Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes

from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept

The government that wants so badly to be the world’s leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.

So, not actually “hacking,” per se, as much as the gaming of a system just begging to be gamed. The information criminals needed to obtain this data may have been “specific” to each registered taxpayer, but it was also information that rarely, if ever, changed.

This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It’s based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS’ transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.

The IRS is reassuring Americans that its “core systems” remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn’t necessarily all that unique.

In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.

The IRS is quick to add that 23 million records were “safely” downloaded during this same time period, which isn’t really the comforting statement it means it to be. All this means is that millions of downloads weren’t linked to “questionable” email domains. That’s not the same thing as 23 million downloads going to the actual owners of that information.
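As an added defender-side illustration of the audit-log review implied above (not code from the IRS or Techdirt), the snippet groups constructed transcript-request records by registration email domain and flags high-volume domains whose knowledge-based-authentication pass rate departs from the population baseline. The record schema, domain names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of per-request audit records (hypothetical schema, not
# real IRS log data): (email_domain, taxpayer_id, kba_passed).
SAMPLE_LOG = (
    [("bigmail.example", f"tp{i}", True) for i in range(40)]
    + [("bigmail.example", f"tp{i}", False) for i in range(40, 44)]
    # one throwaway domain, 30 distinct taxpayers, half clearing KBA
    + [("burner-123.example", f"tp{i}", i % 2 == 0) for i in range(100, 130)]
    + [("tiny-isp.example", "tp500", True), ("tiny-isp.example", "tp501", True)]
)


def summarize_by_domain(records):
    """Per-domain attempt count, pass count, distinct taxpayers, pass rate."""
    stats = defaultdict(lambda: {"attempts": 0, "passed": 0, "taxpayers": set()})
    for domain, taxpayer, passed in records:
        s = stats[domain]
        s["attempts"] += 1
        s["passed"] += int(passed)
        s["taxpayers"].add(taxpayer)
    return {
        domain: {
            "attempts": s["attempts"],
            "passed": s["passed"],
            "distinct_taxpayers": len(s["taxpayers"]),
            "pass_rate": s["passed"] / s["attempts"],
        }
        for domain, s in stats.items()
    }


def flag_domains(stats, min_attempts=20, max_rate_delta=0.2):
    """Flag domains with enough volume to judge whose KBA pass rate sits far
    from the overall rate. Thresholds are assumed values for illustration."""
    total_attempts = sum(s["attempts"] for s in stats.values())
    total_passed = sum(s["passed"] for s in stats.values())
    baseline = total_passed / total_attempts if total_attempts else 0.0
    flagged = {}
    for domain, s in stats.items():
        if s["attempts"] < min_attempts:
            continue  # too few attempts to say anything about this domain
        if abs(s["pass_rate"] - baseline) >= max_rate_delta:
            flagged[domain] = round(s["pass_rate"], 2)
    return flagged


if __name__ == "__main__":
    print(flag_domains(summarize_by_domain(SAMPLE_LOG)))
```

Note that a requester spread thinly across many domains, or hiding inside a large mail provider, never reaches `min_attempts`, which is exactly why an unflagged download is not evidence that the rightful taxpayer made it.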

The IRS is vowing to “strengthen its protocols” going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won’t be willing to leap for online IRS access. Going paperless won’t seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.



Comments on “Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes”

OldGeezer (profile) says:

I have always wondered why so many financial institutions still use mother’s maiden name as a security question. This information is very easily obtained for just about anyone. Even if that wasn’t pretty much public record already, what if a relative wants to rip you off? I grew up in the 60’s so it wouldn’t be a stretch to guess the Beatles are my favorite band and a few people might remember my first pet’s name, but mother’s maiden name is about as secure as using 123456 or password as a password.

sigalrm (profile) says:

Re: Re:

The younger the individual, the higher the odds that the answers to most “common” security questions – Mother’s Maiden Name, What street did you live on as a child, First/favorite pet, first boyfriend/girlfriend – are readily available on Facebook.

I know this to be true for myself, even if I didn’t provide the information. And it’s certainly true for both of my kids. And one of them doesn’t have a Facebook account (yet).

It’s not a coincidence that for years now, when someone’s webmail account is “hacked”, the mechanism is almost always the password recovery feature. This is becoming less the case as Google, Yahoo, MS, etc catch on, but it still happens with depressing frequency.

OldGeezer (profile) says:

Re: Re: Re:

I recently opened Facebook while I was on a VPN and they locked me out. I had a much tougher time than any forgot-password recovery. I had to make several attempts to identify friends’ photos that in many cases were their pets, kids, ancestors, friends of friends, schoolmates I hadn’t seen in 40 years. After each failed attempt I was prevented from trying again for an hour. I finally lucked out and enough of the photos were of the actual person I had seen in the last 10 years and got my account back. All this because Facebook saw me logging in from Dallas instead of my usual IP. Yet someone can get enough info on me to file a fake tax return.

Anonymous Coward says:

The IRS is vowing to “strengthen its protocols” going forward. This is the only response it can offer, unfortunately.

They can offer new SSNs, new street addresses, and maybe even a new identity. Given the negligence the IRS demonstrated with their current system, they owe the victims at least that much.

More seriously, they should also go ahead and publish all the leaked transcripts on a blacklist so that financial institutions can Be On the Look Out for anyone opening an account as one of the leaked identities. Really, anyone whose SSN gets leaked at all should be automatically issued a preemptive credit freeze (as in, do not even wait for the mea culpa letters to go out!) until they affirm to the credit bureaus that they would prefer to be vulnerable to further fraud. The current system of buying a short time of credit monitoring and then just walking away is a pathetic cop-out that would not stand if there was a halfway effective lobbying group for such victims.

Anonymous Coward says:

What I find interesting is how the IRS goes out of their way to note that the data thieves were organized, “not amateurs”.

Who cares? The real point is that the security used by the IRS had glaring flaws that made it weak. A barely talented teenager could have done this by themselves, and that’s the problem.

sigalrm (profile) says:

Re: Re:

Who cares that it took highly skilled and organized techno-ninjas? The Government cares. Deeply.

Because if the American public ever figures out that the technical capability to pull off hacks like this one, Sony, etc, is often easily within the reach of a bunch of random teenagers with Live CD’s, things are going to get bad for the country, and fast, as people lose trust in the banking system, healthcare systems, etc.

Anonymous Coward says:

Re: Re: Re:

I think you have a definite point to the issue of the loss of trust, but my hope would be a better response than just simply pulling out of the online world.

Consumers should let companies know that good computer security policies (even when it fails) are important to the bottom line because of the trust it engenders.

Citizens should let the government know that good computer security policies (even when it fails) are more important than their own desire to compromise it for the sake of power, because it shows their commitment to Constitutional values.

A. Nnoyed (profile) says:

Identity theft may cause abandonment of the Internet

The internet is becoming a dangerous place like those neighborhoods where if you enter you leave in a coffin. I have done business with several companies that have reported being hacked. I have already had several different credit cards replaced because the issuer or a vendor detected someone trying to place a fraudulent charge on the account. At least with snail mail identity thieves cannot steal your personal information. As a result broadband users may be forced to stop using the internet for any purpose that involves money since the financial risks will be too great.

Christenson says:

Random answers to Invasive Personal Questions

When Apple started asking me answers to all kinds of personal questions in order to get free software from their App Store, my privacy started feeling very invaded. I decided I would be safer giving long random strings or complete nonsense answers and writing them down in my little black book instead of giving them partial keys to my bank account and every other internet account I had.

The method has its issues, but if no two websites can agree on your details, a putative hacker is going to have to hack into each password recovery system one at a time, and generally fail several times before getting in.

Finally, I have to ask how the IRS knows this was a hack and not one or more crooked employees. Remember just how much data fits on a jump drive these days, and remember the NSA still has no idea exactly what data Ed Snowden took with him.
