SoylentNews is people

posted by CoolHand on Wednesday May 27 2015, @09:51PM
from the stealin-for-a-livin dept.

Many news outlets seem to be carrying this story:

Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.

The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

The Get Transcript site requires certain knowledge about past returns, most of which is guessable, such as a social security number, and other fairly accessible information. Complete records of prior years are returned via email if the thieves succeed in providing enough screening items correctly.

Old tax records enable the thieves to go after refunds, not only for the current year, but future refunds as well. Having tax returns from prior years provides a wealth of information for future identity theft.

About 200,000 attempts were made, and about half of them succeeded. The system is currently shut down, and Congress is making stern sounds. But as yet the IRS does not know if these thefts were carried out by domestic or foreign thieves.

  • (Score: 2, Insightful) by Anonymous Coward on Wednesday May 27 2015, @09:56PM

    by Anonymous Coward on Wednesday May 27 2015, @09:56PM (#188797)

    Identifying information should not be used for authentication, or in short, IDs are not passwords.

    Too bad for us peons, the data borkers have turned their databases of public information into authentication products [experian.com] they sell to banks and other companies. It is a house of cards just one data-breach away from crashing down.

  • (Score: 1) by Placenta on Wednesday May 27 2015, @10:01PM

    by Placenta (5264) on Wednesday May 27 2015, @10:01PM (#188800)

    So you've identified a problem.

    Now what's your solution?

    You must remember that users want near-instant online access. They won't be happy when they need to access the site and its information today, because of a strict deadline that's coming up tomorrow, yet in order to access the data online they'll need to wait a week for the IRS to mail them their password or access code.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 27 2015, @10:07PM

      by Anonymous Coward on Wednesday May 27 2015, @10:07PM (#188804)

      Then the morons can go fuck themselves, because these are the same idiots who whine and cry when their bank account is emptied by a thief thanks to insecure practices.

      • (Score: 0, Troll) by Placenta on Wednesday May 27 2015, @10:12PM

        by Placenta (5264) on Wednesday May 27 2015, @10:12PM (#188806)

        Let me see if I understand your solution to this problem. So let us suppose that John Smith needs to access his past tax returns and filings. In order to do this securely, he will need to get his penis to an erect state, he will then need to pull it between his legs, and bend it up so that he can insert it directly into his own anus? This will then improve his online security? Won't this break the area where his penis attaches to his abdomen?

        • (Score: 1) by KGIII on Thursday May 28 2015, @12:51AM

          by KGIII (5261) on Thursday May 28 2015, @12:51AM (#188892) Journal

          You have obviously not been to Cam4...

          --
          "So long and thanks for all the fish."
    • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @10:26PM

      by Anonymous Coward on Wednesday May 27 2015, @10:26PM (#188812)

      Just because no solution is suggested doesn't mean that the argument is wrong.
      Maybe the users desiring near-instant online access *are* wrong... for now. Gimme an afternoon to actually think about solutions. Step one is always to identify that upon which could be improved. We've completed that step, now let's take the next one.

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday May 27 2015, @10:51PM

      by Anonymous Coward on Wednesday May 27 2015, @10:51PM (#188824)

      So you've identified a problem.

      Now what's your solution?

      I don't have one.

      But, as the saying goes, you don't have to be a baker to know when the bread is stale.

    • (Score: 3, Insightful) by tftp on Wednesday May 27 2015, @11:11PM

      by tftp (806) on Wednesday May 27 2015, @11:11PM (#188840) Homepage

      You must remember that users want near-instant online access.

      The users also want a pony. So what? They aren't getting one.

      • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @11:34PM

        by Anonymous Coward on Wednesday May 27 2015, @11:34PM (#188853)

        Neigh you say?

    • (Score: 2) by SecurityGuy on Thursday May 28 2015, @04:21PM

      by SecurityGuy (1453) on Thursday May 28 2015, @04:21PM (#189159)

      You must remember that users want near-instant online access.

      So? We're not talking about Netflix, here, we're talking about the IRS. It's not like they can just go pay taxes to someone else. I'm all for being responsive to the needs of the end user--unless there's a good reason not to give them what they're demanding. If user X demands immediate access to their past tax returns, and the cost is making EVERYONE'S data insecure, then there's only one rational answer: No.

      For that matter, there's an IRS office 5 miles from my house. I can go there, present actual ID, and get copies of my records. Online would be nice, sure, but not at any cost.

    • (Score: 0) by Anonymous Coward on Thursday May 28 2015, @08:15PM

      by Anonymous Coward on Thursday May 28 2015, @08:15PM (#189297)

      Is this an alternative universe where asymmetric cryptography was never invented?

  • (Score: 2) by darkfeline on Thursday May 28 2015, @10:58PM

    by darkfeline (1030) on Thursday May 28 2015, @10:58PM (#189380) Homepage

    I'd like to extend your comment a bit. Authentication and identification are not the same thing!

    An ID is something that uniquely identifies you. Good things for IDs are biometrics, usernames, email addresses, physical addresses, and Social Security numbers. Your name is NOT a good ID, something conveniently ignored by the people who manage no-fly lists.

    An authentication key is something only you have access to. ONLY YOU. If anyone else has access to it, it is not a good authentication key. Therefore, the following are NOT good authentication keys: biometrics, social security numbers, your birthday, your address, your dog's name.

    I personally think we should all switch to public key pairs for authentication. Have the server send a challenge encrypted with your registered public key, and you decrypt it with your private key and send it back. Instantly protected against replay attacks and improper password storage by the server (I don't need to remind you about the regular password leaks major websites suffer, do I?). If your private key is compromised, no need to change your key everywhere, just send out your revocation certificate.

    --
    Join the SDF Public Access UNIX System today!
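
The challenge-response login described in darkfeline's comment above, as an added example that is not part of the original comment or of any real system. The Server class, the function names and the keys are assumptions made for illustration, and textbook RSA over fixed Mersenne primes stands in for a vetted cryptographic library.

```python
import hmac
import secrets

E = 65537  # public exponent

def make_keypair(p, q):
    # Toy textbook RSA from two fixed primes: no padding, far too small for real use.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public key, private key)

class Server:
    """Holds only public keys, so a leaked user table contains no login secret."""
    def __init__(self):
        self.pubkeys = {}  # user -> (n, e)
        self.pending = {}  # user -> nonce still awaiting an answer

    def register(self, user, public_key):
        self.pubkeys[user] = public_key

    def issue_challenge(self, user):
        n, e = self.pubkeys[user]
        nonce = secrets.randbelow(n - 2) + 2  # fresh random value for every login
        self.pending[user] = nonce
        return pow(nonce, e, n)  # only the matching private key recovers the nonce

    def verify(self, user, response):
        expected = self.pending.pop(user, None)  # single use, so a replay finds nothing
        if expected is None or not 0 <= response < self.pubkeys[user][0]:
            return False
        width = (self.pubkeys[user][0].bit_length() + 7) // 8
        return hmac.compare_digest(expected.to_bytes(width, "big"),
                                   response.to_bytes(width, "big"))

def answer(private_key, challenge):
    n, d = private_key
    return pow(challenge, d, n)  # client side: decrypt the challenge

def demo():
    # Constructed keys from Mersenne primes, for illustration only.
    alice_pub, alice_priv = make_keypair(2**127 - 1, 2**89 - 1)
    _, mallory_priv = make_keypair(2**107 - 1, 2**61 - 1)
    server = Server()
    server.register("alice", alice_pub)
    good = answer(alice_priv, server.issue_challenge("alice"))
    accepted = server.verify("alice", good)
    replay_no_challenge = server.verify("alice", good)
    server.issue_challenge("alice")
    replay_new_challenge = server.verify("alice", good)
    wrong_key = server.verify("alice", answer(mallory_priv, server.issue_challenge("alice")))
    return accepted, replay_no_challenge, replay_new_challenge, wrong_key
```

demo() returns four flags: the first login is accepted, while the replayed response (with and without a new challenge pending) and the answer computed with a different private key are rejected.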