In just the latest high-profile data breach, the Internal Revenue Service disclosed yesterday that criminals had accessed approximately 100,000 tax accounts through a vulnerable part of the agency’s website.
Breaching the Get Transcript service — which as of this posting remains offline — would allow thieves access to your past tax returns, which, of course, include loads of personally identifiable information.
On the breach
Although news outlets are referring to the incident as a “hack,” this term may be a bit too generous. The heist involved none of the code-breaking one might expect to be necessary to obtain data this sensitive. Rather, the cyber-criminals walked right through the front door of the IRS’s public website.
The Get Transcript service uses knowledge-based authentication to verify that users are who they say they are. To access the data, any taxpayer — or a criminal pretending to be that taxpayer — would simply need to enter personal information and then answer challenge questions, which are usually related to current or past addresses.
Put differently, this section of the IRS website worked exactly as it was designed to.
And so, as I see it, the two real problems are:
- The authentication methods are too simple in an age when powerful search engines like Google and Trulia are readily available to the public
- Because criminals still needed a Social Security Number, filing status, and date of birth to even get to the challenge questions, we should be extra concerned that even this much of our identifying information is floating around out there — perhaps thanks to the Anthem, Target, or Home Depot breaches
The potential ill effects
Besides the increased general risk of having more of your personal information out there, a criminal who can pretend to be you to the IRS can leave your finances in shambles.
Now, you might be thinking this couldn’t possibly hurt you because you always owe money when you file your taxes and if a crook wants to be so kind as to pay off some of that tax bill, then that’s fine by you.
Well, think again.
Faking your identity could give criminals the ability to fraudulently file your taxes next year, while rearranging your numbers to receive a big refund sent straight to their criminal hands. Shortly afterward, you might end up in the uncomfortable position of being audited by the IRS due to your info being stolen — from the IRS.
For now, the IRS is doing its best to pick up the pieces and will be notifying those whose data it suspects was compromised.
Why you might be safe
Luckily, I posted about this very vulnerability a month ago and suggested that you create a password-protected account before criminals had the chance to. Thanks to this preventative step, when criminals tried to breach your IRS data, they were instead prompted for your password.
At least I hope that’s what happened.
Best of luck to all of us in this increasingly risky world.