SoylentNews is people

posted by CoolHand on Wednesday May 27 2015, @09:51PM
from the stealin-for-a-livin dept.

Many news outlets seem to be carrying this story:

Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.

The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

The Get Transcript site requires certain knowledge about past returns, most of which is guessable, such as a social security number, and other fairly accessible information. Complete records of prior years are returned via email if the thieves succeed in providing enough screening items correctly.

Old tax records enable the thieves to go after refunds, not only for the current year, but future refunds as well. Having tax returns from prior years provides a wealth of information for future identity theft.

About 200,000 attempts were made, and about half of them succeeded. The system is currently shut down, and Congress is making stern sounds. But as yet the IRS does not know if these thefts were carried out by domestic or foreign thieves.
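The access pattern the story describes, one source running the Get Transcript screening questions against many different taxpayers in quick succession, is something the service's own access logs can flag. The following is an added example, not code from the story or from the IRS; the log format, field names and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real IRS data): timestamp, source IP,
# a hashed taxpayer identifier, and whether the KBA screen was passed.
SAMPLE_LOG = """\
2015-05-20T10:00:01 src=198.51.100.7 tp=a1f3 result=PASS
2015-05-20T10:00:04 src=198.51.100.7 tp=b2c4 result=FAIL
2015-05-20T10:00:06 src=198.51.100.7 tp=c3d5 result=PASS
2015-05-20T10:00:09 src=198.51.100.7 tp=d4e6 result=FAIL
2015-05-20T10:00:11 src=198.51.100.7 tp=e5f7 result=PASS
2015-05-20T10:00:13 src=198.51.100.7 tp=f6a8 result=PASS
2015-05-20T10:15:00 src=203.0.113.9 tp=0a1b result=PASS
2015-05-21T09:30:00 src=203.0.113.9 tp=0a1b result=PASS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) tp=(\S+) result=(PASS|FAIL)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, taxpayer, passed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4) == "PASS"))
    return events


def flag_sources(events, window_seconds=3600, max_taxpayers=3):
    """Return {src: (distinct_taxpayers, pass_rate)} for every source that ran
    the KBA screen for more than max_taxpayers distinct taxpayers inside any
    window. A taxpayer re-checking their own transcript is never flagged."""
    by_src = defaultdict(list)
    for ts, src, tp, ok in events:
        by_src[src].append((ts, tp, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e[0] - start).total_seconds() <= window_seconds]
            taxpayers = {tp for _, tp, _ in window}
            if len(taxpayers) > max_taxpayers:
                passes = sum(1 for _, _, ok in window if ok)
                flagged[src] = (len(taxpayers), round(passes / len(window), 2))
                break
    return flagged
```

The pass rate is reported alongside the count because a source that both touches many identities and passes roughly half of them, as in the reported figures, looks nothing like either a legitimate user or blind guessing.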


  • (Score: 3, Informative) by rst (2175) on Wednesday May 27 2015, @11:18PM (#188844)


    The Canadian equivalent involves having a password snail mailed to the address they have on file. The delay is frustrating, but now I wonder if it might be worth it. Still, something in the middle would be nice. Mind you, I'm not sure how to do that.

  • (Score: 4, Interesting) by edIII (791) on Thursday May 28 2015, @01:16AM (#188895)


    The Canadian equivalent involves having a password snail mailed to the address they have on file

    That's about the only, and the smartest, thing you could do under the circumstances. Regardless of system, the IRS must verify the person against data they have. Unfortunately, they're pure morons and chose those data points extremely poorly, with choices that can be easily inferred from data external to the IRS. Probably worse, they concluded that a large amount of those worthless questions gave rise to greater security. Authentication ideally occurs against secrets maintained by both the user and server. They essentially used Secret-Questions exclusively as a form of identification, when Secret-Questions themselves were conceived by morons who knew nothing about security. I think after a few years of using them the industry is figuring out how easy they are to figure out, bypass, or perform social engineering with. I myself utilize them as additional password fields with randomly generated passphrases associated with their questions. Choose the possible questions in order regardless of what they are, and enter the passphrase, broken up into 3 pieces combined differently, into each of the fields. What you end up with is basically a 33% chance to answer the question correctly with no memory of the nature of the questions. With my recently created account at some place using Secret-Questions aggressively, I succeeded twice at two different physical locations on the first try.

    If the IRS were an updated and modern corporation, they could interface with the DMV system, perform a search against a DL#, and then send a passphrase via snail mail to establish control over the address. It's not that nobody could figure out the address, it's the difficulty involved in physically occupying the address and controlling the flow of information through it. This is not much different than authentication and verification protocols used by SSL certificate providers, and other trust providers.

    Just as trust providers use WhoIs information to establish control over a domain (helps prove domain ownership), the IRS could be using the DMV, passports, and the financial services industry to help with authentication. Regardless of what they do, at some point, it always travels back up the line to an organization that can both establish control over an identity, and has physically interacted with the person using the identity at least once. Hence, the DMV is the answer. At least with my experience in Nevada, the DMV seems to be much better at determining identity and restricting information, or at least they don't act like complete newbs on the first day of IT. Unlike the IRS's masterful Security-Questions, the DMV requires a biometric thumbprint *every* time you walk into their offices to speak with you.

    Failing all that, the IRS simply has no choice but to establish other methods requiring physical registration in their offices, just like the DMV does.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
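The scheme edIII describes, random passphrase pieces entered in place of real secret-question answers, as an added illustration that is not the commenter's code, together with the matching server-side handling (normalized input, per-answer salt, slow hash, constant-time compare) and a rough entropy comparison against a guessable fact such as a date of birth. The word list, field count and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import math
import secrets

# Constructed word list for the demo; a real deployment would draw from a
# large published list (e.g. a 7776-word diceware list) to get real entropy.
WORDS = ["anchor", "basalt", "cobalt", "delta", "ember", "fjord", "granite", "harbor"]


def make_passphrase(n_words=6, words=WORDS):
    """Random passphrase; the words bear no relation to any question asked."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def split_into_fields(passphrase, n_fields=3):
    """Deal the passphrase words round-robin into n_fields answers, so each
    secret-question field receives a piece of the secret regardless of which
    question the site happens to pair it with."""
    words = passphrase.split("-")
    fields = [[] for _ in range(n_fields)]
    for i, word in enumerate(words):
        fields[i % n_fields].append(word)
    return ["-".join(f) for f in fields]


def guess_bits(candidates):
    """Bits of work for an attacker who must try every candidate answer."""
    return math.log2(candidates)


def _normalize(answer):
    # Same normalization on store and check, so casing/whitespace slips
    # by the user do not lock them out but do not weaken the secret either.
    return answer.strip().lower().encode()


def store_answer(answer, iterations=100_000):
    """Server side: keep a per-answer salt and a slow hash, never the text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, iterations)
    return salt, digest, iterations


def check_answer(answer, record):
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

A six-word phrase from a 7776-word list is about 77 bits of guessing work; a date of birth somewhere in the last century is about 15, and the IRS data points are fewer still once they can be looked up rather than guessed.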
    • (Score: 0) by Anonymous Coward on Thursday May 28 2015, @06:58PM (#189259)


      the IRS could be using the DMV, passports, and the financial services industry to help with authentication.

      Something about government overreach, consolidating our information and tracking our lives, and making a list of gun owners to take our guns away.