Many news outlets seem to be carrying this story:
Sophisticated criminals used an online service run by the IRS to access personal tax information from more than 100,000 taxpayers, part of an elaborate scheme to steal identities and claim fraudulent tax refunds, the IRS said Tuesday.
The thieves accessed a system called "Get Transcript," where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.
The Get Transcript site requires certain knowledge about past returns, most of which is guessable or fairly easy to obtain, such as a Social Security number. Complete records of prior years are returned by email if the thieves succeed in answering enough of the screening questions correctly.
Old tax records enable the thieves to go after refunds, not only for the current year but for future years as well. Having tax returns from prior years provides a wealth of information for future identity theft.
About 200,000 attempts were made, and about half of them succeeded. The system is currently shut down, and Congress is making stern sounds. But as yet the IRS does not know if these thefts were carried out by domestic or foreign thieves.
(Score: 2) by darkfeline on Thursday May 28 2015, @10:58PM
I'd like to extend your comment a bit. Authentication and identification are not the same thing!
An ID is something that uniquely identifies you. Good things for IDs are biometrics, usernames, email addresses, physical addresses, and Social Security numbers. Your name is NOT a good ID, something conveniently ignored by the people who manage no-fly lists.
An authentication key is something only you have access to. ONLY YOU. If anyone else has access to it, it is not a good authentication key. Therefore, the following are NOT good authentication keys: biometrics, social security numbers, your birthday, your address, your dog's name.
I personally think we should all switch to public key pairs for authentication. Have the server send a challenge encrypted with your registered public key, and you decrypt it with your private key and send it back. Instantly protected against replay attacks and improper password storage by the server (I don't need to remind you about the regular password leaks major websites suffer, do I?). If your private key is compromised, no need to change your key everywhere, just send out your revocation certificate.
Join the SDF Public Access UNIX System today!
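The challenge-response login described in the comment above, as an added example that is not part of the original post or the commenter's own code. It uses Go's standard crypto/rsa with OAEP padding; the Server type, its method names, the "login-challenge" label and the user "alice" are assumptions made for the illustration. The server issues a fresh random nonce encrypted to the registered public key, the client decrypts it, and the server accepts the reply once only, so a captured response cannot be replayed; revoking a key is modelled as removing it from the server's registry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// oaepLabel binds the ciphertext to this purpose (assumed name for the example).
var oaepLabel = []byte("login-challenge")

// Server holds registered public keys and at most one outstanding nonce per user.
type Server struct {
	users      map[string]*rsa.PublicKey
	challenges map[string][]byte // user -> nonce awaiting a response
}

func NewServer() *Server {
	return &Server{users: map[string]*rsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores only the public key; the server never sees the private key,
// so a database leak exposes nothing a thief can log in with.
func (s *Server) Register(user string, pub *rsa.PublicKey) { s.users[user] = pub }

// Revoke drops a compromised key; in a real deployment this would be driven by
// the user's signed revocation certificate rather than a direct call.
func (s *Server) Revoke(user string) { delete(s.users, user); delete(s.challenges, user) }

// IssueChallenge draws a fresh 32-byte nonce, remembers it, and returns it
// encrypted to the user's public key. A new nonce on every login is what
// defeats replay: an old response never matches the current nonce.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	pub, ok := s.users[user]
	if !ok {
		return nil, errors.New("unknown or revoked user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, oaepLabel)
	if err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return ct, nil
}

// Verify accepts the response only if it equals the outstanding nonce. The nonce
// is consumed whether or not the check passes, so each challenge works once.
func (s *Server) Verify(user string, response []byte) bool {
	nonce, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(nonce, response) == 1
}

// Respond is the client side: recover the nonce with the private key.
// Only the holder of the matching private key can produce the right answer.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, oaepLabel)
}

// Scenario runs the exchange end to end and reports whether the genuine key
// holder logged in, whether replaying the same response succeeded, and the
// error a holder of the wrong private key gets when trying to answer.
func Scenario() (firstOK, replayOK bool, wrongKeyErr error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // constructed attacker key
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", &alice.PublicKey)

	ch, err := srv.IssueChallenge("alice")
	if err != nil {
		panic(err)
	}
	resp, err := Respond(alice, ch)
	if err != nil {
		panic(err)
	}
	firstOK = srv.Verify("alice", resp)  // genuine login
	replayOK = srv.Verify("alice", resp) // same bytes again: nonce already consumed

	ch2, _ := srv.IssueChallenge("alice")
	_, wrongKeyErr = Respond(mallory, ch2) // OAEP fails: rsa.ErrDecryption
	return firstOK, replayOK, wrongKeyErr
}

func main() {
	first, replay, wrongErr := Scenario()
	fmt.Println("genuine login:", first, "| replay accepted:", replay, "| wrong key:", wrongErr)
}
```

One design caveat worth knowing when reading the comment's proposal: a client that decrypts whatever ciphertext it is handed acts as a decryption oracle for that key, which is why deployed public-key logins (SSH public-key authentication, WebAuthn) have the client sign a server-chosen nonce instead of decrypting one. The replay and key-compromise properties the comment describes hold either way, and the one-time nonce bookkeeping above is the part that provides them.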