Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Super Simple Security Principles. I'm Nick Jackson, and I want to love computers.
(00:07):
They don't love me back. I'm learning how to stay safe online from my good buddy
and master guardian, Makani Mason. He wrote his first computer program at the age of six,
sealing his fate as a computer geek. That's it. He knows his stuff, folks. Now he spends his time
(00:34):
teaching people like me and you how to stay ahead of the digital threats we face and those bad guys.
He keeps it simple, and we love it. Learn along with me each week. I'll ask the questions
and make sure he keeps it super relevant and super simple for us. If I can do it, you can do it too.
(01:00):
This is episode 61, How to Stop Hackers from Stealing Your Tax Refund. Yeah, I want to keep
mine. Here are the questions we'll be answering in today's episode. Okay, you ready for this?
What is the website id.me used for? Given our title to this week's episode, I'm going to say
(01:25):
tax something or another. You know, something to do with that. What are two PIN numbers used in
filing your taxes? Not sure, actually. I'm not sure. I didn't even know there was two numbers
used in filing my taxes. How can I get identity protection PIN? This sounds important.
(01:53):
What does it mean in online security to plant your flag? Dude, I'm really hoping this is like a war
fight. This is like, we're going to war. That's kind of what I'm hoping for.
Anyways, dude, this is going to be a good episode. I'm kind of pumped. I don't want to
(02:21):
lose my tax refund. Not only that, there are some years I don't end up with a refund.
Yeah. I don't want anybody to have any information on my tax filings, period.
So this is just an important area to keep safe, to safeguard it sounds like.
(02:44):
Yeah. Well, and it's, for me, one of the fun things about it is this is something
very new for me. I discovered just as I was doing my taxes this year,
that I knew about one PIN, but that I found out about this second PIN.
Okay. The one I've known about for years, it's pretty pointless as far as security
(03:07):
goes, but we're going to talk about that just so there's no confusion between the two.
But this new one is called the Identity Protection PIN, which they often will shorten to IP PIN,
which for me, as a computer geek, I was a little confused because IP
normally stands for Internet Protocol. Right, right. That's exactly what I was thinking of.
(03:31):
Your Internet Protocol connection, or address, excuse me.
Exactly. Your IP address, right? That's what you normally see. But this is not
computer. This is identity protection.
Leave it to our government to take something simple and complicated.
Well, I mean, I don't really blame them. We've got so many acronyms these days.
(03:53):
Everything is an acronym. There's going to be some overlap, you know?
Right. So, but anyway, so this PIN and the website that you need in order to create that PIN
is going to be our main focus for today. Okay.
So, but I do want to start out, like I said, talking briefly about,
(04:17):
well, so what does it look like for somebody to steal your tax refund?
And just so we're 100% clear what we're talking about, what we're protecting against,
because you look like you have something you want to say.
Well, I was going to say, are you asking me that question? Like,
what does it look like to actually have somebody steal our tax refund?
(04:40):
Are you looking for an answer? Or just...
Oh, yeah. Well, no, I wasn't particularly, but I mean, maybe it's an obvious enough question
that you know. I wasn't sure, honestly. I just, that's why I would say I want to make sure it's
clear. So, if it's clear to you already, feel free to explain, because there's not a lot to it
in my mind. Let's totally mess with our master guardian, folks.
(05:06):
That's right. Okay. So, as I envision
what it means to steal somebody's refund, given how we file our taxes online and everything,
I would imagine there is a step or something they could do to bypass and reroute where that refund
is sent, or something to that manner and actually literally take your refund.
(05:31):
Yeah, because, right, the thing is, when you file your taxes, you're doing it mostly around
your social security number, your name, things like that, right? But your bank account isn't
intrinsically tied to any of those things for the government, right? So, normally you can pick a
(05:51):
bank account. I don't know if they do it that way, because that might be traceable. I don't
know if they just ask for a check to be mailed. I'm not sure, actually, how that works as far
as that goes. But they're using your social security number and your personal information.
Okay. Right. Then they just have the tax refund. They do everything in your name,
(06:14):
but then have the tax refund sent to them. Gotcha. That makes sense.
And it's not the most common of attacks, like phishing, for example. But
it, looking at the stats, because I haven't had this happen to me, though, from what I understand
in talking to an accountant, he says it usually takes six months of basically fighting with the
(06:39):
government to get the situation fixed, sometimes as long as two years. That sucks. Yeah, that would
not be fun. And especially these days, I think this is pretty well known now, and we talked about
it in an earlier podcast, but that National Public Data breach, and a lot of others,
(07:02):
but that was a big one. An estimated, the number I found was like 87% of Americans have their social
security numbers known, and at least some of their personal information tied to that. Yeah.
So it's, you know, this attack, even though it's still small, it's just, it's easier than it's ever
(07:22):
been. So I figured when I learned about that this year, this identity protection pin,
you know, and it's super easy. So to me, it's one of those no-brainer steps for everybody to do.
Okay. Okay. Enough said. Enough said. Let's get to it, man. Let's dive in.
(07:43):
Like, you got me ready. Like, no need to convince me I'm in. Okay, good. Well, we always got to
start there, you know, the why, right? What's the value proposition? So the next thing, though,
is I want to talk about the old useless pin that I already knew about, because when I first heard
(08:03):
this, I was like, what about that pin? Like, I was confused at first. Is this the same thing,
and we're using it differently, or what? Because it didn't seem... Anyway, so what they, the IRS
name for the PIN that they have had, and I've been using, is the self-select PIN.
Self-select PIN is the worthless PIN. Yeah, exactly. And it's five digits. So this is one
(08:26):
of the important things, is it's five digits, whereas the identity protection pin is six digits.
So you can use that to, you know, distinguish. And tax return software, like I have used many years,
TurboTax or TaxAct, sometimes they will call it, they have their own kind of name for it,
like they'll call it a signature ID. Okay. The IRS name was the self-select pin, but the
(08:52):
tax software likes to call it signature ID. So you get to choose what your pin is,
and it can be, there's no restrictions on it, except my understanding is you can't put all zeros.
And by default, it stays the same from year to year. The first year, like you ever file taxes,
(09:14):
you don't need one. But then the years after that, they use it like as a basic identity verification,
supposedly, for future years. Okay. Right, so it sounds like security, right? Almost. Right.
Except that if you don't know it, you can just provide your date of birth and the adjusted gross
income from your previous tax return year, and then you don't need the self-select pin.
(09:43):
Gotcha. So I don't know, I'm honestly not sure what the original envisioning and point was it,
because, I mean, clearly they agree with me that there's no security value in it, because they
added this other one. So I honestly don't know, but yeah, so that's all. I just want to make
sure we're clear on what that is. So now looking at the identity protection pin, like I said,
(10:09):
it's six digits. And when it first came into existence, it was given to victims of identity
theft to prevent future problems, like from them getting victimized again. Okay.
Now, as of 2021, however, you can go request one. It's available to anyone. You don't have
(10:32):
to be a victim of identity theft, which is great, in my opinion, because I'd much rather,
right? I'm sure you're on the same page. Let's do it before we have the problem the first time.
Yep. Yep. Right? Yeah. So, and you just create an online account with the IRS and request one.
(10:53):
Okay. And so now let's run through the differences. We're going to talk about a
few characteristics of it and compare them to the self-select pin. So the first thing is,
and most importantly, is not everyone has one by default. Okay. And if you're not sure you do,
then you don't. Right. Yet. Okay. As I mentioned, the identity protection pin is six digits, not
(11:23):
five. It doesn't really matter too much, except just to know if you see one and you're confused
about which pin this is, which I'm trying to provide. The self-select pin, again, is five
digits. The identity protection pin is six digits. Yeah. The next thing is you don't get to choose
your identity protection pin. The IRS assigns it to you. Okay. So, which hopefully is a good thing
(11:50):
because people tend to pick pins statistically that aren't necessarily random or secure,
but we're going to give the IRS the benefit of the doubt that it's a good, you know, just
randomly generated. Mine certainly appeared to me, I couldn't, no obvious pattern for the one that
they chose for me. That's good. So hopefully, hopefully they're all pretty good random ones.
(12:15):
Yeah. Also, every, they will choose a new one for you every January. Unlike, again,
the self-select pin, it just stays the same forever unless you decide to change it. Okay.
And then the last part, and this is absolutely the most important, is it can't just be replaced
(12:38):
with other information like the self-select pin. And what that means is, like, if you,
if you, you know, go and create and request an identity protection pin and then you forget it,
you don't store it in your password manager, you don't write down whatever, then, and you go to try
to file online and you don't put in the right one or don't put in anything, then your return is going
(13:02):
to be rejected. And you will actually have to file a paper return. Okay. And then they'll go
through some, apparently some, you know, the extra identity verification because it's not there.
And so it'll just delay your return, whatever. I don't know exactly what that looks like. There
wasn't a lot of details, but obviously if you do this, you want to make sure you don't lose your
(13:27):
pin. Right. Right. I mean, the thing is... Would this be something you would recommend, like,
saving, like, in your password vault and keeping it stored there, you know, annually? Yeah. Like,
it sounds like, because they're giving us these pins annually, right? Mm-hmm. Yeah. Okay. That's
what I do. And the thing is, you create an account with the IRS to request this and at any time you
(13:51):
can log into that account and see it, which... Okay. Perfect. Okay. May arguably be not the
best security feature, but in any case, that is the way it works. So, I mean, you don't even have
to actually remember it as long as you keep access to your online IRS account too. Right. And set up
good security features and have good security habits there as well. Yeah. Password manager,
(14:16):
this is going to be one you want to dial up as best you can. Yep. Okay. Yeah. So, but the good
news is, with all this, that according to, you know, the accountant I talked to with his clients
and as far as he's heard in the accounting community and whatever, this IP pin has been...
(14:37):
Like, there's no known cases of anybody who has requested one of these and then had, you know,
their tax refund stolen after they had gotten one. Like, it's been, you know, it's been
sufficient enough deterrent, been hard enough for them to get to or whatever. Obviously,
if somebody was able to hack your online IRS account and get in, they still could get that
(14:59):
and bypass it. But, so it's not perfect, but for whatever reason, so far it's been good enough.
So, it's a good layer of protection. Nice. Nice. So, now let's talk about how you get one.
(15:20):
Yeah. And this is where we talk, you know, you were right about the id.me website.
So, it's not, id.me is not a tax website. It's not even a government website.
It's a non-government. Yeah, I know. It's kind of, so it's slightly strange, but it is a familiar
(15:41):
concept. So, you know how when you go to a new website and sometimes instead of creating a new
account with them, they offer to let you log in with your Google account or your Facebook account,
right? Yeah, absolutely. So, that's the same kind of idea here. id.me is, you know, and we've had a
(16:01):
lot of these over the years, but this is one of the latest ones where they're trying to create
this like universal account that you can log in all over the place with just your one login
and they want to be the source of that. Okay. And they convinced, you know, the IRS that they
were a good solution. And I'm not saying they're bad. I don't know a ton about them. I didn't like,
(16:24):
because we don't have a choice. So, I didn't dive into that yet. That's something I'll be looking
into more later, but they did at least have support for passkeys and two-factor authentication
and everything. So, that was good. That's good. Yeah. But anyway, so it lets you log in to
not only the IRS, but the Social Security Administration, some other government
(16:48):
websites. I'm guessing it'll spread. I don't know. But also some non-government websites,
none that I really recognize that I cared about. But anyway, it's not tied to government. It's just
it's the identity. It's the login of choice for the IRS. So, they don't have their own
account that you create with them directly, if that makes sense. Perfect sense. Okay.
(17:15):
So, you know, there'll be a link in the show notes to go, you know, to do that. Perfect.
So, the last thing I want to talk about today is your answer to this question. It made me laugh. I
love it. Was about planting your flag. Yeah. Yeah. So, I mean, you know, war cry might be,
(17:41):
I don't know. I like it. So, here's the idea. You know, it's back in the day. I think even,
I mean, I've seen, you know, movies where like there's the settlers who, you know,
in America are coming across West and they're picking a land. There's even race. There were
races sometimes where you'd go up and, you know, you plant your flag in the piece of land that you
want before anybody else gets there. Right. You've seen things like that. Yeah. The old
(18:05):
Oklahoma Sooner races. Yeah. Yeah, exactly. That kind of idea. And so, that's the same principle
here. And it's something I haven't, it wasn't a phrase that I had in our security lingo before
this in mind. I've seen, like, I didn't get this myself. Got this from some other security people
that I was listening to online. Like, really like this as a good concept, good principle to teach
(18:28):
for our listeners. But, and the idea is that you want to make sure that you go create your accounts,
you know, before the bad guys go do it. Right. So, like before somebody tries to impersonate you,
give them, make it harder. Like, already create your account. You have the login and password,
(18:49):
you know. So, because when you go to id.me, yeah, go ahead. I was going to say,
this reminds me of, like, a fight. Like, this is, this kind of reminds me, this is why. Yeah.
We're not standing waiting to get punched in the face here. We're not waiting for the bad guys to
(19:12):
bring the fight to us. We're taking it to them. Like, we're, we're, we're that step ahead, right?
Like, yeah. You know, do it, you know, like, do your preparations for this war, for this fight
beforehand so that it's an easier battle to win. Yeah, exactly. Because, you know, especially these
(19:34):
days with all the amount of information out there, when you go to id.me, of course, this is for a
government thing and stuff. They're going to go through a lot of steps. They're going to ask you
about your old cars and old addresses and the family members, all that nonsense when they're
trying to verify your identity, right? Right. And, of course, they even do, like, a driver's license
(19:54):
and a video. I mean, it's, it's extensive these days. So, be prepared for that. But, so, that's
going to be hard to bypass anyway. But, anyway, anytime you can create an account ahead of time
is, is a good idea. And so, this is the first place we've been talking about this phrase of
planting your flag, but we talked about this same idea before. I forgot to note the episode, but
(20:19):
create an account with all the credit bureaus. Yeah, right. Same kind of idea. I mean, there it
was explicitly, just like here, it's to create an identity protection pin with the credit bureaus.
Not only do you want to, you want to plant your flag with those credit bureaus, but you want to,
you know, freeze your credit and add the fraud alerts, but it's, it's a lot of the same concept.
(20:42):
And so, this, this plant your flag, you're going to hear, you're going to be, continue hearing about
it from me. It's going to be one of our core, you know, principles. And there, because there's
these two places that we've talked about just now, but then there's a few other places. And one,
yeah, anyway, some interesting other places where you can plant your flag to
(21:04):
be prepared and beat the bad guys to kind of grabbing a hold of a piece of your identity,
so to speak, online. Nice. I like it. Yeah, I really like the, this, yeah, phrases like that.
It's just easy to latch onto concept and just really applicable in a number of places in online
(21:24):
security. So yeah, remember that phrase. I will, man. I'm kind of pumped. I might always associate
it with that war cry, you know, that well, yeah, I will. I'd write, thank you. I was going to get
back to that. Right. Because I mean, you know, think if you were racing and you were, and you
did go claim that land, you know, I'm, you're going to be rejoicing, you know, I mean, you know,
(21:47):
it made me feel like a warrior against the other people or whatever, hopefully not quite that
hostile, but yeah, you know, but of course, you know, if in a military thing, if you're planting
your flag could be very much a war cry too, you know? Yeah. So it's applicable in a lot of areas.
So yeah. Yeah. Yeah. Of course. Awesome. That's all I got for today. That's it. So we've already
(22:16):
reached that point in time. What's our call to action? That went fast. It seemed like it went
fast today for me, man. It did. It flew by. That was a quick one. Yeah. So yeah, basically just go
click on the link in the show notes and go get your identity protection pin set up. As always,
(22:36):
if you have troubles, let me know in the forum. And this one, the primary troubles
that you'll run into, like I said, is just in sometimes, you know, it's like, if you don't
remember your information, your past addresses or whatever, you might have to stumble a little
bit. I mean, I haven't had a problem. I keep extensive notes about that stuff. But yeah.
(23:00):
And just be prepared. I mean, they're going to, you know, they ask for a license, then you have
to do like a little selfie video. Although I think you can call instead. Anyway, there's,
it's an extensive identity verification. So you do want to set aside a few minutes for it,
because it's not just a, like most accounts get set up in like three minutes or whatever,
(23:21):
right? This one, I'd say, you know, give yourself 15 minutes to do it. Okay.
So. So this is going to be one that you're going to want to take some time to set up.
Yeah. It's, you know, there's nothing complicated, just annoying. Yeah. Just steps,
(23:41):
just steps. There's going to be steps. Hoops. Yeah. Yeah, exactly. Right. You just got to
jump through all the hoops to prove that you are, prove your identity. So. Awesome. Awesome.
Okay. Do I get a teaser? Do I get a teaser about next week's episode? Yeah. Oh yeah. Okay. Look,
(24:02):
next week's going to be super fun. I know. I'm pumped for it. I am super pumped. Sometimes
even the experts get caught by something as well understood as a phishing attack.
I'm kind of excited because phishing is still a huge, huge problem. It is still a huge problem.
So in the next week episode, we're going to actually tell the story of Troy Hunt
(24:27):
and the operator of the website, haveibeenpwned.com. Yikes. This is the expert who got
gamed. It sounds like. Yeah. Haveibeenpwned.com. It's a weird. Oh, sorry. My bad. No, I know. And
I should have explained to you that it's weird. It's one of those weird geek speak things. You
(24:50):
know, they replaced the O with a P, you know, it's like, yeah. Well, we're going to walk through
his story. Like this is an expert that might've got gamed and we're going to talk you through
what we can learn from his story. And yeah, I'm super, super pumped. This is going to be
(25:14):
a little more of a lighthearted episode. So we look forward to you tuning in and learning how
even an expert can get gamed occasionally. Yeah. I mean, he goes around teaching security
conferences and he was cool enough though. Yeah. I mean, like he, not only does he have that website,
which I know is going to mean much to most people, but we talked about it once on the podcast
(25:38):
ages ago, but anyway, he teaches people this stuff and he's very good. But anyway,
it was just a moment of tiredness. And so anyway, but he was, he was, I mean,
he did great documentation and it's long. So we're just going to pick out a few highlights
of things. Cause he, you know, he has a lot of technical detail in some cases,
(25:58):
but we're just going to pull out a few highlights of lessons that I think will be very relevant for
our listeners. Awesome. Awesome. Okay. We'll make sure you tune in next week. That was a good
episode, man. Are you ready to take action and wondering where to start? Get my Bulletproof
(26:19):
My Identity Starter Kit for free. The seven most vital layers of protection everyone needs.
I'll send you one step at a time and help you. If you get stuck, just go to bulletproofmyid.com
and enter your name and email, and I will send you the first step again. That's bulletproofmyid.com.