This discussion has been archived.
No new comments can be posted.
by Anonymous Coward writes:
Wouldn't filing dozens/hundreds of fraudulent returns with the wrong PIN be pretty easy to spot? While attackers may be able to mask their location/identity through various means, they can't mask which account they're trying to penetrate; just lock down an account if too many wrong PINs are used with a decent amount of other information that is correct (SSN, name, etc). This should prevent fraudulent access while limiting the ability of attackers to try to lock down the entire system by spamming it.
by raymorris ( 2726007 ) writes:
> Just lock down an account if too many wrong PINs are used
The bad guys don't care which account they access. Suppose you limit it to four tries at a PIN. The bad guys try 250 accounts with four PINs each, not one account with a thousand PINs.
Locking out the account rather than the attacker is just DOSing yourself. I like to call this the Broken MS Windows fallacy, because Windows does it.
by Anonymous Coward writes:
"is just DOSing yourself"
That's why I noted the other criteria (SSN, Name, etc). While an individual fraudster might have detailed information on a few dozen/hundred accounts they probably don't have it for thousands plus accounts (or at least hopefully). If the attempt is missing confidential information that would cause it to fail authentication anyways the PIN attempt wouldn't count towards the account lockout. For those returns that have been compromised to that degree they should probably necessitat
by DarkTempes ( 822722 ) writes:
There have been so many major database leaks at this point that I feel it's a given that your name, address, SSN, etc are probably in the hands of nefarious people.
Remember when Slashdot reported multiple databases holding detailed information on millions of U.S. voters were publicly available online?
One had 154 million voters with names, addresses, social networking accounts, etc.
If you google database leaks you'll see leaks involving hundreds of thousands of records that include social security numbers.
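The two counters this thread contrasts, run side by side over constructed events, as an added example that is not from any commenter: a per-account lockout that counts only wrong PINs submitted with otherwise correct identity fields, and a per-source count of distinct accounts failed. The event tuple layout, the `src-*` labels, the threshold of 20 accounts, and the availability of a stable source identifier are all assumptions.

```python
from collections import defaultdict

PIN_TRIES_ALLOWED = 4     # per-account limit from the thread's example
SPRAY_ACCOUNT_LIMIT = 20  # assumed threshold: distinct accounts failed per source

def build_events():
    """Constructed sample data: (source, account, identity_ok, pin_ok)."""
    events = []
    # Sprayer: 250 accounts x 4 wrong PINs each, identity fields correct.
    for acct in range(250):
        for _ in range(PIN_TRIES_ALLOWED):
            events.append(("src-A", f"acct-{acct:03d}", True, False))
    # Legitimate filer who mistypes the PIN five times.
    events += [("src-B", "acct-900", True, False)] * 5
    # Wrong identity data: fails authentication anyway, so it is not counted.
    events += [("src-C", "acct-901", False, False)] * 10
    return events

def analyse(events):
    per_account = defaultdict(int)          # counted PIN failures per account
    per_source_accounts = defaultdict(set)  # distinct accounts failed per source
    guesses = defaultdict(int)              # counted PIN guesses per source
    for source, account, identity_ok, pin_ok in events:
        if pin_ok or not identity_ok:
            continue  # only wrong PINs where the other fields matched count
        per_account[account] += 1
        per_source_accounts[source].add(account)
        guesses[source] += 1
    # Assumption: the lockout trips on the attempt after the allowed four.
    locked = sorted(a for a, n in per_account.items() if n > PIN_TRIES_ALLOWED)
    spraying = sorted(s for s, accts in per_source_accounts.items()
                      if len(accts) >= SPRAY_ACCOUNT_LIMIT)
    return locked, spraying, dict(guesses)

if __name__ == "__main__":
    locked, spraying, guesses = analyse(build_events())
    print("locked accounts:", locked)
    print("sources flagged for spraying:", spraying)
    print("PIN guesses per source:", guesses)
```

The per-account counter locks only the filer who mistyped, while the source that made a thousand guesses across 250 accounts is caught only by the breadth counter.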