Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes

from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept

The government that wants so badly to be the world's leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.



These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.

This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.

In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

So, not actually "hacking," per se, as much as the gaming of system just begging to be gamed. The information criminals needed to obtain this data may have been "specific" to each registered taxpayer, but it was also information that rarely, if ever, changed The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn't necessarily all that unique.The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't really the comforting statement it means it to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.

Filed Under: data breach, irs, leaks, privacy, private info, security