FTC Advice On How To Deal With Equifax Hack: Er... Race The Hackers To Filing Your Taxes Before They Do

from the what-the-actual-fuck dept

So, yes, by now you know all about the whole Equifax hack and how really, really terrible it is. Lots of sites have been posting various stories about what you should do about it, when the truth is you really can't do much. A lot of people are likely going to deal with an awful lot of bad stuff almost entirely because of this leak by Equifax. Not surprisingly, the FTC has weighed in with some suggestions, most of which won't actually help very much. Most of them are the standard suggestions everyone's giving -- including checking your credit reports, putting a credit freeze on your files and basically watching very closely to see if you're fucked over by whoever has access to these files.

But the FTC's very last suggestion is the one I wanted to focus on today. It's basically "um, well, maybe try to file your tax returns early next year, so you beat hackers trying to do the same?"

File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

As someone who has been a victim of someone filing fake tax returns to try to get your refund, it's a really shitty process to go through. The problem here, though, is the whole setup of our tax system, which makes it pretty damn easy for someone to fake your tax returns -- now made even easier thanks to this breach. If the FTC really wanted to help, it should be pushing for a complete overhaul of how tax filing works, such that merely knowing your Social Security Number and address isn't enough to file tax returns in your name. Among the many problems here, it starts with the idiotic idea that we use SSNs as an identity tool -- but there's also the fact that we continue to have the IRS force every American to play a guessing game with their taxes just to keep tax prep companies like Intuit and H&R Block happy.

I recognize that the FTC isn't directly in a position to fix this, but the fact that it's best suggestion is "race the hackers to filing your tax returns and hope you get there first" should highlight just how totally fucked up our income tax system is in the US.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 12 Sep 2017 @ 9:50am

    This whole hack puts a massive spotlight on how shittily implemented and broken some of our most important systems are. I'd honestly be surprised if nothing were changed as a result of this. It may take some lawsuits and quite a few metaphorical black eyes to do though.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2017 @ 10:18am

      Re:

      I would be surprised if something did change.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2017 @ 9:54pm

      Re:

      I think a solution could be that everyone should have their own public/private key pair. Only you know your private key (it's on a card or something, like how credit cards have a chip) but everyone knows your public key. They identify you by your public key but prove your identity with your use of your private key via making you sign something. Perhaps they should expire every once in a while so we get a new key issued ... uhm ... there could be a database online where it keeps track of your new public keys. I look up your public key in a database and the database has a list of all your prior public keys, date issued, expiration date, including your current one. Of course the key itself should be presented with a known expiration date and it should be signed by a government agency that signs keys with their own key.

      reply to this | link to this | view in chronology ]

      • icon
        R.H. (profile), 13 Sep 2017 @ 9:36am

        Re: Re:

        This is an excellent idea. However, it gets into the government issued id card area that many people are strongly against. I'm for it but, I don't know if it could be made to happen.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2017 @ 9:50am

    Don't forget the laws squashed to prevent this

    Equifax prevented congress from passing laws aimed at preventing this kind of breach. They clearly knew how vulnerable they were and did not want the billions of expenses that would come from exposure of all of that data. Now, their worst nightmare has come true and they aren't even on the hook for the PII related to it...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2017 @ 11:01am

      Re: Don't forget the laws squashed to prevent this

      But .. but the market is self regulating

      reply to this | link to this | view in chronology ]

      • identicon
        hegemon13, 12 Sep 2017 @ 12:56pm

        Re: Re: Don't forget the laws squashed to prevent this

        This has nothing to do with the market. This is a system with coerced, involuntary participation. If one could actually choose (short of boycotting credit altogether) which credit agencies they wanted to do business with, there would some market influence. But making a sarcastic comment as if this were some sort of counterpoint to the effectiveness of a healthy, competitive free market is disingen...no, it's just flatly asinine.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Sep 2017 @ 2:30pm

        Re: Re: Don't forget the laws squashed to prevent this

        The market is between Equifax and companies and in that regard the market is valuing them almost the same as before since "the estimated 300-350 millions" they will have to use on showing off for politicians are peanuts and the companies that use them won't use the inferior competitors.

        Equifax is no different than most other big data companies. While their revenue depends on consumer data, the companies that they cooperate with will want deniable plausibility and to get the advantages the big data company provides. The consumers rights can stomp hay.

        As soon as big data and company A sees a benefit in each others services, legal, smeagol and ethics goes out with the baby and the bathwater. Some of the least moral big data companies are funding hackers by buying their data and may even facilitate hackers with vectors to infect and inject.

        reply to this | link to this | view in chronology ]

  • icon
    streetlight (profile), 12 Sep 2017 @ 10:17am

    The IRS needs to be prepared

    I don't know about the FTC, but the IRS is the organization that needs to be prepared. For the situation that the hackers beat an individual in submitting tax forms then upon receiving a later, second tax form based on the SS# of a previous submission the IRS needs a quick, effective notification and appeal process to solve the problem. It shouldn't be too hard to detect the fraud. Folks who owe money probably aren't fraudsters. There should be mailing addresses or checking/savings account numbers available for folks who get refunds and have had refunds in the past to cross check. Of course, people move and change banking. These cross checks might detect fraud requiring follow up by the IRS. Not sure how effective that, or any action, the IRS can take to mitigate the situation. And then there are state taxes to consider.If the fraud involves 10s of millions of tax submissions, things are going to get expensive for the IRS and very time consuming for individuals.

    reply to this | link to this | view in chronology ]

  • icon
    ShadowNinja (profile), 12 Sep 2017 @ 10:51am

    Social Security Numbers

    such that merely knowing your Social Security Number and address isn't enough to file tax returns in your name.

    Equifax and the FTC aren't to blame for this. The IRS and Prosecutors and big businesses are to blame for Social Security Numbers being so vitally important and insecure.

    Social Security Numbers were invented by the IRS to track who was who in their system. The IRS never expected them to be used by anyone but themselves, and never made the numbers all that secure because of that.

    It's actually ILLEGAL for most businesses to ask you for your social security number, and to use it as a unique identifier for you in their databases. Only businesses that need to report your income to the IRS (like the company you work for, and a bank or investment firm) should have a real reason to know what your social security number is. Anything beyond that is scope creep, and is ILLEGAL under the law.

    But, this is where Prosecutors and Big Business screwed things up. Big Businesses thought using Social Security numbers to identify customers in their database was a great idea. And prosecutors didn't enforce the laws against doing that, and so now Social Security numbers have become an insecure national ID in effect.

    reply to this | link to this | view in chronology ]

  • identicon
    Chris Brand, 12 Sep 2017 @ 10:54am

    Is that even possible ?

    "as soon as you have the tax information you need" - but a hacker doesn't have to worry about filing accurate information, do they ? So while you're waiting for the tax forms to arrive, they can go ahead and file something they make up...

    reply to this | link to this | view in chronology ]

    • identicon
      JEDIDIAH, 12 Sep 2017 @ 12:53pm

      Re: Is that even possible ?

      Except your information has already been sent to the IRS.

      They can try to get your tax return (if you are getting one) before you do. Dunno if they can just make up stuff. There are also some people that owe or that have non-trivial income. Not sure they want to spoof those people.

      Fake accounts are probably a bigger problem.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Sep 2017 @ 1:30pm

        Re: Re: Is that even possible ?

        They can try to get your tax return (if you are getting one) before you do.

        A tax return is what you send to the IRS.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2017 @ 11:14am

    They're welcome to file my taxes...

    Given I'm always paying the IRS, they are welcome to file mine....

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2017 @ 11:39am

      Re: They're welcome to file my taxes...

      They will file yours saying you deserve a refund of $10,000. They will collect the refund. Then you will owe the IRS $10,000 plus your taxes, penalties, and interest. Since you are dealing with the government, you are guilty until proven innocent. And then you may still be guilty.

      Funny how that works.

      reply to this | link to this | view in chronology ]

  • identicon
    Andrew D. Todd, 12 Sep 2017 @ 12:41pm

    A Simple Fix

    I think the problem is commingling of identifiers and passwords. Identifiers and passwords have conflicting functions, and the problem arises when one number tries to be both. So, what we do is to face facts, and say that Social Security Numbers and Dates of Birth are identifiers, and it happens that they are now public, and people must immediate cease using them as passwords. All we have to do is explicitly issue passwords in appropriate ways.

    Forms pertaining to tax withholding (W-2's, Form 1099, K-1, etc.) shall be given an additional number, a random number peculiar to that form, that employer, that taxpayer, and that year, in addition to the existing numbers, and this number shall be reported to the taxpayer and the IRS in the usual way, and the tax-payer shall copy it into his tax return. There will need to be fairly minor modifications of the tax schedules to allow inserting the passwords, but there is plenty of time to do that. It's only September.

    The IRS can work with the state Departments of Motor Vehicles. The DMV checks not only paperwork, but also biometrics. It knows things off the birth certificate like the name of the obstetrician. The DMV finally confirms the address of an identity-holder by snail-mailing the card-- with instructions not to forward it.

    When you file a change of address with the Post Office, they sensibly send paper notices-- by snail-mail-- to both the old and new address. I think you can file a change of address on the internet. I filed mine by physically going in to the post office. The IRS can always send out refund checks by snail-mail. This will be rather hard on the tax preparation companies, which make money on Refund Anticipation Loans, at more or less usurious interest. No matter, they will find a way to solve their problem.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2017 @ 1:02pm

    I hope someone files my tax return. Joke's on them, I owe the IRS money so they apply my refund to the balance. Scammer gets nothing, I get someone else to do my income taxes.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2017 @ 1:30pm

      Response to: Anonymous Coward on Sep 12th, 2017 @ 1:02pm

      Reminds me of my first cars. They were so beat up when someone tried to steal it they abandoned it 50' away.

      reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 12 Sep 2017 @ 2:33pm

    If only there were actual laws to protect citizens.
    Far to often we hear the battlecry of to much regulation is making it hard for business!!!

    Ummm, if we had a law demanding a basic level of security from the big black boxes that gather & hold all sorts of details that can allow someone to ruin your life... they might have had 25 cents less in dividends.

    The "response" from them has been laughable, their new url to check looks like a phishing domain, the site has holes that were patched in the code... YEARS AGO. The pins are based on the date & any name & any number combination results in the yep you got hacked response. They moved to sell off stock before the price tanked & consulted legal to add wording to try and deflect any legal attack on them fucking a giant portion of the country.

    No one gives a shit about us, we are just commodities to be exploited. We vote for the right soundbites, our web browsing is collected & sold to sell us more. Our data is for sale (or the taking) to say if we are a good credit risk based on mystical metrics using data not verified in reality, but they become the reality even when they are wrong. They decide you credit score is 300 because someone typoed a name... to fucking bad for you. You have to invest a huge amount of time & effort into doing the job for the data miners.

    But then this is the country thats running ads on TV that NEXT Year they are sending out new Medicare cards... without Social Security numbers on them. But we spend more time fighting over how to build a wall or sneak in legislation to allow politicians to get even more dark untraceable money.

    We have a fucked system, because those with the money own those who are supposed to care about our best interests.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2017 @ 7:43pm

    Respond right away to letters that look like they might be from the IRS but on closer inspection probably aren't.

    Scammed if you do, scammed if you don't...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2017 @ 9:47pm

    I think everyone should watch the following video.

    https://www.youtube.com/watch?v=Erp8IAUouus

    reply to this | link to this | view in chronology ]

  • identicon
    TripMN, 12 Sep 2017 @ 10:05pm

    The Big 3 are going to make money off of this

    The number one advice being given is that you should 'freeze' your credit. This means you have to contact the big 3 credit bureaus and pay them from $5-20+ dollars each depending on your state to process a freeze. There are ways to get it at no cost, but most of those require a police report of an investigation into identity theft... which is going to be tough for the 143 million people currently playing with Shrodinger's Data Leak.

    What would be interesting to see happen is to have the FTC step in and ban them from making money thru exploitation of a situation that the credit bureaus created themselves. I'm not holding my breath.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Sep 2017 @ 11:50am

      Re: The Big 3 are going to make money off of this

      The idea has actually already been aired. But honestly, the larger issues here are data-security and the role of big 3 in society.

      The more you think about it, the more important it seems to be needed to add further consequences for data-leaking and reducing the scope of each leak. Wtih the overall issues of the sector, I wouldn't mind a government regulated market akin to title II/utilities, with a restriction on the size of the stack handled by each cell.

      reply to this | link to this | view in chronology ]

  • identicon
    Russ K, 13 Sep 2017 @ 10:13am

    SSN

    Many years ago, Holiday Inn started their first frequent stay program. I applied fresh out of college at my first multiple week installation when I stayed at a Holiday Inn near Pittsburgh. They used my SSN as the ID and that stayed in use for at least 10 years. I think it was 1986 when they did change over to a unique number (it was still 9 digits long). The only advantage I had was the ease of remembering it (Colleges used the SSN for student IDs all the time so it was imprinted on my brain early in life).

    I really don't know who initiated that change but it may have been with a law that required them to not use SSN. Of course back then there was no Internet, a laptop was 30 lbs. monochrome display and we couldn't see what would happen to our privacy.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.