Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes

from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept

The government that wants so badly to be the world's leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
So, not actually "hacking," per se, as much as the gaming of system just begging to be gamed. The information criminals needed to obtain this data may have been "specific" to each registered taxpayer, but it was also information that rarely, if ever, changed.
This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.
The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn't necessarily all that unique.
In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.
The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't really the comforting statement it means it to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.

The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breach, irs, leaks, privacy, private info, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    OldGeezer (profile), 26 May 2015 @ 4:50pm

    I have always wondered why so many financial institutions still use mother's maiden name as a security question. This information is very easily obtained for just about anyone. Even if that wasn't pretty much public record already, what if a relative wants to rip you off? I grew up in the 60's so it wouldn't be a stretch to guess the Beatles are my favorite band and a few people might remember my first pet's name but mother's maiden name is about a secure as using 123456 or password as a password.

    link to this | view in thread ]

  2. icon
    sigalrm (profile), 26 May 2015 @ 5:17pm

    Re:

    The younger the individual, the higher the odds that the answers to most "common" security questions - Mothers Maiden Name, What street did you live on a a child, First/favorite pet, first boyfriend/girlfriend are readily available on Facebook.

    I know this to be true for myself, even if I didn't provide the information. And it's certainly true for both of my kids. And one of them doesn't have a Facebook account (yet).

    It's not a coincidence that for years now, when someone's webmail account is "hacked", the mechanism is almost always the password recovery feature. This is becoming less the case as Google, Yahoo, MS, etc catch on, but it still happens with depressing frequency.

    link to this | view in thread ]

  3. icon
    sigalrm (profile), 26 May 2015 @ 5:20pm

    Credit Monitoring....

    I have to wonder...Are there any adults in the US who don't have a decades worth of accrued "credit monitoring" available to them at this point?

    link to this | view in thread ]

  4. identicon
    avideogameplayer, 26 May 2015 @ 5:37pm

    And the government still wants back door access because?

    link to this | view in thread ]

  5. icon
    That One Guy (profile), 26 May 2015 @ 5:39pm

    Re:

    Because this time, this time they'll get it right!

    (More seriously, it's because they simply don't care what happens to the public, as long as they can continue to do whatever they want to.)

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 26 May 2015 @ 5:55pm

    Re: Re:

    "See? The IRS had authentication, and look what happened! If you guys had no encryption, terrorists couldn't break it! I demand backdoors, now!"

    The sad thing is, while I was trying to be sarcastic, I can see the government making roughly the same statement in full seriousness...

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 26 May 2015 @ 5:57pm

    Just goes to show you that increasing the funding of and the snooping by the NSA is a necessity. As for the Infernal Revenue Service, they are doing the best they can with the tools they have at their disposal ;).

    link to this | view in thread ]

  8. icon
    OldGeezer (profile), 26 May 2015 @ 5:59pm

    Re: Re:

    I recently opened Facebook while I was on a VPN and they locked me out. I had a much tougher time than any forgot password recovery. I had to make several attempts to identify friends photos that in many cases were their pets, kids, ancestors, friends of friends, schoolmates I hadn't seen in 40 years. After each failed attempt I was prevented from trying again for an hour. I finally lucked out and enough the photos were of the actual person I had seen in the last 10 years and got my account back. All this because Facebook saw me logging in from Dallas instead of my usual IP. Yet someone can get enough info on me to file a fake tax return.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 26 May 2015 @ 6:02pm

    We're from the govt, and we're here to help you

    with your security.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 26 May 2015 @ 8:41pm

    Re:

    Poor little IRS.

    link to this | view in thread ]

  11. identicon
    Call it reason call it love or call it treason.., 26 May 2015 @ 11:25pm

    So

    80? times better than target?

    I'm impressed!

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 27 May 2015 @ 5:42am

    please remember these are the same guys who want to backdoor fußing everything...

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 27 May 2015 @ 7:06am

    The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately.
    They can offer new SSNs, new street addresses, and maybe even a new identity. Given the negligence the IRS demonstrated with their current system, they owe the victims at least that much.

    More seriously, they should also go ahead and publish all the leaked transcripts on a blacklist so that financial institutions can Be On the Look Out for anyone opening an account as one of the leaked identities. Really, anyone whose SSN gets leaked at all should be automatically issued a preemptive credit freeze (as in, do not even wait for the mea culpa letters to go out!) until they affirm to the credit bureaus that they would prefer to be vulnerable to further fraud. The current system of buying a short time of credit monitoring and then just walking away is a pathetic cop-out that would not stand if there was a halfway effective lobbying group for such victims.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 27 May 2015 @ 7:17am

    What I find interesting is how the IRS goes out of their way to note that the data thieves were organized, "not amateurs".

    Who cares? The real point is that the security used by the IRS had glaring flaws that made it weak. A barely talented teenager could have done this by themselves, and that's the problem.

    link to this | view in thread ]

  15. icon
    sigalrm (profile), 27 May 2015 @ 7:55am

    Re:

    Who cares that it took highly skilled and organized techno-ninjas? The Government cares. Deeply.

    Because if the American public ever figures out that the technical capability to pull off hacks like this one, Sony, etc, is often easily within the reach of a bunch of random teenagers with Live CD's, things are going to get bad for the country, and fast, as people lose trust in the banking system, healthcare systems, etc.

    link to this | view in thread ]

  16. icon
    A. Nnoyed (profile), 27 May 2015 @ 7:58am

    Identity theft may cause abandonment of the Internet

    The internet is becoming a dangerous place like those neighborhoods where if you enter you leave in a coffin. I have done business with several companies that have reported being hacked. I have already had several different credit cards replaced because the issuer or a vendor detected someone trying to place a fraudulent charge on the account. At least with snail mail identity thieves cannot steal your personal information. As a result broadband users may be forced to stop using the internet for any purpose that involves money since the financial risks will be to great.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 27 May 2015 @ 8:05am

    Re: Identity theft may cause abandonment of the Internet

    At least with snail mail identity thieves cannot steal your personal information.

    Citation Needed!

    link to this | view in thread ]

  18. icon
    John Fenderson (profile), 27 May 2015 @ 8:15am

    Re: Identity theft may cause abandonment of the Internet

    "At least with snail mail identity thieves cannot steal your personal information"

    Tell that to my sister, who had this exact thing happen.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 27 May 2015 @ 8:38am

    Re: Re:

    I think you have a definite point to the issue of the loss of trust, but my hope would be a better response than just simply pulling out of the online world.

    Consumers should let companies know that good computer security policies (even when it fails) are important to the bottom line because of the trust it engenders.

    Citizens should let the government know that good computer security policies (even when it fails) are more important than their own desire to compromise it for the sake of power, because it shows their commitment to Constitutional values.

    link to this | view in thread ]

  20. identicon
    Christenson, 27 May 2015 @ 9:42am

    Random answers to Invasive Personal Questions

    When Apple started asking me answers to all kinds of personal questions in order to get free software from their App Store, my privacy started feeling very invaded. I decided I would be safer giving long random strings or complete nonsense answers and writing them down in my little black book instead of giving them partial keys to my bank account and every other internet account I had.

    The method has its issues, but if no two websites can agree on your details, a putative hacker is going to have to hack into each password recovery system one at a time, and generally fail several times before getting in.

    Finally, I have to ask how the IRS knows this was a hack and not one or more crooked employees. Remember just how much data fits on a jump drive these days, and remember the NSA still has no idea exactly what data Ed Snowden took with him.

    link to this | view in thread ]

  21. icon
    John Fenderson (profile), 27 May 2015 @ 9:51am

    Re: Random answers to Invasive Personal Questions

    Yes, this is a practice that computer security folks have been recommending for years now. When you see those questions, ignore the meaning of the question and treat them like additional password fields. Answer them with different strong passwords.

    link to this | view in thread ]

  22. identicon
    Random Element, 28 May 2015 @ 2:57pm

    Re: Re: Random answers to Invasive Personal Questions

    Or at least very long, hard to guess passwords.

    https://xkpasswd.net/s/

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 6 Jun 2015 @ 7:29pm

    This is all info freely handed over. There is no expectation of privacy.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.