The IRS again revised upwards its estimate of the number of individuals whose information was accessed in the attack on the IRS’s “Get Transcript” application, raising the number to more than 720,000 affected taxpayers. Earlier the IRS on May 26, 2015 announced in a statement published on the agency’s web page that criminals had obtained access to information about 100,000 taxpayers via unauthorized use of the IRS’s “Get Transcript” application. In a similar number of cases the perpetrators had attempted to gain access but failed to do so. The information accessed included Social Security information, date of birth and street address.
Later, on August 17, 2015 the IRS announced the problem was larger than initially revealed, indicating that further research had found that the number of taxpayers who had information accessed was now found to be 330,000—and, a similarly larger number of taxpayer accounts had unsuccessful attempts to access the data. Now the number has been revised upwards again.
The IRS has shut down the “Get Transcript” application pending a determination by the IRS about what modifications to the program should be made in order to strengthen security for the program.
The IRS announcement indicated that the criminals had obtained access to the information that was needed to clear the IRS original authentication process from “non-IRS” sources, though those sources are not identified. As the IRS described in its release, the information needed would include:
- Social Security information
- Date of birth
- Tax filing status
- Street address
- Questions related to additional items that should be known only by the taxpayers (generally the IRS has used information obtained from credit reports)
The original release noted that there were 200,000 total attempts—so that about half of the attempts failed, while the other half successfully gained access to the transcript system. The IRS found questionable activity that it believes relates to attempts to gain unauthorized access from mid-February until May. The August statement indicated that, as noted above, the attempts began earlier and, again, a similar “success/failure” ratio applied to the new activity found.
Although the notice doesn’t give details in this area, more sophisticated frauds that use information obtained from one source (perhaps via a true hack of a site) to then be able to simply gain access to another site (and its information) by simply being able to either log in or create an account.
Brian Krebs, a long time writer on the topic of computer security, on his website KrebsonSecurity published an article that discussed the matter on the day the IRS posted the announcement. Mr. Krebs had published an article in March that detailed the issues one taxpayer ran into when a third party created an account that blocked him from obtaining a transcript online when he was victimized by tax return fraud. Following the August release, Brian published yet another article dealing with this issue, and he continued with another article when the number expanded yet again in February 2016..
It would appear that the gentleman in Mr. Krebs’ original March article was likely one of those now identified by the IRS as part of a much wider criminal fraud.
The IRS will be notifying all taxpayers that had an attempt made to access their data (whether or not the attempt was successful) and offering credit monitoring to the 330,000+ individuals whose accounts were actually accessed.
The Breach’s Broader Impact
Advisers may get phone calls from clients who are on one or the other list. While it may seem “better” to be on the “failed” class, advisers should caution clients that right now we don’t have much information on why these particular accounts were targeted. But it seems likely those who targeted the accounts had a relatively large trove of information on these individuals to make them believe they had a reasonable chance (50% or so) of success.
If that is the case, such individuals should be aware that it’s likely someone unauthorized has a substantial amount of what they’d consider personal and private information about them and that this information could be leveraged to allow those individuals to pose as the client. Thus the individuals should consider doing their own credit report monitoring for the foreseeable future and be on the lookout for any sort of unauthorized access to their accounts.
That information may lead to other problems—many sites and organizations have “password recovery” options for users who claim to have misplaced both their username and password, often “verifying” the user by asking for personal information of some sort. If the criminal has that information it’s trivial to “hijack” an account and make nefarious use of it while locking out the legitimate customer.
Also, as Brian Krebs points out in his August and February article, a number of other sites (including government agencies and banks) make use of the same “out of wallet” information to verify identities that the IRS’s transcript site did. That includes, interestingly enough, the IRS’s own IP-PIN recovery site where victims of ID theft who lose their IP-PIN can recover it online. Again, while that is convenient, it is also less secure than having taxpayers go through the more time consuming steps of having a new IP-PIN issued via paper means. Hopefully, now that the matter has been surfaced, the IRS will plug this hole before ID theft victims become victimized a second time as a party steals their IP-PIN.
Even more interesting, the IRS standards applied to preparers for accepting electronic signature requires confirmation of the taxpayer’s identity using the very same sources that the agency uses for the “out of wallet” questions method. As found in the “Electronic Signature Guidance for Form 8878 and 8879”:
Electronic Signature Via Remote Transaction
A remote transaction for electronic signature is one in which the taxpayer is electronically signing the form and the ERO is not physically present with the taxpayer. For remote transactions, the ERO must record the name, social security number, address and date of birth. Verify that the name, social security number, address, date of birth and other personal information on record are consistent with the information provided through record checks with the applicable agency or institution or through credit bureaus or similar databases.
Some other major sites that make use of this “out of wallet” technique include government sites like that of the Social Security Administration and the annualcreditreport.com site where people can obtain their free credit report once a year. Again, this makes it convenient to set up the account (since you can do it from the comfort of your home at any time) but far less secure (since it can be done from anywhere by someone who has access to enough information).
As well, many sites will make use of similar types of information if a user claims to have forgotten his/her password. Resetting a password allows the person accessing the account to both gain access to whatever is available via that login and lock the legitimate user out of the account.
Steps Individuals Should Take to Protect Themselves
This issue is not unique and it’s not limited to tax related information or the IRS. And, as the ability to infiltrate the IRS site shows, the criminals are figuring out how to work around techniques that are “easy” for people to understand and/or convenient (so I can get my information now). Whether we like it or not, individuals need to take more responsibility for protecting themselves.
Advisers may want to educate clients on the use of “two-factor” authentication for sites that offer the option. In such cases the site normally requires, in addition to the username and password, that the user give the site a unique one time code that is sent to the user as an SMS or generated by an application (like Google Authenticator) that runs on the user’s phone. Use of second factor authentication greatly complicates any attempt by a criminal to make use of username/password combinations.
Adviser also should strongly caution clients about the risks of “reusing” passwords on multiple sites. While there may be little concern about a third party gaining access to a client’s account on a blog devoted to rugby, if that same username password combination is also used to access the client’s bank’s site, a criminal who gains access to the rugby site’s list of usernames and passwords can make use of that to access the bank account. And, quite often, there simply won’t be strong protections for the password database on sites like the rugby blog, often because the blog is simply a site being run by a rugby (or needlepoint, etc.) enthusiast in his/her spare time.
In particular advisers who maintain portals that allow clients to access information (like tax returns) should be sure to advise clients to not use a password for your firm’s site that is used anywhere else. Because, unfortunately, if the client’s data is accessed by a third party making use of the password from the rugby site the news story will be, like the one for the IRS, that clients of your firm had data accessed by unauthorized third parties.
Similarly, clients should also be aware of the risks of using “poor” or short passwords that can be either easily guessed (password is a bad password—and simply changing the letter o to a zero doesn’t really improve things).