IRS Finds Two Dozen Preparers' Systems Breached in Latest Attacks

The IRS stated in September of 2016 in News Release IR-2016-119 that the IRS had become aware of approximately two dozen cases of preparers' systems taken over by identity thieves. As the IRS described the issue:

Thieves are able to access tax professionals’ computers and use remote technology to take control, accessing client data and completing and e-filing tax returns but directing refunds to criminals’ own accounts.

Victims in the tax community learned of these thefts while reconciling e-file acknowledgements.

The IRS recommends specific steps that advisers should take to deal with this issue, in addition to the standard advice to run security scans and educate staff on phishing scams.

For this attack two specific steps would mitigate or eliminate the problem. First, tax advisers should use strong, unique passwords to access tax software. At least in that event a third party who gains access to the computer system will still face problems attempting to use the tax software. Second, firms should review any and all remote access software used by anyone—and that includes your outside IT consultant in addition to your employees.

Many advisers have been using remote access software for years to enable the CPA to work outside the office. But with that convenience comes a responsibility to ensure the access is secured.

If the office is using the built-in remote access in Windows (Remote Desktop) to handle this issue, it is extremely important to keep Windows updated, to use complex passwords to gain access to the system, and to have the service run through your router on a port other than the default one of 3389.

An attacker can scan ports to find Remote Desktop Protocol (RDP) servers, though the experiences of some who have looked at logs suggest most potential attackers are lazy and simply try only the default port—so using a different port will reduce (but certainly not eliminate) the number of attempted attacks. A more determined attacker will likely just scan the ports on the portion of your network exposed to the internet to find one that responds to the RDP protocol.

If the firm is using a VNC-based system, many of the same issues will arise with that protocol as with RDP—and similar protections will apply.

An issue with both of these firm-hosted solutions is that they require opening ports on your network to the internet, and it will take little time for scanning bots to recognize that your network responds to certain traffic. At that point your system has to be able to withstand attacks—and if the attacker becomes aware of a vulnerability in your solution that is unpatched, or known only to the attacker, he/she will be able to gain access (thus the key requirement to patch immediately).

The use of third-party web-based solutions (Citrix GoToMyPC, LogMeIn, Chrome Remote Desktop) would eliminate having an opening into your network, but it provides a single point of access. For those services the use of strong, unique passwords is crucial.

As well, the use of two-factor authentication (using systems like Google Authenticator) is strongly recommended to block access even if the passwords get loose. Be sure to look at how you can "recover access" if you claim to have lost your two-factor device—too often organizations provide all too easy backdoor ways to help customers regain access in those cases. A staff member who cannot provide the second factor should be locked out and should not be able to quickly regain access, so a recovery process that takes days (not minutes) to turn off two-factor authentication is to be strongly preferred.

It also makes sense to assume these parties will get to the "front door" (that is, as if sitting in front of your machine), so CPAs should make sure their machines quickly go to a lock screen if a session goes inactive for a period of time and that a password is required to gain access again. As well, the CPA should make a habit of always locking their machine whenever the CPA leaves his/her desk or gets ready to log out of a remote session (the Windows key and L pressed simultaneously will lock a Windows machine by default).
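The Remote Desktop hardening steps above (keep Windows patched, move RDP off port 3389) and the lock-screen advice can be checked on a Windows host with the following script. It is an added example, not code from the IRS release or from this article; the 30-day patch window and the 15-minute lock timeout are this example's own assumed thresholds, and it reads only standard Windows registry values and the hotfix list.

```powershell
# Added example: audit the remote-access settings this article recommends.
# Run in an elevated PowerShell session on the machine that hosts Remote Desktop.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Status, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Is built-in Remote Desktop enabled? (fDenyTSConnections = 1 means disabled)
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    Add-Finding 'Remote Desktop' 'INFO' 'Remote Desktop is disabled on this host'
} else {
    Add-Finding 'Remote Desktop' 'WARN' 'Remote Desktop is enabled; confirm it is needed and who uses it'
}

# 2. Listening port: the article advises a port other than the default 3389.
#    (Changing the port only thins out lazy scanners; patching and strong passwords still matter.)
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdp.PortNumber -eq 3389) {
    Add-Finding 'RDP port' 'WARN' 'RDP listens on the default port 3389'
} else {
    Add-Finding 'RDP port' 'PASS' "RDP listens on non-default port $($rdp.PortNumber)"
}

# 3. Patching: flag hosts with no update installed in the last 30 days (assumed window).
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix -and $lastFix.InstalledOn -gt (Get-Date).AddDays(-30)) {
    Add-Finding 'Windows updates' 'PASS' "Last update $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString())"
} else {
    Add-Finding 'Windows updates' 'WARN' 'No update installed in the last 30 days'
}

# 4. Lock screen for the current user: screen saver active, password required on resume,
#    and a timeout of at most 15 minutes (900 s; the threshold is this example's assumption).
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]($desk.ScreenSaveTimeOut)
if ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and $timeout -le 900) {
    Add-Finding 'Lock screen' 'PASS' "Locks after $timeout s of inactivity and requires a password"
} else {
    Add-Finding 'Lock screen' 'WARN' 'Inactive sessions do not lock automatically with a password'
}

$findings | Format-Table -AutoSize
```

Any WARN line is a setting to fix before the machine is left reachable from the internet; the lock-screen check reflects only the user running the script, so repeat it for each account that signs in.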

Finally, remind all members of your staff that the passwords they use to access your systems and tax software should be unique, complex passwords used only for this level of high-risk access. Users are all too apt to use the same password everywhere—so when a high-profile site loses control of its password database (LinkedIn and Dropbox in 2012, Adobe in 2013) attackers will try that password/email combination on other sites—in fact, there are automated tools attackers can buy to test such lists of usernames and passwords automatically on multiple sites.

This news release comes less than a month after the IRS warned of phishing attacks on preparers that posed as critical tax updates from tax software vendors. In that case CPAs who took the bait and installed the "update" actually installed a key logger on their system, sending all information typed on the keyboard to unknown actors.

These attacks will not be the only types of attacks firms will face, and it seems likely the number of attempts to obtain firm information will increase in the future. The only real way to mitigate this risk is to combine security software, hardware and policies, and to remind staff and vendors of the various attack methods that can be used. No single measure by itself will be able to stop all attacks—rather, firms need a layered approach to securing clients' data.