14:22.510
her. She was arrested for being a money mule and later got out on bail, having to pay $8,500.

00:14:22.510 --> 00:14:26.550
Michael was frustrated with this whole ordeal so at the end of March he contacted the journalist

00:14:26.550 --> 00:14:31.140
Brian Krebs to share his story. Right away, his story showed up on Krebs on Security,

00:14:31.140 --> 00:14:36.060
a blog about breaches and security. The IRS noticed this blog post and eventually refunded

00:14:36.060 --> 00:14:40.740
the money back to him but this took months. Michael wasn’t the first to report this

00:14:40.740 --> 00:14:46.530
kind of fraud in 2015. Many more people were having the same issue, thousands of others.

00:14:46.530 --> 00:14:48.480
The IRS began looking into it.

00:14:48.480 --> 00:14:53.030
The commissioner of the IRS, John Koskinen, called together a security summit to determine

00:14:53.030 --> 00:14:57.730
what’s going on. They saw this post on Krebs on Security and they were also told by the

00:14:57.730 --> 00:15:01.860
Utah State Tax Commissioner that they were seeing ten times [00:15:00] as much tax fraud

00:15:01.860 --> 00:15:06.560
this year compared to last year. The IRS was seeing that on a lot of these fraudulent tax

00:15:06.560 --> 00:15:11.570
returns, the tax forms were filled out exactly the same as the previous year, complete with

00:15:11.570 --> 00:15:15.910
any typos that were on the year before. This made it obvious that someone had gotten a

00:15:15.910 --> 00:15:19.920
bunch of people’s tax returns from last year and were submitting them fraudulently

00:15:19.920 --> 00:15:25.090
this year. The IRS went and looked at these fraudulent tax returns to see if there was

00:15:25.090 --> 00:15:29.840
a Get Transcript request on the website and sure enough there was. A lot of them were

00:15:29.840 --> 00:15:34.290
using the same exact e-mail address; hundreds, maybe thousands.

00:15:34.290 --> 00:15:38.870
This was obviously a flaw in the IRS’s system, to have thousands of tax returns linked to

00:15:38.870 --> 00:15:44.610
the same e-mail address. The IRS conducted a deep dive investigation to see what was

00:15:44.610 --> 00:15:58.290
going on. Two months after that Krebs article, the IRS had figured it out. Through commonalities

00:15:58.290 --> 00:16:04.310
in e-mail addresses they found out that this crew had issued 13,000 fraudulent tax returns

00:16:04.310 --> 00:16:10.690
and if you add up all 13,000 tax refund checks, this crew stole around forty million dollars

00:16:10.690 --> 00:16:17.610
from the US Treasury. I want to take a moment to reflect on this for a second. When we hear

00:16:17.610 --> 00:16:21.760
about a breach of personal data stolen like at Anthem, we wonder how much this data can

00:16:21.760 --> 00:16:25.620
be worth and how could criminals use this to make money? Of course the obvious answer

00:16:25.620 --> 00:16:30.430
is that this information can be sold to others but using it to steal money from the IRS is

00:16:30.430 --> 00:16:33.510
not only more lucrative, it’s downright genius.

00:16:33.510 --> 00:16:37.600
These criminals knew the tax system well enough that they used data stolen from a breach to

00:16:37.600 --> 00:16:42.230
get old tax transcripts and then they used those old tax filings to submit that person’s

00:16:42.230 --> 00:16:46.290
taxes this year. Then they had to set up a whole network of money mules and keep in mind,

00:16:46.290 --> 00:16:50.290
this requires Craigslist ads, and job interviews, and all this other stuff. Then they had to

00:16:50.290 --> 00:16:55.440
launder the money all the way back to them. They did this 13,000 times in about three

00:16:55.440 --> 00:17:02.150
months’ time. Unbelievable. By this point in May, IRS was on really high alert for fraudsters

00:17:02.150 --> 00:17:06.659
and criminal activity. This is when they noticed a really large spike in people using the Get

00:17:06.659 --> 00:17:09.390
Transfer option on the irs.gov website.

00:17:09.390 --> 00:17:14.350
[MUSIC] This Get Transfer feature of the website was so popular that over twenty million requests

00:17:14.350 --> 00:17:18.759
were seen just in that year so during tax time that’s over 100,000 requests a day

00:17:18.759 --> 00:17:22.530
for the Get Transcript. But this spike was much more than that. This was like, hundreds

00:17:22.530 --> 00:17:26.919
of thousands more all in one day. In fact, it was so many requests that the systems started

00:17:26.919 --> 00:17:31.470
getting backed up and the IRS thought they were under a denial-of-service attack. They

00:17:31.470 --> 00:17:37.030
were able to keep the site up and sustain the flood of usage and things died down. A

00:17:37.030 --> 00:17:41.450
week later on May 21st, the security center within the IRS had discovered something terrible.

00:17:41.450 --> 00:17:47.460
It wasn’t legitimate users trying to do the Get Transfer of tax records. It was hackers,

00:17:47.460 --> 00:17:54.480
fraudsters, thieves. Over 200,000 suspicious attempts were made to Get Transcripts of taxpayers

00:17:54.480 --> 00:17:56.600
and half were successful.

00:17:56.600 --> 00:18:00.929
The thieves successfully used the Get Transcript feature of the irs.gov website to obtain the

00:18:00.929 --> 00:18:06.520
tax records of 100,000 people. Now keep in mind, this isn’t a hack. The thieves didn’t

00:18:06.520 --> 00:18:10.330
use any trick or exploit or vulnerability. They simply found a way to navigate through

00:18:10.330 --> 00:18:14.610
the authentication system, probably by using some personal information they obtained from

00:18:14.610 --> 00:18:19.270
other breaches. But even though this isn’t a hack, it’s certainly a breach of data,

00:18:19.270 --> 00:18:23.279
very personal data, and it’s super scary to think about what criminals like this will

00:18:23.279 --> 00:18:28.429
do with your past tax records. These people have a lot of resources and time to move fast

00:18:28.429 --> 00:18:33.139
and steal a lot of money so this could possibly cause problems for those people for years

00:18:33.139 --> 00:18:39.139
or even life. Once the IRS detected that 100,000 tax records were stolen from their website

00:18:39.139 --> 00:18:43.760
they immediately disabled the Get Transfer feature. Five days later they announced to

00:18:43.760 --> 00:18:48.770
the public that there had been a breach and 100,000 tax records were stolen. The IRS made

00:18:48.770 --> 00:18:52.530
a bunch of corrective actions after this breach. Here’s the IRS Commissioner.

00:18:52.530 --> 00:18:56.360
COMM’R: Letters have already gone out to the approximately 100,000 tax payers whose

00:18:56.360 --> 00:19:01.249
tax information was successfully obtained by unauthorized third parties. We are offering

00:19:01.249 --> 00:19:05.379
credit monitoring at our expense to this group of taxpayers, we’re also giving them the

00:19:05.379 --> 00:19:10.669
opportunity to obtain an Identity Protection Personal Identification Number, or IP PIN,

00:19:10.669 --> 00:19:16.160
as it’s known. This will further safeguard their IRS accounts. The Get Transcript application

00:19:16.160 --> 00:19:21.620
has also been taken down while we review options to make it more secure without rendering it

00:19:21.620 --> 00:19:23.790
inaccessible to legitimate taxpayers.

00:19:23.790 --> 00:19:29.040
JACK: The IRS created this option to get an IP PIN, or Identity Protection Personal Information

00:19:29.040 --> 00:19:33.039
Number. This is a six-digit code that the IRS can issue you which would then be required

00:19:33.039 --> 00:19:37.269
to complete your tax return. This makes it harder for the criminals to submit taxes if

00:19:37.269 --> 00:19:41.529
they don’t know this PIN. The news of the IRS being breached was the top story in almost

00:19:41.529 --> 00:19:46.220
all news outlets in the US. Citizens were angry, congress and senators had questions.

00:19:46.220 --> 00:19:50.590
A full senate committee hearing was held to have the IRS testify. This is the IRS Commissioner

00:19:50.590 --> 00:19:52.480
John Koskinen’s opening statements.

00:19:52.480 --> 00:19:57.450
COMM’R: The unauthorized attempts to access information using the Get Transcript application

00:19:57.450 --> 00:20:02.279
were made on approximately 200,000 taxpayer accounts from [00:20:00] questionable e-mail

00:20:02.279 --> 00:20:07.570
domains and the attempts were complex and sophisticated in nature. These attempts were

00:20:07.570 --> 00:20:12.480
made using taxpayer’s personal information already obtained from sources outside the

00:20:12.480 --> 00:20:18.780
IRS. During the middle of May our cyber-security team noticed unusual activity on the Get Transcript

00:20:18.780 --> 00:20:25.160
application. They ultimately uncovered questionable attempts to access the Get Transcript application.

00:20:25.160 --> 00:20:32.700
Of the approximately 100,000 successful attempts to access the application only 13,000 possibly

00:20:32.700 --> 00:20:38.049
fraudulent returns were filed for tax year 2014, for which the IRS issued refunds totalling

00:20:38.049 --> 00:20:39.049
about $39,000,000.

00:20:39.049 --> 00:20:43.970
JACK: In this hearing we also hear from Michael Kasper, that guy who tracked down who stole

00:20:43.970 --> 00:20:48.670
his tax return himself. In fact the clips you heard earlier from him are from this senate

00:20:48.670 --> 00:20:53.340
hearing. In fact there were multiple hearings that went on for hours and hours. During the

00:20:53.340 --> 00:20:57.110
hearing we hear a little bit about the types of computer problems the IRS faces.

00:20:57.110 --> 00:21:01.210
COMM’R: We are running an antiquated system with some applications that are fifty years

00:21:01.210 --> 00:21:07.159
old, as noted in some cases. Noted, we haven’t even been able to provide patches for all

00:21:07.159 --> 00:21:10.480
of the upgrades. Some of our systems don’t have patches ‘cause they’re no longer

00:21:10.480 --> 00:21:12.809
supported by the provider.

00:21:12.809 --> 00:21:17.289
JACK: On one report after an inspection they found that over 30%of the systems in the network

00:21:17.289 --> 00:21:21.169
weren’t being monitored at all. If you stop to think for a moment, the IRS has pretty

00:21:21.169 --> 00:21:26.179
much every US citizen as a customer or client. Compare that to Facebook which only has about

00:21:26.179 --> 00:21:32.941
68% of the US population as users. The IRS has a lot of users and with 87,000 people

00:21:32.941 --> 00:21:38.000
on the staff there are a lot of computers. At some point the size of the network becomes

00:21:38.000 --> 00:21:43.630
so big that it becomes a logistical nightmare to keep it secure. Both Democrats and Republicans

00:21:43.630 --> 00:21:47.740
offered their support and assistance to help the IRS combat this problem. They seemed to

00:21:47.740 --> 00:21:52.429
genuinely want this problem fixed. Here’s what one senator said to the IRS Commissioner

00:21:52.429 --> 00:21:53.429
during the testimony.

00:21:53.429 --> 00:21:55.970
SENATOR: I told you yesterday on the phone, I’m here to help. How can I help you?

00:21:55.970 --> 00:22:00.380
JACK: The senator seemed to understand the enormous complexity that the IRS faces in

00:22:00.380 --> 00:22:03.429
this situation and actually felt bad for the IRS Commissioner.

00:22:03.429 --> 00:22:08.080
SENATOR: Mr. Koskinen, you have a tough job. There’s no question about it and I don’t

00:22:08.080 --> 00:22:16.620
know anybody that approaches it with a smile like you do. I’d be upset every day. I think

00:22:16.620 --> 00:22:20.950
there’s something wrong with you that you’re not upset every day. [LAUGHTER]

00:22:20.950 --> 00:22:25.470
JACK: At some point in the hearing the senators wanted to know who was behind this attack.

00:22:25.470 --> 00:22:30.929
COMM’R: News reports indicate that the recent IRS identity thieves may have been in Russia.

00:22:30.929 --> 00:22:35.580
JACK: The IT inspector who conducted a security audit on the IRS commented on this.

00:22:35.580 --> 00:22:41.950
INSPECTOR: Eventually we were able to track them down but at this stage when the report

00:22:41.950 --> 00:22:46.030
– there was a report that it was solely Russia and I want to make it clear that’s

00:22:46.030 --> 00:22:51.700
not the case. It’s beyond Russia. I just wanted to get that on the record.

00:22:51.700 --> 00:22:53.789
COMM’R: When you say beyond Russia, what do you mean?

00:22:53.789 --> 00:22:59.169
INSPECTOR: That there are other domains – the domains are located in nations other than

00:22:59.169 --> 00:23:00.799
Russia, in addition to Russia.

00:23:00.799 --> 00:23:05.279
JACK: When the IRS became aware of this breach they immediately contacted Homeland Security

00:23:05.279 --> 00:23:09.549
to help them investigate who was behind this. Knowing that a lot of fraudulent uses of the

00:23:09.549 --> 00:23:14.140
Get Transcript had occurred, the IRS went back to look at the database. Over 23,000,000

00:23:14.140 --> 00:23:17.980
times the Get Transcript service was used that year. The security team combed through

00:23:17.980 --> 00:23:25.049
those 23,000,000 requests and found more fraudulent requests. Three months after the initial discovery

00:23:25.049 --> 00:23:31.179
of the 100,000 stolen tax records, the IRS announced there were another 220,000 tax records

00:23:31.179 --> 00:23:38.679
that were illegally accessed. This raised the full number of stolen tax records to 334,000.

00:23:38.679 --> 00:23:42.380
Looking at some numbers here, it looks like the thieves were able to access about 54%

00:23:42.380 --> 00:23:47.241
of the transcripts they attempted to get from the website. Compare that to the 22% success

00:23:47.241 --> 00:23:48.720
rate for normal people.

00:23:48.720 --> 00:23:53.489
It seems like criminals are better at knowing your personal information than you are. That’s

00:23:53.489 --> 00:23:58.730
just fascinating. If you remember, the IRS started using this IP PIN thing to add additional

00:23:58.730 --> 00:24:03.730
level of security to your taxes but this had a few problems of its own. First of all, your

00:24:03.730 --> 00:24:07.559
PIN is issued through the website. Compare that to where your bank sends you your PIN

00:24:07.559 --> 00:24:11.580
in the mail. If you lost your IRS PIN and you wanted to recover it, you had to go through

00:24:11.580 --> 00:24:17.419
the same irs.gov website to answer the same weak KBA questions that the attackers defeated

00:24:17.419 --> 00:24:22.090
to get your transcripts. Guess what? The criminals figured this out and began stealing PINs.

00:24:22.090 --> 00:24:29.710
On February 2016, the IRS issued a statement saying that there were over 464,000 unauthorized

00:24:29.710 --> 00:24:36.059
attempts to get the PIN. The hackers successfully got 101,000 PINs from taxpayers.

00:24:36.059 --> 00:24:40.440
Then the IRS discovered something else. They conducted another audit on the people who

00:24:40.440 --> 00:24:44.570
did Get Transcript on the website. They found the number was higher than they initially

00:24:44.570 --> 00:24:49.519
thought. First the IRS said it was 101,000 people and then they discovered it was 334,000.

00:24:49.519 --> 00:24:56.980
Now the IRS is saying it’s twice that; 724,000 people got their tax returns stolen by criminals

00:24:56.980 --> 00:25:02.210
through this Get Transcript feature of the website. [00:25:00] More letters were sent

00:25:02.210 --> 00:25:07.279
and more free credit monitoring was issued. Within the IRS is a whole department called

00:25:07.279 --> 00:25:12.429
the IRS Criminal Investigation Division and the IRS itself has over 2,000 special agents

00:25:12.429 --> 00:25:17.480
that specifically investigate tax fraud. These special agents will work with the FBI, secret

00:25:17.480 --> 00:25:21.600
service, Homeland Security, and local police to track and catch these criminals.

00:25:21.600 --> 00:25:25.700
But as budget cuts hits the IRS, this means about 4% of the special agents lose their

00:25:25.700 --> 00:25:31.380
job each year. When there’s less investigations there’s less arrests. The IRS Criminal Investigation

00:25:31.380 --> 00:25:36.100
Division opens about 3,5000 cases a year and they actually catch and convict about 3,000

00:25:36.100 --> 00:25:40.940
people a year. Did they find out who did this and bring them to justice? I’m not sure.

00:25:40.940 --> 00:25:45.649
Here’s what I found, though. [MUSIC] The Department of Justice issues a press release

00:25:45.649 --> 00:25:50.790
each time someone gets sentenced for stolen identity refund fraud. It lists hundreds and

00:25:50.790 --> 00:25:55.710
hundreds of cases going all the way back to 2010. I started combing through it looking

00:25:55.710 --> 00:26:01.129
at case notes, and dates, and crimes to see if anything matched this. Stuff started showing

00:26:01.129 --> 00:26:05.899
up. Probably the biggest one I saw was a Nigerian man who was caught and sentenced to fifteen

00:26:05.899 --> 00:26:09.320
years in prison for running one of the biggest tax fraud schemes ever.

00:26:09.320 --> 00:26:12.549
Here’s what happened; a bunch of people in the state of Oregon were reporting that

00:26:12.549 --> 00:26:16.780
someone had submitted their tax refund for them. The IRS criminal investigation team

00:26:16.780 --> 00:26:20.309
looked into it and found that someone was fraudulently submitting tax returns for the

00:26:20.309 --> 00:26:24.870
people in Oregon and taking all their refunds. They tracked this activity back to a Nigerian

00:26:24.870 --> 00:26:30.640
man named Kazeem who was living in Maryland. They arrested him and found in his house 150

00:26:30.640 --> 00:26:36.539
prepaid credit cards, $40,000 in money orders, and $14,000 in cash. During trial they learned

00:26:36.539 --> 00:26:41.320
what happened. Kazeem had purchased personal identification information from a Vietnamese

00:26:41.320 --> 00:26:47.789
hacker, specifically 259,000 records from a company in Oregon. Perhaps the Vietnamese

00:26:47.789 --> 00:26:52.260
hacker stole a database from a credit agency or a medical facility in Oregon.

00:26:52.260 --> 00:26:56.720
Kazeem then used this information to do Get Transcript on the irs.gov website and also

00:26:56.720 --> 00:27:02.110
get the PINs from the website to submit tax returns for those people. He submitted 10,000

00:27:02.110 --> 00:27:07.279
tax returns which would have resulted in $91,000,000 if he got all the returns but a lot of them

00:27:07.279 --> 00:27:12.799
didn’t get accepted. He was only successfully able to get $11,000,000 back from fraudulent

00:27:12.799 --> 00:27:17.370
returns. To throw the police off he funnelled a lot of the money through Nigeria and then

00:27:17.370 --> 00:27:21.649
back to him. He had five other people working for him, all who were arrested and put in

00:27:21.649 --> 00:27:27.039
prison. Maybe this guy Kazeem was one of the bigger players in this breach but I don’t

00:27:27.039 --> 00:27:31.179
think he was the only one. Looking through the other arrests on the DOJ’s website,

00:27:31.179 --> 00:27:34.690
I see some more, this time even more close to home.

00:27:34.690 --> 00:27:38.799
There’s a Texas guy that was caught and arrested for fraudulently using the Get Transcript

00:27:38.799 --> 00:27:42.450
feature and getting people’s information and submitting their tax returns for them.

00:27:42.450 --> 00:27:46.480
He was sentenced to two years in prison. Then there was a Georgia couple who were arrested

00:27:46.480 --> 00:27:50.780
for exploiting the Get Transcript feature and got over $1,000,000 in tax refunds. They

00:27:50.780 --> 00:27:55.149
were both put in prison for years, too. Then there was another guy in Texas who was also

00:27:55.149 --> 00:27:59.830
caught using the Get Transcript feature and submitted false tax returns, too. In fact,

00:27:59.830 --> 00:28:03.669
as I started looking at who’s been submitting fraudulent tax returns like this, the bottom

00:28:03.669 --> 00:28:08.759
of this story began to fall out. Take the case of Danielle, for example. She’s a 27

00:28:08.759 --> 00:28:13.640
year old exotic dancer in Tampa, Florida but she was arrested for tax fraud. She had stolen

00:28:13.640 --> 00:28:17.559
over $1,000,000 in tax refunds from people she didn’t know.

00:28:17.559 --> 00:28:22.019
She continued to get away with it for four years. In fact, in some circles she’s known

00:28:22.019 --> 00:28:26.600
as a pioneer of this stuff. She would organize something called drop parties. This is where

00:28:26.600 --> 00:28:30.590
you get together and swap tactics, stolen personal information data, and teach others

00:28:30.590 --> 00:28:35.679
how to do it. She was eventually caught and put in prison. This made me look up the term

00:28:35.679 --> 00:28:40.210
drop party. This could have been a term she invented but it’s slang used in some circles

00:28:40.210 --> 00:28:45.609
specifically in Tampa, Florida because only in Tampa have I found the term drop to mean

00:28:45.609 --> 00:28:50.549
tax fraud. Okay, okay, I’m gonna play you something that might blow your mind but I

00:28:50.549 --> 00:28:54.040
want to warn you, it’s not safe for work. If you have young kids or something you may

00:28:54.040 --> 00:28:58.460
want to skip ahead three minutes. Here’s the thing; gangster rappers sometimes boast

00:28:58.460 --> 00:29:02.600
about the crimes they commit right in the lyrics. They talk about shooting people, stealing

00:29:02.600 --> 00:29:04.630
stuff, and drug dealing. But listen to this song.

00:29:04.630 --> 00:29:14.600
J-CREEK: [MUSIC] Yours truly, J-Creek, Tom Creek, n–. Tax season again. I need a drop

00:29:14.600 --> 00:29:17.679
hoe bitch. I wanna be your boyfriend. I want a drop hoe. I need a drop hoe.

00:29:17.679 --> 00:29:22.309
JACK: What? This song called Drop Hoe is a ballad about a guy trying to find a girlfriend

00:29:22.309 --> 00:29:27.279
who makes a living off of identity theft tax fraud. It practically goes through step-by-step

00:29:27.279 --> 00:29:29.370
on how to do it. Here’s some more lyrics.

00:29:29.370 --> 00:29:36.140
J-CREEK: [MUSIC] Said her home girl came with a few names, told me all a n– need is a

00:29:36.140 --> 00:29:37.140
laptop, and she gonna show me what to do to make a tax drop.

00:29:37.140 --> 00:29:40.750
JACK: Said her home girl came with a few names, told me all a guy needs is a laptop, and she’s

00:29:40.750 --> 00:29:45.970
gonna show me what to do to make a tax drop and Ima steal your information on the W-2.

00:29:45.970 --> 00:29:50.610
Say she needs an address to get more cards. Wanna be a hood rich honey? Ima show you.

00:29:50.610 --> 00:29:54.429
Told me get a date of birth, don’t forget the social. She got them stacks then went

00:29:54.429 --> 00:29:55.429
tax on the turbo.

00:29:55.429 --> 00:29:58.789
J-CREEK: [MUSIC] Trying to find a drop hoe, it ain’t hard. No, you can look for new

00:29:58.789 --> 00:30:02.950
rims and a paint job. [00:30:00] Keep her hair done, nails done, nice clothes…

00:30:02.950 --> 00:30:07.970
JACK: Wow. Just wow. He even said what tools he used, Turbo Tax. I mean, how popular is

00:30:07.970 --> 00:30:13.149
this crime? You have to hand it to the gangster rap community. They don’t hoard their exploits;

00:30:13.149 --> 00:30:16.869
they share them openly on the public stage. It’s kind of like they’re saying hey,

00:30:16.869 --> 00:30:22.480
this is what we do down in Tampa. But seriously, has tax fraud gotten to the point where gangster

00:30:22.480 --> 00:30:27.539
rap is in on it? Yeah, I guess so. It appears especially so in the southeast of the US.

00:30:27.539 --> 00:30:32.619
Alabama, Georgia, Louisiana, and Florida top the charts for the most arrests made for stolen

00:30:32.619 --> 00:30:37.999
identity tax fraud. These states are ridiculously higher than the others. Keep in mind, they’re

00:30:37.999 --> 00:30:41.700
exploiting people from all around the country but for some reason in this region, a skill

00:30:41.700 --> 00:30:44.809
is passed around on the streets and at drop parties.

00:30:44.809 --> 00:30:48.899
At some arrests I’ve read it’s been an elaborate scheme where one member of the crew

00:30:48.899 --> 00:30:53.820
will go work at a company and steal all the W-2s and then another will file the taxes

00:30:53.820 --> 00:30:58.649
and then someone else will work at a cash-checking place and knowingly cash fraudulent checks.

00:30:58.649 --> 00:31:03.980
This kind of stuff is seen over and over in these states. It’s crazy. This is what I

00:31:03.980 --> 00:31:07.760
mean by the story becomes bottomless as I’m trying to figure out who is behind this, because

00:31:07.760 --> 00:31:12.489
there’s just so many of these cases and it’s a gray line between tax fraud and Get

00:31:12.489 --> 00:31:17.340
Transcript and stolen identities. But knowing this we do get a glimpse on who’s using

00:31:17.340 --> 00:31:19.620
your information and how it’s being used against you.

00:31:19.620 --> 00:31:24.179
You may think this isn’t your problem, it’s the IRS’s problem, but if you rely on or

00:31:24.179 --> 00:31:28.389
expect a large tax return and someone else gets it instead of you, it’s your problem

00:31:28.389 --> 00:31:33.389
now. Sure, the IRS may spend six months investigating and pay it back to you but that delay can

00:31:33.389 --> 00:31:38.789
be a nightmare. We need to protect ourselves. The IRS brought back the Get Transcript feature

00:31:38.789 --> 00:31:42.629
on the website and now it requires additional information like you need to know your mortgage

00:31:42.629 --> 00:31:47.519
account number and phone number to get your transcript. But you can see this KBA authentication

00:31:47.519 --> 00:31:52.019
method is starting to show its age and may not be secure anymore because the information

00:31:52.019 --> 00:31:56.869
that only you know is now known by hackers around the world. Who knows what was stolen

00:31:56.869 --> 00:32:01.379
from that EquiFax breach? Maybe the entire KBA database. This could have exposed all

00:32:01.379 --> 00:32:06.590
of our secret information which would have completely nullified the KBA altogether. The

00:32:06.590 --> 00:32:08.509
KBA system is not just used at the IRS.

00:32:08.509 --> 00:32:12.830
You can also see it over at annualcreditreport.com so it’s possible these thieves are targeting

00:32:12.830 --> 00:32:17.539
your credit records, too. Maybe they already have and nobody noticed or disclosed of this

00:32:17.539 --> 00:32:21.509
breach. It’s also possible that with enough information about you, someone can open a

00:32:21.509 --> 00:32:25.710
credit card in your name and take loans out in your name. Not only does a breach with

00:32:25.710 --> 00:32:30.090
your data impact your tax refunds but it can now put you in a serious debt that you didn’t

00:32:30.090 --> 00:32:34.789
actually spend. The IRS faces thousands and thousands of people trying to conduct tax

00:32:34.789 --> 00:32:39.149
fraud every year. They’re successful at stopping most of it and even putting thousands

00:32:39.149 --> 00:32:44.820
of fraudsters in jail but the security they put in place today may not work next year.

00:32:44.820 --> 00:32:48.690
The IRS doesn’t have traditional security problems that take traditional security solutions.

00:32:48.690 --> 00:32:53.760
They’re developing extremely advanced filters and algorithms to detect fraud and have done

00:32:53.760 --> 00:32:57.779
an amazing job at mitigating it. But it’s one of those things that will never get down

00:32:57.779 --> 00:33:02.239
to zero because fraudsters will continuously be looking for loopholes or weak security

00:33:02.239 --> 00:33:06.741
measures and exploit them whenever they can. I can’t imagine the nightmare of trying

00:33:06.741 --> 00:33:11.769
to secure the IRS. Because it collects over three trillion dollars in tax revenue a year,

00:33:11.769 --> 00:33:17.899
it’s a red hot target. The IRS sees an endless amount of attacks, scams, frauds, and thieves,

00:33:17.899 --> 00:33:23.190
especially during tax season when criminals can try to hide in the mass amounts of tax

00:33:23.190 --> 00:33:26.840
returns being sent. One of the biggest problems with the IRS’s website is that it has to

00:33:26.840 --> 00:33:32.040
be easy enough for the elderly to use but actually secure at the same time. I’m not

00:33:32.040 --> 00:33:36.119
sure if forcing everyone to register with an e-mail or two-factor authentication is

00:33:36.119 --> 00:33:37.119
even doable.

00:33:37.119 --> 00:33:40.350
It’s such a complex issue that it actually gave me a headache trying to figure out a

00:33:40.350 --> 00:33:43.970
solution to this problem. This is the new threat landscape that governments have to

00:33:43.970 --> 00:33:48.990
face though, and these attacks are getting bigger and more sophisticated. In 2016 we

00:33:48.990 --> 00:33:54.539
saw a rash of companies getting breached and what was stolen was simply their W-2 tax statements.

00:33:54.539 --> 00:33:58.919
Past and present employees from CGATE and Snapchat had their W-2s stolen which was enough

00:33:58.919 --> 00:34:03.460
information for those street gangs to file returns and open credit cards up in your name.

00:34:03.460 --> 00:34:07.340
I’ll leave you with some recommendations on how to keep yourself safe with the IRS.

00:34:07.340 --> 00:34:13.500
First, go to irs.gov and register at the site. Link your identity to your e-mail address.

00:34:13.500 --> 00:34:17.770
This will prevent criminals from registering for you. This is a simple thing to do so there’s

00:34:17.770 --> 00:34:18.770
no excuse not doing it.

00:34:18.770 --> 00:34:22.740
If you want to take it a step further, register for the IP PIN. This is a unique number that

00:34:22.740 --> 00:34:27.470
you must have to complete your taxes but the problem is you can’t opt out of the IP PIN

00:34:27.470 --> 00:34:32.139
and it changes every year. If you take this path, you’re taking it for life. Third,

00:34:32.139 --> 00:34:36.040
freeze your credit at all free credit monitoring agencies. This way, nobody can take loans

00:34:36.040 --> 00:34:40.849
out in your name or open new lines of credit. Lastly, file your taxes early before the bad

00:34:40.849 --> 00:34:43.109
guys can do it for you.

00:34:43.109 --> 00:34:48.099
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. This show is

00:34:48.099 --> 00:34:52.760
made by me, Mr. Ribbit, Jack Rhysider. When I say it was made by me, I mean everything;

00:34:52.760 --> 00:34:57.079
the research, the writing, the music design, the editing, and the narration. It takes a

00:34:57.079 --> 00:35:00.859
lot of work to make each episode so I would really appreciate it if you showed support

00:35:00.859 --> 00:35:06.190
[00:35:00] by going to patreon.com/darknetdiaries and donate to the show. Donations can only

00:35:06.190 --> 00:35:11.260
bring good things like better audio, better stories, more stories, and less ads. The theme

00:35:11.260 --> 00:35:17.950
music for this show was created by the beat master toe-tapper Breakmaster Cylinder. Peace.