Foresenics - Informática forense

Isn't it nice?

10/03/2016 07:23 PM Comment(s) By Foresenics

The IRS has suspended an online tool used to retrieve Identity Protection PINs -- a six-digit number needed by victims of tax refund fraud to file their taxes electronically -- after reports that the system suffered the same security weakness that allowed fraudsters to trick another agency tool into giving up taxpayer information last year.

"The IRS is conducting a further review of the application that allows taxpayers to retrieve their IP PINs online and is looking at further strengthening the security features on the tool," the IRS said in a statement Monday.

Concerns about the tool were thrust into the spotlight last week after journalist Brian Krebs wrote about a South Dakota woman, Becky Wittrock, who said fraudulent tax returns were filed in her name two years in a row -- and that the phony filing this year included her stolen IP PIN. That PIN was meant to add a layer of security to prevent this exact type of problem.

Wittrock was an apparent victim of a type of identity theft known as tax refund fraud, a scam where criminals file phony, often inflated, tax returns in an attempt to steal other people's refunds.

The IRS said in the statement that it had mailed out 2.7 million IP PINs to taxpayers this year and that only about 130,000 of them used the "Get an IP PIN" tool on the agency's website to access a lost or forgotten PIN.

The online IP PIN retrieval tool required information such as a taxpayer's name, date of birth, Social Security number, last filing status and the mailing address from their last tax return. It also asked a handful of "knowledge-based authentication" questions drawn from a person's credit history.

Unfortunately, answers to those questions can often be figured out by consulting public online sources such as social media networks or real estate tracking sites like Zillow -- or even by guessing. And the other personal information could have fallen into fraudsters' hands through past breaches, including an incident involving the IRS's "Get Transcript" tool last year. The "Get Transcript" tool also relied on "knowledge-based authentication" to prove a taxpayer's identity and may have allowed criminals to access the tax information of more than 700,000 people, according to the IRS's latest update on the scale of that breach. The agency took the "Get Transcript" system offline after the problems last year, but it left the "Get an IP PIN" tool up.