Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes
from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept
The government that wants so badly to be the world's leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.
The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.
So, not actually "hacking," per se, as much as the gaming of a system just begging to be gamed. The information criminals needed to obtain this data may have been "specific" to each registered taxpayer, but it was also information that rarely, if ever, changed.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.
The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally identifiable information isn't necessarily all that unique.
In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.
The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't really the comforting statement it's intended to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.
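As an added example (not from the article or the IRS), the kind of per-domain check a defender could run over authentication logs to surface the pattern described above: a handful of email addresses clearing knowledge-based authentication for many different taxpayer accounts. The log format, domains and hashed account ids are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real IRS data): one Get Transcript KBA attempt per line.
SAMPLE_LOG = """\
2015-05-20T10:03:11 email=bob@example.com acct=h02 kba=fail
2015-05-20T10:03:40 email=bob@example.com acct=h02 kba=pass
2015-05-20T10:05:10 email=x1@bulkmail.test acct=h10 kba=pass
2015-05-20T10:05:11 email=x1@bulkmail.test acct=h11 kba=fail
2015-05-20T10:05:12 email=x1@bulkmail.test acct=h12 kba=pass
2015-05-20T10:05:13 email=x2@bulkmail.test acct=h13 kba=pass
2015-05-20T10:05:14 email=x2@bulkmail.test acct=h14 kba=fail
2015-05-20T10:05:15 email=x2@bulkmail.test acct=h15 kba=pass
"""

def parse_log(text):
    """Turn each constructed 'key=value' line into a dict with its email domain."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        fields["domain"] = fields["email"].rsplit("@", 1)[1].lower()
        events.append(fields)
    return events

def domain_stats(events):
    """Per email domain: attempts, passes, distinct accounts and addresses."""
    stats = defaultdict(lambda: {"attempts": 0, "passes": 0,
                                 "accts": set(), "emails": set()})
    for e in events:
        s = stats[e["domain"]]
        s["attempts"] += 1
        s["passes"] += int(e["kba"] == "pass")
        s["accts"].add(e["acct"])
        s["emails"].add(e["email"])
    return stats

def flag_domains(stats, min_attempts=5, max_accts_per_email=1.0):
    """Flag domains whose addresses each touch more than one taxpayer account at
    volume; a legitimate address clears KBA only for its own account."""
    flagged = {}
    for domain, s in stats.items():
        per_email = len(s["accts"]) / len(s["emails"])
        if s["attempts"] >= min_attempts and per_email > max_accts_per_email:
            flagged[domain] = {"attempts": s["attempts"],
                               "pass_rate": s["passes"] / s["attempts"],
                               "accts_per_email": per_email}
    return flagged

def analyze(text=SAMPLE_LOG):
    return flag_domains(domain_stats(parse_log(text)))
```

The reported pass rate lets an analyst compare a flagged domain against the population baseline, since bulk attempts fed with purchased data pass far more often than a guesser would.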
The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.
Filed Under: data breach, irs, leaks, privacy, private info, security
Reader Comments
Re:
I know this to be true for myself, even if I didn't provide the information. And it's certainly true for both of my kids. And one of them doesn't have a Facebook account (yet).
It's not a coincidence that for years now, when someone's webmail account is "hacked", the mechanism is almost always the password recovery feature. This is becoming less the case as Google, Yahoo, MS, etc. catch on, but it still happens with depressing frequency.
Credit Monitoring....
Re:
(More seriously, it's because they simply don't care what happens to the public, as long as they can continue to do whatever they want to.)
Re: Re:
The sad thing is, while I was trying to be sarcastic, I can see the government making roughly the same statement in full seriousness...
Re: Re:
We're from the govt, and we're here to help you
Re:
So
I'm impressed!
More seriously, they should also go ahead and publish all the leaked transcripts on a blacklist so that financial institutions can Be On the Look Out for anyone opening an account as one of the leaked identities. Really, anyone whose SSN gets leaked at all should be automatically issued a preemptive credit freeze (as in, do not even wait for the mea culpa letters to go out!) until they affirm to the credit bureaus that they would prefer to be vulnerable to further fraud. The current system of buying a short time of credit monitoring and then just walking away is a pathetic cop-out that would not stand if there was a halfway effective lobbying group for such victims.
Who cares? The real point is that the security used by the IRS had glaring flaws that made it weak. A barely talented teenager could have done this by themselves, and that's the problem.
Re:
Because if the American public ever figures out that the technical capability to pull off hacks like this one, Sony, etc., is often easily within the reach of a bunch of random teenagers with Live CDs, things are going to get bad for the country, and fast, as people lose trust in the banking system, healthcare systems, etc.
Identity theft may cause abandonment of the Internet
Re: Identity theft may cause abandonment of the Internet
Citation Needed!
Re: Identity theft may cause abandonment of the Internet
Tell that to my sister, who had this exact thing happen.
Re: Re:
Consumers should let companies know that good computer security policies (even when it fails) are important to the bottom line because of the trust it engenders.
Citizens should let the government know that good computer security policies (even when it fails) are more important than their own desire to compromise it for the sake of power, because it shows their commitment to Constitutional values.
Random answers to Invasive Personal Questions
The method has its issues, but if no two websites can agree on your details, a putative hacker is going to have to hack into each password recovery system one at a time, and generally fail several times before getting in.
Finally, I have to ask how the IRS knows this was a hack and not one or more crooked employees. Remember just how much data fits on a jump drive these days, and remember the NSA still has no idea exactly what data Ed Snowden took with him.
Re: Random answers to Invasive Personal Questions
Re: Re: Random answers to Invasive Personal Questions
https://xkpasswd.net/s/