Federal student aid site offers one-stop shopping for ID thieves

  News
image_pdfimage_print
Enlarge / Former First Lady Michelle Obama delivers remarks during a FAFSA workshop in 2014. Identity theft was not the kind of “getting schooled” the First Lady had in mind.

The arrival of the holidays heralds another season soon to arrive: the tax season and, with it, the tax-return fraud season. And while the Internal Revenue Service has made some moves toward stanching the flow of fraudulent tax returns filed by cyber-criminals, another government agency is offering up fresh fuel to fraudsters’ efforts: the US Department of Education.

On November 24, security reporter Brian Krebs revealed how the agency’s site for the Free Application for Federal Student Aid (FAFSA) not only allows students to apply for financial assistance, but it also allows anyone with a student’s name, Social Security number, and date of birth to access all of the information they’ve entered in their application—and even some they may not have. And that data includes tax data that could be used to submit fraudulent electronic tax returns, including adjusted gross income (AGI) from the previous tax cycle.

Back in March, the Education Department and the IRS shut down a system called the Data Retrieval Tool that allowed FAFSA applicants to automatically populate fields in their applications from their IRS tax records. The reason: more than 100,000 taxpayers may have had their information fraudulently retrieved through the FAFSA application system. A similar concern arose two years ago over a federal student loan application system that also tapped into IRS data and over an IRS PIN tool meant to allow taxpayers to protect their electronic filing.

But while the tool has been shut down, that same information is required to complete aid applications—so while it can no longer be used to harvest information without students applying for aid, it can still be used to target students who have applications in the system. More than 20 million students applied for financial aid during the 2015-2016 school year.

While the FAFSA website prompts for an “FSA ID” (a user-created username and password), site users can also log in with first and last name, date of birth, and SSN—regardless of whether an FSA ID has been set up or not. That provides access to all of the information within the FAFSA application—more than 200 fields of information, which include more detail than a credit report on many personal pieces of information for both students and their parents. Those fields include permanent address, driver’s license number, marital status, immigration data, whether the student has a drug conviction, income tax paid, net worth, child support payments, and veteran status, among many others.

Krebs recommends that anyone who has applied for financial aid get a free copy of their credit report and consider a security freeze on their credit reports as a defense against identity fraud.