
posted by CoolHand on Wednesday May 27 2015, @09:51PM
from the stealin-for-a-livin dept.

Many news outlets seem to be carrying this story:

Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.

The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

The Get Transcript site requires certain knowledge about past returns, most of which is guessable, such as a Social Security number, and other fairly accessible information. Complete records for prior years are returned via email if the thieves succeed in providing enough screening items correctly.

Old tax records enable the thieves to go after refunds, not only for the current year, but future refunds as well. Having tax returns from prior years provides a wealth of information for future identity theft.

About 200,000 attempts were made, and about half of them succeeded. The system is currently shut down, and Congress is making stern sounds. But as yet the IRS does not know if these thefts were carried out by domestic or foreign thieves.


[Editor's Comment: Original Submission]

Related Stories

Breaking News: IRS Hack Bigger Than Previously Thought

The U.S. Internal Revenue Service has increased its estimate of the number of taxpayers affected by a security flaw to about 334,000:

The IRS says more taxpayers than it originally believed had their data stolen by hackers. The agency now says the total is more than 300,000.

In May, when it first revealed the breach, the IRS reported some 114,000 taxpayers had their data stolen. But in what the IRS is calling a "deeper analysis" of the breach, it identified an additional 220,000 cases where hackers got access to taxpayer records. The agency says hackers tried, but failed to access the data of some 280,000 more taxpayers.

The hackers got into the accounts by clicking a link on the IRS website called Get Transcripts. The link allowed taxpayers to get copies of their own back tax returns to use, for example, in applying for loans.

The hackers, who the IRS believes may have been part of an organized crime syndicate possibly based in Russia, were sophisticated.

Reuters, CBS, WSJ.

Previously: IRS Coughs up 100,000 Tax Returns to Thieves


  • (Score: 2, Insightful) by Anonymous Coward on Wednesday May 27 2015, @09:56PM

    by Anonymous Coward on Wednesday May 27 2015, @09:56PM (#188797)

    Identifying information should not be used for authentication; in short, IDs are not passwords.

    Too bad for us peons, the data brokers have turned their databases of public information into authentication products [experian.com] they sell to banks and other companies. It is a house of cards just one data breach away from crashing down.

    • (Score: 1) by Placenta on Wednesday May 27 2015, @10:01PM

      by Placenta (5264) on Wednesday May 27 2015, @10:01PM (#188800)

      So you've identified a problem.

      Now what's your solution?

      You must remember that users want near-instant online access. They won't be happy when they need to access the site and its information today, because of a strict deadline that's coming up tomorrow, yet in order to access the data online they'll need to wait a week for the IRS to mail them their password or access code.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 27 2015, @10:07PM

        by Anonymous Coward on Wednesday May 27 2015, @10:07PM (#188804)

        Then the morons can go fuck themselves, because these are the same idiots who whine and cry when their bank account is emptied by a thief thanks to insecure practices.

        • (Score: 0, Troll) by Placenta on Wednesday May 27 2015, @10:12PM

          by Placenta (5264) on Wednesday May 27 2015, @10:12PM (#188806)

          Let me see if I understand your solution to this problem. So let us suppose that John Smith needs to access his past tax returns and filings. In order to do this securely, he will need to get his penis to an erect state, he will then need to pull it between his legs, and bend it up so that he can insert it directly into his own anus? This will then improve his online security? Won't this break the area where his penis attaches to his abdomen?

          • (Score: 1) by KGIII on Thursday May 28 2015, @12:51AM

            by KGIII (5261) on Thursday May 28 2015, @12:51AM (#188892) Journal

            You have obviously not been to Cam4...

            --
            "So long and thanks for all the fish."
      • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @10:26PM

        by Anonymous Coward on Wednesday May 27 2015, @10:26PM (#188812)

        Just because no solution is suggested doesn't mean that the argument is wrong.
        Maybe the users desiring near-instant online access *are* wrong... for now. Gimme an afternoon to actually think about solutions. Step one is always to identify what could be improved. We've completed that step, now let's take the next one.

      • (Score: 2, Insightful) by Anonymous Coward on Wednesday May 27 2015, @10:51PM

        by Anonymous Coward on Wednesday May 27 2015, @10:51PM (#188824)

        So you've identified a problem.

        Now what's your solution?

        I don't have one.

        But, as the saying goes, you don't have to be a baker to know when the bread is stale.

      • (Score: 3, Insightful) by tftp on Wednesday May 27 2015, @11:11PM

        by tftp (806) on Wednesday May 27 2015, @11:11PM (#188840) Homepage

        You must remember that users want near-instant online access.

        The users also want a pony. So what? They aren't getting one.

        • (Score: 0) by Anonymous Coward on Wednesday May 27 2015, @11:34PM

          by Anonymous Coward on Wednesday May 27 2015, @11:34PM (#188853)

          Neigh you say?

      • (Score: 2) by SecurityGuy on Thursday May 28 2015, @04:21PM

        by SecurityGuy (1453) on Thursday May 28 2015, @04:21PM (#189159)

        You must remember that users want near-instant online access.

        So? We're not talking about Netflix, here, we're talking about the IRS. It's not like they can just go pay taxes to someone else. I'm all for being responsive to the needs of the end user--unless there's a good reason not to give them what they're demanding. If user X demands immediate access to their past tax returns, and the cost is making EVERYONE'S data insecure, then there's only one rational answer: No.

        For that matter, there's an IRS office 5 miles from my house. I can go there, present actual ID, and get copies of my records. Online would be nice, sure, but not at any cost.

      • (Score: 0) by Anonymous Coward on Thursday May 28 2015, @08:15PM

        by Anonymous Coward on Thursday May 28 2015, @08:15PM (#189297)

        Is this alternative universe where asymmetric cryptography was never invented?

    • (Score: 2) by darkfeline on Thursday May 28 2015, @10:58PM

      by darkfeline (1030) on Thursday May 28 2015, @10:58PM (#189380) Homepage

      I'd like to extend your comment a bit. Authentication and identification are not the same thing!

      An ID is something that uniquely identifies you. Good things for IDs are biometrics, usernames, email addresses, physical addresses, and Social Security numbers. Your name is NOT a good ID, something conveniently ignored by the people who manage no-fly lists.

      An authentication key is something only you have access to. ONLY YOU. If anyone else has access to it, it is not a good authentication key. Therefore, the following are NOT good authentication keys: biometrics, social security numbers, your birthday, your address, your dog's name.

      I personally think we should all switch to public key pairs for authentication. Have the server send a challenge encrypted with your registered public key, and you decrypt it with your private key and send it back. Instantly protected against replay attacks and improper password storage by the server (I don't need to remind you about the regular password leaks major websites suffer, do I?). If your private key is compromised, no need to change your key everywhere, just send out your revocation certificate.

      --
      Join the SDF Public Access UNIX System today!
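      The challenge-response login darkfeline describes above, written out as an added Go example (this is not code from the post or from any IRS system; the Server type, the 32-byte nonce and the single-use bookkeeping are my own assumptions). It goes slightly beyond the post: the server keeps one fresh nonce per user and discards it after the first verification attempt, so a captured response cannot be replayed, and the comparison is constant-time.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// Server keeps registered public keys and at most one outstanding nonce per user.
type Server struct {
	keys       map[string]*rsa.PublicKey
	challenges map[string][]byte
}
func NewServer() *Server {
	return &Server{keys: map[string]*rsa.PublicKey{}, challenges: map[string][]byte{}}
}
func (s *Server) Register(user string, pub *rsa.PublicKey) { s.keys[user] = pub }
// Challenge: fresh 32-byte nonce, remembered, returned RSA-OAEP-encrypted to the user's key.
func (s *Server) Challenge(user string) ([]byte, error) {
	pub, ok := s.keys[user]
	if !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
}
// Verify accepts only the outstanding nonce and discards it either way, so replays fail.
func (s *Server) Verify(user string, response []byte) bool {
	nonce, ok := s.challenges[user]
	delete(s.challenges, user)
	return ok && subtle.ConstantTimeCompare(nonce, response) == 1
}
// Client side: only the private-key holder can recover the nonce from the challenge.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, nil)
}
func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func main() {
	priv, _ := GenerateClientKey() // the public half is what the user registers
	srv := NewServer()
	srv.Register("alice", &priv.PublicKey)
	ch, _ := srv.Challenge("alice")
	resp, _ := Respond(priv, ch)
	fmt.Println("accepted:", srv.Verify("alice", resp), "replay:", srv.Verify("alice", resp))
}
```

      Deployed systems usually have the client sign a server nonce rather than decrypt one, because a client that decrypts whatever it is handed can be abused as a decryption oracle for its own key.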
  • (Score: 2, Funny) by Anonymous Coward on Wednesday May 27 2015, @10:14PM

    by Anonymous Coward on Wednesday May 27 2015, @10:14PM (#188807)

    Just heard that Santorum announced candidacy for US President, and he said the #1 step in "Taking back the country" (yes, president is still black!) is to get rid of the tax code and the IRS!!! Yeah!! But I hear as well that Santorum still has his emails printed out so he can read them, so probably not.

    • (Score: 1, Touché) by Anonymous Coward on Wednesday May 27 2015, @10:39PM

      by Anonymous Coward on Wednesday May 27 2015, @10:39PM (#188815)

      He can read?

    • (Score: 3, Insightful) by isostatic on Wednesday May 27 2015, @10:57PM

      by isostatic (365) on Wednesday May 27 2015, @10:57PM (#188831) Journal

      What has ass dribble got to do with anything?

    • (Score: 1, Funny) by Anonymous Coward on Wednesday May 27 2015, @11:26PM

      by Anonymous Coward on Wednesday May 27 2015, @11:26PM (#188848)

      Santorum runs.

  • (Score: 3, Informative) by isostatic on Wednesday May 27 2015, @10:59PM

    by isostatic (365) on Wednesday May 27 2015, @10:59PM (#188835) Journal

    Was something taken with the attempt to deprive? Or did the criminals merely copy the data?

  • (Score: 3, Informative) by rst on Wednesday May 27 2015, @11:18PM

    by rst (2175) on Wednesday May 27 2015, @11:18PM (#188844)

    The Canadian equivalent involves having a password snail mailed to the address they have on file. The delay is frustrating, but now I wonder if it might be worth it. Still, something in the middle would be nice. Mind you, I'm not sure how to do that.

    • (Score: 4, Interesting) by edIII on Thursday May 28 2015, @01:16AM

      by edIII (791) on Thursday May 28 2015, @01:16AM (#188895)

      The Canadian equivalent involves having a password snail mailed to the address they have on file

      That's about the only, and smartest thing, you could do under the circumstances. Regardless of system, the IRS must verify the person against data they have. Unfortunately, they're pure morons and chose those data points extremely poorly with choices that can be easily inferred from data external to the IRS. Probably worse, they concluded that a large amount of those worthless questions gave rise to greater security. Authentication ideally occurs against secrets maintained by both the user and server. They essentially used Secret-Questions exclusively as a form of identification, when Secret-Questions themselves were conceived by morons who knew nothing about security. I think after a few years of using them the industry is figuring out how easy they are to figure out, bypass, or perform social engineering with. I myself utilize them as additional password fields with randomly generated passphrases associated with their questions. Choose the possible questions in order regardless of what they are, enter the passphrase broken up into 3 pieces combined differently, into each of the fields. What you end up with is basically a 33% chance to answer the question correctly with no memory of the nature of the questions. With my recently created account at some place using Secret-Questions aggressively, I succeeded twice at two different physical locations on the first try.

      If the IRS were an updated and modern corporation, they could interface with the DMV system, perform a search against a DL#, and then send a passphrase via snail mail to establish control over the address. It's not that nobody could figure out the address, it's the difficulty involved in physically occupying the address and controlling the flow of information through it. This is not much different than authentication and verification protocols used by SSL certificate providers, and other trust providers.

      Just as trust providers use WhoIs information to establish control over a domain (helps prove domain ownership), the IRS could be using the DMV, passports, and the financial services industry to help with authentication. Regardless of what they do, at some point, it always travels back up the line to an organization that can both establish control over an identity, and has physically interacted with the person using the identity at least once. Hence, the DMV is the answer. At least with my experience in Nevada, the DMV seems to be much better at determining identity and restricting information, or at least doesn't act like complete newbs on the first day of IT. Unlike the IRS's masterful Security-Questions, the DMV requires a biometric thumbprint *every* time you walk into their offices to speak with you.

      Failing all that, the IRS simply has no choice but to establish other methods requiring physical registration in their offices, just like the DMV does.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Thursday May 28 2015, @06:58PM

        by Anonymous Coward on Thursday May 28 2015, @06:58PM (#189259)

        the IRS could be using the DMV, passports, and the financial services industry to help with authentication.

        Something about government overreach, consolidating our information and tracking our lives, and making a list of gun owners to take our guns away.