Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes

from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept

The government that wants so badly to be the world's leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
So, not actually "hacking," per se, as much as the gaming of system just begging to be gamed. The information criminals needed to obtain this data may have been "specific" to each registered taxpayer, but it was also information that rarely, if ever, changed.
This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.
The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn't necessarily all that unique.
In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.
The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't really the comforting statement it means it to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.

The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    OldGeezer (profile), 26 May 2015 @ 4:50pm

    I have always wondered why so many financial institutions still use mother's maiden name as a security question. This information is very easily obtained for just about anyone. Even if that wasn't pretty much public record already, what if a relative wants to rip you off? I grew up in the 60's so it wouldn't be a stretch to guess the Beatles are my favorite band and a few people might remember my first pet's name but mother's maiden name is about a secure as using 123456 or password as a password.

    reply to this | link to this | view in chronology ]

    • icon
      sigalrm (profile), 26 May 2015 @ 5:17pm

      Re:

      The younger the individual, the higher the odds that the answers to most "common" security questions - Mothers Maiden Name, What street did you live on a a child, First/favorite pet, first boyfriend/girlfriend are readily available on Facebook.

      I know this to be true for myself, even if I didn't provide the information. And it's certainly true for both of my kids. And one of them doesn't have a Facebook account (yet).

      It's not a coincidence that for years now, when someone's webmail account is "hacked", the mechanism is almost always the password recovery feature. This is becoming less the case as Google, Yahoo, MS, etc catch on, but it still happens with depressing frequency.

      reply to this | link to this | view in chronology ]

      • icon
        OldGeezer (profile), 26 May 2015 @ 5:59pm

        Re: Re:

        I recently opened Facebook while I was on a VPN and they locked me out. I had a much tougher time than any forgot password recovery. I had to make several attempts to identify friends photos that in many cases were their pets, kids, ancestors, friends of friends, schoolmates I hadn't seen in 40 years. After each failed attempt I was prevented from trying again for an hour. I finally lucked out and enough the photos were of the actual person I had seen in the last 10 years and got my account back. All this because Facebook saw me logging in from Dallas instead of my usual IP. Yet someone can get enough info on me to file a fake tax return.

        reply to this | link to this | view in chronology ]

  • icon
    sigalrm (profile), 26 May 2015 @ 5:20pm

    Credit Monitoring....

    I have to wonder...Are there any adults in the US who don't have a decades worth of accrued "credit monitoring" available to them at this point?

    reply to this | link to this | view in chronology ]

  • identicon
    avideogameplayer, 26 May 2015 @ 5:37pm

    And the government still wants back door access because?

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 26 May 2015 @ 5:39pm

      Re:

      Because this time, this time they'll get it right!

      (More seriously, it's because they simply don't care what happens to the public, as long as they can continue to do whatever they want to.)

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 May 2015 @ 5:55pm

        Re: Re:

        "See? The IRS had authentication, and look what happened! If you guys had no encryption, terrorists couldn't break it! I demand backdoors, now!"

        The sad thing is, while I was trying to be sarcastic, I can see the government making roughly the same statement in full seriousness...

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2015 @ 5:57pm

    Just goes to show you that increasing the funding of and the snooping by the NSA is a necessity. As for the Infernal Revenue Service, they are doing the best they can with the tools they have at their disposal ;).

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2015 @ 6:02pm

    We're from the govt, and we're here to help you

    with your security.

    reply to this | link to this | view in chronology ]

  • identicon
    Call it reason call it love or call it treason.., 26 May 2015 @ 11:25pm

    So

    80? times better than target?

    I'm impressed!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2015 @ 5:42am

    please remember these are the same guys who want to backdoor fu├čing everything...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2015 @ 7:06am

    The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately.
    They can offer new SSNs, new street addresses, and maybe even a new identity. Given the negligence the IRS demonstrated with their current system, they owe the victims at least that much.

    More seriously, they should also go ahead and publish all the leaked transcripts on a blacklist so that financial institutions can Be On the Look Out for anyone opening an account as one of the leaked identities. Really, anyone whose SSN gets leaked at all should be automatically issued a preemptive credit freeze (as in, do not even wait for the mea culpa letters to go out!) until they affirm to the credit bureaus that they would prefer to be vulnerable to further fraud. The current system of buying a short time of credit monitoring and then just walking away is a pathetic cop-out that would not stand if there was a halfway effective lobbying group for such victims.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 May 2015 @ 7:17am

    What I find interesting is how the IRS goes out of their way to note that the data thieves were organized, "not amateurs".

    Who cares? The real point is that the security used by the IRS had glaring flaws that made it weak. A barely talented teenager could have done this by themselves, and that's the problem.

    reply to this | link to this | view in chronology ]

    • icon
      sigalrm (profile), 27 May 2015 @ 7:55am

      Re:

      Who cares that it took highly skilled and organized techno-ninjas? The Government cares. Deeply.

      Because if the American public ever figures out that the technical capability to pull off hacks like this one, Sony, etc, is often easily within the reach of a bunch of random teenagers with Live CD's, things are going to get bad for the country, and fast, as people lose trust in the banking system, healthcare systems, etc.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 May 2015 @ 8:38am

        Re: Re:

        I think you have a definite point to the issue of the loss of trust, but my hope would be a better response than just simply pulling out of the online world.

        Consumers should let companies know that good computer security policies (even when it fails) are important to the bottom line because of the trust it engenders.

        Citizens should let the government know that good computer security policies (even when it fails) are more important than their own desire to compromise it for the sake of power, because it shows their commitment to Constitutional values.

        reply to this | link to this | view in chronology ]

  • icon
    A. Nnoyed (profile), 27 May 2015 @ 7:58am

    Identity theft may cause abandonment of the Internet

    The internet is becoming a dangerous place like those neighborhoods where if you enter you leave in a coffin. I have done business with several companies that have reported being hacked. I have already had several different credit cards replaced because the issuer or a vendor detected someone trying to place a fraudulent charge on the account. At least with snail mail identity thieves cannot steal your personal information. As a result broadband users may be forced to stop using the internet for any purpose that involves money since the financial risks will be to great.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2015 @ 8:05am

      Re: Identity theft may cause abandonment of the Internet

      At least with snail mail identity thieves cannot steal your personal information.

      Citation Needed!

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 27 May 2015 @ 8:15am

      Re: Identity theft may cause abandonment of the Internet

      "At least with snail mail identity thieves cannot steal your personal information"

      Tell that to my sister, who had this exact thing happen.

      reply to this | link to this | view in chronology ]

  • identicon
    Christenson, 27 May 2015 @ 9:42am

    Random answers to Invasive Personal Questions

    When Apple started asking me answers to all kinds of personal questions in order to get free software from their App Store, my privacy started feeling very invaded. I decided I would be safer giving long random strings or complete nonsense answers and writing them down in my little black book instead of giving them partial keys to my bank account and every other internet account I had.

    The method has its issues, but if no two websites can agree on your details, a putative hacker is going to have to hack into each password recovery system one at a time, and generally fail several times before getting in.

    Finally, I have to ask how the IRS knows this was a hack and not one or more crooked employees. Remember just how much data fits on a jump drive these days, and remember the NSA still has no idea exactly what data Ed Snowden took with him.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 27 May 2015 @ 9:51am

      Re: Random answers to Invasive Personal Questions

      Yes, this is a practice that computer security folks have been recommending for years now. When you see those questions, ignore the meaning of the question and treat them like additional password fields. Answer them with different strong passwords.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jun 2015 @ 7:29pm

    This is all info freely handed over. There is no expectation of privacy.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.