Krebs reported that the IRS suspended online lookup of your six digit IPPIN. I agree that was the least secure part of the process and earlier in the month wrote:
Next, I had to answer four questions to confirm my identity. Two had an answer of “n/a” just like the annual credit report system. I don’t think this is overly difficult for the bad guys to get past nor does Krebbs. In fact, the best way to protect yourself against this is to sign up so your identity already has an account and nobody else can sign up for you.
This problem was avoidable though. The IRS should have required people to register for an online account or at least supplying an email when signing up for the mailed PIN in the first place. That way they know who the account is supposed to belong to.
After all, someone would get a message that the account was already created if someone tried to steal my IPPIN. (Don’t bother, I’ve already submitted my taxes.)
The IRS said they will be using a different system next year. Curious to see what they do given you can’t opt out of IPPIN!