Identity thieves who specialize in tax refund fraud had big help this past tax year from Equifax, one of the nation’s largest consumer data brokers and credit bureaus. The trouble stems from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.

In a boilerplate text sent to several affected customers, Equifax said the unauthorized access to customers’ employee tax records happened between April 17, 2016 and March 29, 2017.

Beyond that, the extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, and Equifax refused requests to say how many consumers or payroll service customers may have been impacted by the authentication weaknesses.

Thanks to data breach notification laws in nearly all U.S. states now, we know that so far at least five organizations have received letters from Equifax about a series of incidents over the past year, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

A snippet from TALX’s letter to the New Hampshire attorney general (PDF) offers some insight into the level of security offered by this wholly-owned subsidiary of Equifax. In it, lawyers for TALX downplay the scope of the breach even as they admit the company wasn’t able to tell exactly how much unauthorized access to tax records may have occurred.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote Nicholas A. Oldham, an attorney representing TALX. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

ANALYSIS

Generally. Forensically. Exactly. Potentially. Actually. Lots of hand-waving from the TALX/Equifax suits. But Equifax should have known better than to rely on a simple PIN for a password, says Avivah Litan, a fraud analyst with Gartner Inc.

“That’s so 1990s,” Litan said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN.”

Litan said TALX should have required customers to use stronger two-factor authentication options, such as one-time tokens sent to an email address or mobile device (as Equifax now says TALX is doing — at least with those we know were notified about possible employee account abuse).

The big consumer credit bureaus like Equifax, Experian, Innovis and Trans Union are all regulated by the Fair Credit Reporting Act (FCRA), which strives to promote accuracy, fairness and privacy for data used by consumer reporting agencies. But Litan said there are no federal requirements that credit bureaus use stronger authentication for access to consumer data — such as two-factor authentication.

“There’s about 500 percent more protection for credit card data right now than there is for identity data,” Litan said. “And yet I don’t know of one document from the federal government that spells out how these credit bureaus and other companies have to protect PII (personally identifiable information).”

Then there is the small matter of the questions that ID thieves were able to successfully answer about their victims via TALX’s online portal. Security experts have been warning for years about the waning effectiveness of using so-called “knowledge-based authentication questions” (KBA) — such as details about the consumer’s historic location and financial activity — for online authentication.

The problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

In short: The crooks broadly have access to the data needed to reliably answer KBA questions on most consumers.

Litan said the key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.

Identity thieves prize the W-2 and payroll data held by companies like TALX because they can use it to file fraudulent tax refund requests with the IRS and the states on behalf of victim consumers. According to the Internal Revenue Service, some 787,000 Americans reported being victimized by tax refund fraud last year.

Extra security and screening precautions by the states and the IRS brought last year’s victim numbers down 50 percent from 2015. But even the IRS has struggled with its own tax fraud-related security foibles tied to weak consumer authentication. In 2015, it issued more than $490 million in fraudulent refunds requested on behalf of hundreds of thousands of Americans who were victimized by data stolen directly from the “Get Transcript” feature of the IRS’s own Web site.

It’s worth noting that – as with the TALX incidents — the IRS’s Get Transcript fiasco also failed because it relied primarily on KBA questions asked by Equifax.

Tax-related identity theft occurs when someone uses a Social Security number (SSN) — either a client’s, a spouse’s, or dependent’s — to file a tax return claiming a fraudulent refund. Thieves may also use a stolen Employer Identification Number (EIN) from a business client to create false Forms W-2 to support refund fraud schemes. Increasingly, fraudsters are simply phishing W-2 data in large quantities from human resource professionals at a variety of organizations.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

“If the federal government is smart, they will consider suing Equifax for false returns filed using W2 information stolen from TALX customers, since this is exactly the sort of mass scale attack that even the most basic SMS-based 2-factor would block,” the ICSI’s Weaver said.

It’s high time for consumers to come face-to-face with the reality that the basic data needed to open new lines of credit on them or file taxes in their name is broadly available for sale in the cybercrime underground. What little consumer data that cannot be found in the bowels of the Dark Web can be coaxed out of countless poorly-secured and automated services like TALX that hold extremely sensitive consumer data and yet safeguard it with antiquated and insufficient authentication measures.

In light of the above, the sobering reality is that we have no business using these static identifiers (SSN, DOB, address, previous address, income, mother’s maiden name) for authentication, and yet this practice remains rampant across vast sectors of the American economy today, including consumer banking, higher education and government services.

Predictably, Equifax is offering identity theft detection services (for two years) to employees of TALX customers. Loyal readers here know where I come down on these credit monitoring services, because nobody should confuse these services with a reliable method to block identity theft. The most consumers can hope for out of a credit monitoring service is that it alerts you when ID thieves hijack your data; these services generally don’t prevent ID theft. Also, they can be useful for helping to clean up after a confirmed ID theft incident.

The consumer’s best weapon against new account fraud and other forms of identity theft is the security freeze, also known as a credit freeze. I explain more about the benefits of the freeze as well as other options in multiple posts on this blog. I should note, however, that a security freeze will do nothing to stop fraudsters from filing phony tax refunds in your name with the IRS. For tips on avoiding tax refund fraud, check out this post.

Tags: avivah litan, Equifax, Gartner Inc., ICSI, identity theft, International Computer Science Institute, knowledge-based authentication, Nicholas A. Oldham, Nicholas Weaver, TALX, tax refund fraud, two-factor authentication