Another day, another database of significance compromised. Indeed, if it was not the U.S. Internal Revenue Service (IRS) that was hacked, setting media outlets and the Internet abuzz, we might not have noticed. The reason is unfortunately we have reached the point where the compromising of personal information at retailers, healthcare providers, financial institutions and government agencies have become so commonplace as to barely make them newsworthy.
The IRS Statement on the “Get Transcript” application breach
Rather than go to “reliable sources” it is useful to go straight to the horse’s mouth on this one. The IRS on May 26 published its IRS Statement on the "Get Transcript" Application revealing the data breach. Here is what you need to know:
The IRS announced today it will be notifying taxpayers after third parties gained unauthorized access to information on about 100,000 accounts through the “Get Transcript” online application.
The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.
In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.
In reaction to the above, the IRS temporarily shut down the Get Transcript application last week after it was detected. It noted the attacks appear to have started in February and ran through mid-May and that about 200,000 attempts were made from questionable email domains, with 100,000 being successful.
They say, as a result, the application will remain disabled until its security can be assured. Plus, it is sending out a letter to those who may have been impacted and is offering free credit monitoring to those whom it appears to be able to confirm were victimized.
The statement concludes with what probably is meant as a calming note by saying: “The IRS emphasizes this incident involves one application involving transcripts — it does not involve other IRS systems, such as our core taxpayer accounts or other applications, such as Where’s My Refund.” This hardly seems reassuring, especially since the intent of the bad guys appears to be using their ill-gotten info as a database of their own for identity theft activities.
A few chosen words from the IT security professionals
As is my custom when bad guys strike, I have selected a few choice quotes on the matter from my bulging inbox of comments from security experts. The ones that resonated should serve as cautionary for us all.
John Gunn, VP at VASCO Data Security commented:
“This attack has remarkable similarities to the Apple (News - Alert) hack of last summer where there were a large number of successful compromises of an unsound security infrastructure that resulted in breach-like consequences.
This highlights the change that has occurred in the market for stolen data. Social Security Numbers are becoming the primary high-value target of hackers because they are worth ten times as much as credit cards and they are protected by a fraction of the security of banking assets. This will obviously have to change or we will see an increasing number of victims.
It begs the question – why does the IRS offer enhanced security only to those who have had their information stolen; why not use a simple one-time-password (OTP) solution to keep everyone else from joining the growing ranks of identity theft victims? OTP security has been proven very effective by large global banks.”
Richard Blech, CEO and Co-Founder of Secure Channels stated:
"The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure," I would not consider this to be an accomplishment considering what was stolen was 100,000+ taxpayers' SSN’s and personal sensitive data - a virtual treasure trove to steal identities. To get this sensitive data from the “Get Transcript,” the hackers tried over 200,000 times. So apparently the IRS is lacking security alert systems for being breached, proper authentication using biometric-multi-factors and deep encryption for all customer sensitive data. Had the breached taxpayers’ sensitive information been encrypted, even if the hackers somehow bypassed a strong multi-factor authentication requirement, this would be a non-news event as the hackers would have left with completely useless, non-decryptable data. As long as the IRS treats security as an afterthought and takes comfort that only the taxpayers were affected, this problem will continue and they will continue to be a target.”
Brad Taylor, President and CEO of Proficio noted:
"The underlying weakness in the IRS and other government website portals is they rely on knowledge-based authentication (KBA). The answers to questions like what is your address and SSN# can be purchased from cyber crime sites or just researched on the Internet. The IRS needs to add more context to their challenge questions and monitor attempted access for suspicious behavior like multiple sign-ups from the same IP address."
While we know what they did and how they did it, the identification of the bad actors remains problematic given the sophistication of the attack. That said, the questions raised by the security pros are to say the least, disconcerting. Here is a short list of things to ponder on the technology and preparedness side of things:
On the personal front, it appears that social security numbers have become the favored tool for those with malicious intent, which should give all of us pause as to when we give it out. I am relatively confident that since I did not use the Get Transcript Application that I will not be amongst the unlikely 100,000. However, it appears that the ship on protecting our social security numbers sailed a long time ago. Whether it is the IRS or others, we all need to be on our guard constantly to changes in all of our “personal critical” accounts and other digital assets.
I feel almost bad about saying this but it includes, paying the annual cost of a monitoring service. Having had my identity stolen a few years ago, I’d rather know I have some kind of protection and can be alerted rather than wait for the next breach when I am offered “free” monitoring. After all, we all know there is nothing free about undoing the mess when our personal information has been compromised.