PPS asking for SSN and DoB

#1
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
Just spoke with PPS and the lady I spoke with asked for my SSN then date of birth, before asking for my name and CAF. Apparently, this started today and she said it is because CAF numbers have been compromised. I have no idea how true that is. I have spoken with NAEA and they were unaware. Has anyone else been asked for SSN and DoB this morning?
 

#2
wel  
Posts:
116
Joined:
3-Sep-2016 4:29am
Location:
USA
Same thing happened to me.
 

#3
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
So now CAF numbers have (apparently) been compromised. It seems to me this is important information that the IRS should share with practitioners. As more and more practitioner data is out there, the more vulnerable we are. And that makes our clients more vulnerable too.

I am feeling less and less confident about the IRS's ability to keep identifying data secure. This extends to E Services. Yes, there are new authentication procedures. But there is also a new phone app that practitioners can use to authenticate their identity. Just how secure is that app? It seems to me that could be a weak link. Think how often phones are stolen or lost.

I have not updated my E Services account (I rarely if ever need to get a transcript for a client). I am seriously thinking of sitting this one out.
 

#4
HGCO  
Posts:
37
Joined:
10-Aug-2015 7:13pm
Location:
USA
irc162 wrote:So now CAF numbers have (apparently) been compromised. It seems to me this is important information that the IRS should share with practitioners. As more and more practitioner data is out there, the more vulnerable we are. And that makes our clients more vulnerable too.

I am feeling less and less confident about the IRS's ability to keep identifying data secure. This extends to E Services. Yes, there are new authentication procedures. But there is also a new phone app that practitioners can use to authenticate their identity. Just how secure is that app? It seems to me that could be a weak link. Think how often phones are stolen or lost.

I have not updated my E Services account (I rarely if ever need to get a transcript for a client). I am seriously thinking of sitting this one out.


Excellent, Excellent comment. I previously had an E Services account (which I too have rarely used). I thought to update the account late yesterday. Not at all comfortable with the overly intrusive personal information required; entry of DOB, last 4 of SSN, verification step allowing access to credit file or mortgage account, cell phone number; way, way too much information required! I went through all of the steps and came to the point of entering a new password. Arriving at this section of the process I noticed a red triangle at the top of the page stating words to the effect that my email address has been previously associated with my account. Duh! I guess so, it is the email address that I originally used when I registered with E services in the first place years ago. It is the same email address that I just used in an earlier verification stage of the update procedure! I entered a password, selected a phrase, and an image to associate with my account - nothing happens; the final step of the process doesn't occur. I repeat all of the required steps two more times, and still nothing happens except the red triangle at top of page indicating that I previously used the same email address shows again. I think that I will not take any further steps in attempting to update my E Services account. I wish I never gave consent to access my credit file or cell number for use in the verification process! The more efforts taken to "secure data" only makes you more subject to compromise.
 

#5
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
Aside from the security of my personal information, what scares me is the potential liability here. If my E Services account gets accessed and is used to access a client account----and they suffer harm as a result----am I liable? Opening an E Services account is not a requirement; it's something a tax practitioner chooses to do. For that reason, I am not certain that all of the liability burden falls on the IRS, especially if it is not clear how the bad guys got access to my E Services account.

The CAF issue is part of this. With my CAF number, data available publicly about me and my firm (like my EIN, address etc.), it gets a lot easier to create a fake POA in my name, perhaps using client data from one of the many data breaches. And then if the bad guys had access to my E Services account (which they could use to file the POA), a lot of damage could be done.

My concern is that, by setting up an E Services account, we are creating a door that some bad actor can walk through. And since we "voluntarily" created that door, we might not be entirely clear of liability.
 

#6
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
irc162 wrote: With my CAF number, data available publicly about me and my firm (like my EIN, address etc.), it gets a lot easier to create a fake POA in my name, perhaps using client data from one of the many data breaches. And then if the bad guys had access to my E Services account (which they could use to file the POA), a lot of damage could be done.


Could you elaborate on this? I don't understand what you're referring to. One can't file a POA via e-Services, and I don't think your EIN is publicly available. What damage could be done? The ability for the bad tax professionals to efile fraudulent returns claiming refunds has been getting more difficult over the past year or two, for a variety of reasons.

The whole point is to protect access to your e-Services account. If you don't have one or don't want to use it, then by all means shut it down. But I think you still need some type of online account with IRS to manage your EFIN.
 

#7
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
Well, after almost a week of calling the IRS pretty much every day without issues, I have been asked for SSN and DoB again. The reason given was, again, compromise of CAF numbers. I called NAEA last week. They noted what I had reported but I have not heard from them since then. If CAF has been compromised, shouldn't the IRS at least admit it so that we can all work together? If CAF has been compromised, is there really any point in asking me to divulge more private information to them?

I am so close to filing returns on paper this year.
 

#8
Posts:
2809
Joined:
22-Apr-2014 1:34pm
Location:
North Carolina
Supposedly the Internal Revenue Manual was updated effective January 3, which puts these new procedures in place. There is a short article Journal of Accountancy put out regarding this.
 

#9
Posts:
79
Joined:
21-Apr-2014 3:11pm
Location:
South Dakota
I received an email today from the IRS stating a policy change regarding calls to PPS. Soc Sec # & DOB will be asked for prior to any information being given over the phone. Below is a portion of the email I received.

The IRS continues to review its procedures to better protect sensitive taxpayer data. As part of this effort, the IRS will request additional information from tax professionals who contact us through the Practitioner Priority Service or any toll-free IRS telephone number.

This procedural change will require tax practitioners to provide personal information so that our customer service representatives may confirm their identities. This additional information may include data such as your Social Security number and your date of birth. This personal information, in addition to the CAF number, is necessary to verify the identities of the person to whom we are releasing taxpayer information.

We’ve also made an update to Form 2848, Power of Attorney, and Form 8821, Tax Information Authorization, that will require you to inform your client if you are using an Intermediate Service Provider to access client transcripts via the Transcript Delivery System. A box must be checked if you are using a third party. We define Intermediate Service Providers as privately owned companies that offer subscriptions to their software and/or services that the taxpayer’s authorized representative can use to retrieve, store, and display tax return data (personal or business) instead of obtaining tax information directly from the IRS. The IRS must know who is using our tools; and taxpayers must know when a party other than their authorized representative is involved in accessing their sensitive data.

We realize there have been a number of changes for tax professionals in recent weeks. But each change is intended to enhance protections for you and your clients. Unfortunately, business as usual is no longer an option. Cybercriminals are well-funded, persistent and adept at stealing data from outside the IRS and using it to eventually file fraudulent tax returns. As cybercriminals evolve, so must we.

As part of our efforts, we also have strengthened protections for IRS e-Services. If you are an e-Services account holder, we urge you to immediately upgrade your account through our new two-factor identity verification process. Some of you may need to complete this process by mail which could add 10 days or more to the process. Please, do not wait until the start of filing season or until you have an urgent need for one of the e-Services tools before updating your account.

In the future, we will be asking each e-Service user to sign a new user agreement intended to ensure that all tax professionals understand their security obligations. We will share this information with you in advance.

Protecting you and your clients from identity theft is a paramount issue for us. But we can’t do it alone. We need your help and your understanding as we continue to review and enhance our procedures.
 

#10
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
I got that email from NAEA today. Seaside, I am curious to know when Journal of Accountancy published their article. Is it a failure of the IRS or a failure of the NAEA? My NAEA subs are due at the end of March and I am keen to know....
Last edited by SumwunLost on 10-Jan-2018 9:29am, edited 1 time in total.
 

#11
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
Some further thoughts after a good night's rest. They are going to be asking us about information contained on our own tax returns. Isn't that the same information used to validate an e-services session? Why is that a good security measure? Why is it not an atrociously bad one?
 

#12
sjrcpa  
Posts:
6563
Joined:
23-Apr-2014 5:27pm
Location:
Maryland
Here is the Journal of Accountancy piece.
https://www.journalofaccountancy.com/ne ... =10Jan2018
 

#13
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
SumwunLost wrote:They are going to be asking us about information contained on our own tax returns. Isn't that the same information used to validate an e-services session? Why is that a good security measure? Why is it not an atrociously bad one?


This thread is bouncing back and forth between PPS and e-services, which obviously are two different things, with different security measures.

E-services is implementing modern two-factor authentication for online access, based on information and devices (cell phone) extending far beyond the tax return info. PPS can't easily use this approach, and in the past I believe has basically relied on knowledge of the taxpayer's info to authenticate. With more avenues being shut off to the fraudulent tax preparers due to successful Security Summit actions, perhaps they are now using PPS to try to glean info? I don't know. However, the questions PPS is now asking don't seem any more intrusive than the questions your bank, utility, or Internet service provider might ask at the beginning of a phone support call. I mean, I guess they could ask you for your postal ZIP code, like the gas pump does for my credit card. Probably they should have a rotating set of questions, so you would not know ahead of time exactly what they were going to ask.

"Why is that a good security measure? " - because it is better than no security regarding the identity of the tax pro. Again, it seems to match industry standards for banks, etc.

" Why is it not an atrociously bad one?" - Why do you think it might be atrociously bad? It certainly isn't causing any harm, is it? And while DOB may not be any more confidential than SSN, it is not normally contained on any taxpayer copy of the 1040 tax return (although CA does print it on the front page of the 540 form, not sure if they are finally discontinuing this, although my software now allows me to mask it).
 

#14
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
Makbo, consider this. You have an ATM card and access to online banking. You need to speak with your bank and telephone their customer service line. The agent asks for your online account password and your ATM card PIN. Would you comply?

It seems to me that the IRS is asking us to give their employees information that could be used to impersonate a tax professional via e-services. Why does that make sense?
 

#15
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
The banks don't ask for passwords. Good passwords are known only to the user, they are encrypted at the other end, so even if you told them your password, they couldn't validate it short of logging in under your name. PINs are another matter, they are essentially very weak passwords and often are not encrypted, but they still can operate as a shared secret (since you need the physical card in addition to the PIN to actually withdraw money). Since I called them, at a known good customer service number, I probably would share the PIN if I really needed to continue with the call. The PIN without my card is not very useful to anyone, and certainly not to the bank employee.

"It seems to me that the IRS is asking us to give their employees information that could be used to impersonate a tax professional via e-services. Why does that make sense?"

Again, I think you are drawing a connection between PPS and e-services that doesn't exist. Let's take your statement in two parts.

" used to impersonate a tax professional via e-services" That is nowadays a fairly high barrier. First, the impersonator would need your password, which must be changed regularly and which meets industry standard complexity rules, and they would also need real-time access to texts sent to your cell phone. Not impossible to hack a cell phone, but beyond the reach of most, certainly not the path of least resistance (and the bad guys don't want any extra work, they always switch to something easier). Or, if not yet registered, the would-be impersonator would need access to your credit report info, your physical U.S. mailbox, and/or your cell phone. Look, even some legitimate users are complaining about how hard it is to authenticate under the new system, so it's not going to be easy for the bad tax preparers to do so.

"asking us to give their employees information that could be used" Guess what, the employees already have the information. They are simply using it as a "shared secret", such as your Form 1040 AGI for a given year, to authenticate you. You know that you initiated the PPS call to the IRS (you are not talking to a scammer), so how do you see giving them something they already know as a security risk? I would say the only problem is that the SSN and DOB are too weak to use as a shared secret, they should use AGI, or some other stronger shared secret. (At least they aren't using mother's maiden name!) But that would be less convenient, wouldn't it? And security is inversely proportional to convenience.

My point is, in no way are the PPS questions making anything any worse, or increasing your risk, they are only possibly increasing the authentication of your phone call. If you still disagree, please give a specific example of how a bad guy could use the information you spoke over the phone to a known IRS employee to his own advantage, starting with how he would get access to the audio of the conversation in the first place, and then how would he use your SSN and DOB information?
 

#16
CathysTaxes  
Moderator
Posts:
3572
Joined:
21-Apr-2014 9:41am
Location:
Suburb of Chicago
makbo wrote:The banks don't ask for passwords. Good passwords are known only to the user, they are encrypted at the other end, so even if you told them your password, they couldn't validate it short of logging in under your name. PINs are another matter, they are essentially very weak passwords and often are not encrypted, but they still can operate as a shared secret (since you need the physical card in addition to the PIN to actually withdraw money). Since I called them, at a known good customer service number, I probably would share the PIN if I really needed to continue with the call. The PIN without my card is not very useful to anyone, and certainly not to the bank employee.

"It seems to me that the IRS is asking us to give their employees information that could be used to impersonate a tax professional via e-services. Why does that make sense?"

Again, I think you are drawing a connection between PPS and e-services that doesn't exist. Let's take your statement in two parts.

" used to impersonate a tax professional via e-services" That is nowadays a fairly high barrier. First, the impersonator would need your password, which must be changed regularly and which meets industry standard complexity rules, and they would also need real-time access to texts sent to your cell phone. Not impossible to hack a cell phone, but beyond the reach of most, certainly not the path of least resistance (and the bad guys don't want any extra work, they always switch to something easier). Or, if not yet registered, the would-be impersonator would need access to your credit report info, your physical U.S. mailbox, and/or your cell phone. Look, even some legitimate users are complaining about how hard it is to authenticate under the new system, so it's not going to be easy for the bad tax preparers to do so.

"asking us to give their employees information that could be used" Guess what, the employees already have the information. They are simply using it as a "shared secret", such as your Form 1040 AGI for a given year, to authenticate you. You know that you initiated the PPS call to the IRS (you are not talking to a scammer), so how do you see giving them something they already know as a security risk? I would say the only problem is that the SSN and DOB are too weak to use as a shared secret, they should use AGI, or some other stronger shared secret. (At least they aren't using mother's maiden name!) But that would be less convenient, wouldn't it? And security is inversely proportional to convenience.

My point is, in no way are the PPS questions making anything any worse, or increasing your risk, they are only possibly increasing the authentication of your phone call. If you still disagree, please give a specific example of how a bad guy could use the information you spoke over the phone to a known IRS employee to his own advantage, starting with how he would get access to the audio of the conversation in the first place, and then how would he use your SSN and DOB information?

As a retired computer programmer, I agree with most of your points but it is entirely possible to hack into and decrypt passwords. Most of my companies that I worked for used the same vendor package for financial/payroll applications and this package was a specialty of mine. Its proprietary software was its own language for the online portion. The database included the security tables, code behind the online portion, and the application data. During a meeting with our team and security, I was trying to make a case to separate the security tables and code into separate, more secure backups because the data could easily be browsed. My arrogant security dude replied that the passwords were encrypted. I stared at him and startled him when I said that I could break the encryption in five minutes (at my previous employer I had to do just that to automate a process for that security team). Needless to say, the team agreed to my suggestion and since security had been asking for a hardcopy report of the passwords, they got that.
Cathy
CathysTaxes
 

#17
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
OK makbo, I'll boil it down to something fundamental. It is a long-standing practice that civil servants must only have access to information on a need-to-know basis. Do you agree with that view? If not, I would be interested to hear why not. Why should a human being at the IRS have ready access to my tax return information, when my return is not the one at issue? (As an aside, I am pretty sure I never consented to such information being readily available to an employee, other than on a need-to-know basis.)

My wife also wants to know why her information is of any relevance in me doing my job.

A wee thought for you. The crest of the Chartered Institute of Taxation in the UK includes two owls at equal height. The owls, of course, represent wisdom and the equal height represents equality of tax professionals in public accounting and tax professionals in HM Revenue & Customs. Do you think we have equality with the professionals in the IRS? Do you think we should have equality with them? You have mentioned before that you have a libertarian streak. I do not see any signs of that in your opinions in this matter.
 

#18
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
Sumwun, I wasn't really thinking of the issue regarding IRS employees themselves, but I see your point. I was only considering the security issue of authenticating you vs. a bad guy tax preparer, not the possibility that the IRS employee was an opportunist looking for ways to either steal from or harass you. I guess the same concern would apply vis-a-vis your tax clients and your own staff employees, if any.

As a practical matter, I don't think we have much choice in today's world but to assume that the people who answer the support phones we call (as opposed to the people who initiate calls to us) are vetted as employees by the bank or the IRS. You may say that somehow my call to the bank is voluntary, while my call to the IRS is not, however there are ways to work with the IRS that don't involve having a third party (representative) call IRS on the phone, so that too is a voluntary choice.

As for using tax return info to authenticate you, you're right, that is probably not a good source of shared secrets. However I don't see SSN and DOB as "tax return info". The SSN was never intended to be secret, it is only lazy and ignorant bureaucrats, especially those outside of government, who created the problem with SSN confidentiality. And your DOB is on your birth certificate, your passport, your driver's license, and so on, it's hardly something you can consider confidential. Some people, I hear, even use their real birthdate when they sign up for Facebook! :cry:

One fix would be two-factor authentication (2FA) for phone calls. For example, you call in, identify yourself, and then the support person calls you back at a known good phone number associated with you. Or, they send a temp code to your email, which you then have to read back to the person on the phone. Then you would not have to provide any PIA over the phone, just like you don't have to provide PIA simply to log in to e-services (different from the PIA you provide to register).

Just yesterday, I had to call my credit union about a typo on some final loan paperwork, and the phone support person, in order to authenticate me, asked me for my CU account number, my DOB, and my phone number. Since I was calling an 800-type number, I'm pretty sure my phone number was actually displayed on the other end, but I gave it anyway. I often suspect, but can't confirm, that the real purpose of these questions is to get a recording of my voice providing answers, as a CYA for bank or other institution. (These calls always include notification that they will be recorded "for quality purposes"). Maybe someday they will use technology to try to detect stress levels in my voice to see if I am lying.
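The shared-secret discussion in #15 and the out-of-band code idea in #18, worked through as an added example that is not part of this thread or of any IRS or bank system. It is a hypothetical in-memory phone-support verifier: the account ids, the contact on file, the server key and the outbox are constructed placeholders, and the point it shows is that a short-lived, single-use code bound to a registered contact cannot be replayed the way a static SSN/DOB answer can.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical call-center verifier (constructed for this example). A static
# shared secret such as SSN/DOB can be repeated by anyone who learned it, so
# the caller is instead challenged with a short-lived, single-use code sent
# to a contact point that is already on file for the account.

CODE_TTL_SECONDS = 300   # a code is useless five minutes after issue
MAX_ATTEMPTS = 3         # lock the challenge after three wrong guesses


@dataclass
class Challenge:
    code_hmac: bytes        # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class PhoneVerifier:
    def __init__(self, server_key: bytes, contacts: dict[str, str], clock=time.time):
        self._key = server_key              # server-side secret for the HMAC
        self._contacts = contacts           # account id -> registered e-mail/phone
        self._clock = clock                 # injectable for testing expiry
        self._pending: dict[str, Challenge] = {}
        self.outbox: list[tuple[str, str]] = []   # stands in for SMS/e-mail delivery

    def _digest(self, account: str, code: str) -> bytes:
        # Bind the code to the account so a code issued for one account
        # cannot be presented for another.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account: str) -> bool:
        """Issue a fresh code to the contact on file; False for unknown accounts."""
        contact = self._contacts.get(account)
        if contact is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"    # six random digits
        self._pending[account] = Challenge(
            code_hmac=self._digest(account, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self.outbox.append((contact, code))          # delivered out of band
        return True

    def verify(self, account: str, code: str) -> bool:
        """True exactly once, for the right code, inside the TTL; otherwise False."""
        ch = self._pending.get(account)
        if ch is None or ch.used or ch.attempts_left <= 0:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[account]               # expired: caller must restart
            return False
        ch.attempts_left -= 1
        if not hmac.compare_digest(ch.code_hmac, self._digest(account, code)):
            return False                             # wrong guess, one attempt burned
        ch.used = True                               # single use: a replay fails
        return True
```

A real deployment would also log every challenge and outcome for the call record, and rate-limit `start` so the contact on file is not flooded with codes.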
 

#19
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
For years, we have been asked/required to obtain a whole host of IRS related numbers: EIN, EFIN, CAF, and PTIN. In order to obtain those numbers, we had to go through vetting processes and submit all kinds of info (in some cases, even fingerprints). Even so, when you call PPS, you are asked to provide your SSN and DOB. This is like a throwback to the 60's. The IRS appears to be using the SSN/DOB as a de facto password. This from the agency that has told us for years to restrict the use of our SSN.

After the Equifax data breach, with so much info out there, it isn't even a very good password.

Like SumwunLost, I am concerned about putting our personal information needlessly into the hands of IRS employees. Just recently, there was a case in which a taxpayer call to an IRS employee was "inadvertently" broadcast live----by the IRS rep---on the Howard Stern show.

https://www.washingtonpost.com/news/mor ... 258edfc19a

That may not say much for the IRS employee screening process.

I disagree that PPS and E Services are unrelated. They are both part of the IRS tool set, and we are being asked to submit personal information for both. It is not unrealistic to think that the same overall security strategy applies to both. How long before we will be asked to input our SSN every time we sign on to E Services? It's a slippery slope.

Yes, there are alternatives to using both PPS and E Services. I think that is what some of us are grappling with here. Are there other ways to serve our clients that don't involve divulging our personal info? Are the benefits worth the risk? We have a responsibility to ourselves and our clients to ask those questions and not just "go along with the program."
 

#20
Posts:
3749
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
irc162, thank you for putting my thoughts into more temperate language. I have been seething about this since NAEA sent out the statement from the IRS.

What I heard from the IRS agents I spoke with is that the CAF system had been compromised. Look closely at the IRS statement and the one at https://www.irs.gov/newsroom/security-s ... approaches - nowhere does it specifically link this to FATPs' lax practices being responsible for this. For those interested, here is a link to a Scottish political website, but it applies here too: https://wingsoverscotland.com/the-headl ... ays-a-lie/. We need answers to this. Has CAF really been compromised? If so, when may we expect the IRS to admit this and do something about it?

I would also really, really like the IRS to explain what my wife has to do with the practice of my profession. My wife has been a psychiatric nurse, who has taken care of some very dangerous people who were too ill to be charged with capital murder. She's very level-headed, yet this has bothered her since I told her about it. That worries me on more than one level.
 
