On August 17, 2015 the IRS disclosed that a flaw on its website affected far more Americans than first reported in the spring. The story originally broke in March 2015 when KrebsOnSecurity warned readers about a feature that identity thieves had abused to file fraudulent tax refund requests. In May the IRS finally admitted that about 100,000 people may have been affected. On August 17 that number was increased to more than 330,000 taxpayer accounts potentially affected and more than 600,000 account breaches attempted.
That means there were about 220,000 additional households “where there were instances of possible or potential access” to prior-year return data, the IRS said in a statement. It also reported about 170,000 additional instances of “suspected attempts that failed to clear the authentication processes.”
In a prior article we discussed the IRS website feature that thieves used to file tax returns before the victim could, and to steal information from prior tax returns. The breaches occurred via an online application called “Get Transcript,” which allowed taxpayers to obtain prior-year return information. The system was shut down when the problems came to light.
Besides name, current address and Social Security number, people who wanted to access prior-year return information via the app needed to supply answers to knowledge-based authentication (KBA) questions. Typical questions: where did you go to high school, what was your last prior address, what is your birth date, and what is your filing status (married, single).
Clearly this information is easily found not only in social media such as Twitter and Facebook but also in the databases of healthcare providers, employers, and government agencies. All of these industries have been plagued by massive breaches in the last few years, making this information readily available for sale on dark web marketplaces.
In 2014 Brian Krebs demonstrated how easy it was to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. “This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans.”
For years security experts have advised that these static answers are too easily accessible to hackers. Jay Foley of ID Theft Info Source provided some better solutions. “By substituting these simple authentication questions with passwords, PINs or other types of code for personal verification, people would most definitely better protect sensitive information. A two-step verification process similar to the ones being used by businesses and government agencies for accessing computer systems would be even better.
“It is clear that we have moved into a new age of cyber crime,” Foley added. “Hackers are far more sophisticated and willing to put in the time to aggregate vast amounts of personal data to execute these complex cyber crimes. We must put in the work needed to upgrade our systems to meet this threat. If we don’t learn from this hacking and OPM then we are doomed to be hit again and again.”
The IRS believes some of this information may have been gathered for filing fraudulent tax returns during the upcoming 2016 filing season. It will be mailing notices to those affected. If you get a letter, take the recommended steps to protect yourself: use the free credit monitoring and the IP PIN, which can be used to verify the authenticity of next year’s tax return. You should also consider adding a security freeze to your credit reports, which is free for victims of attempted identity theft.