Yesterday, the Internal Revenue Service reported that since February, attackers had gained access to more than 100,000 taxpayer records by exploiting the authentication process used by an IRS web app. That now-disabled service, called Get Transcript, allowed taxpayers to download tax-return and payment data, provided they could enter their Social Security numbers and confirm certain pieces of information about themselves. In all, the attackers tried to access more than 200,000 accounts and succeeded in getting into roughly half of them. Where they did get access, they used the transcript data to file fraudulent tax returns in the names of the people they had impersonated, in an attempt to divert those taxpayers' refunds. From Ars Technica's explanation of how the attackers got in, it's pretty clear the IRS was asking for trouble:
To obtain a transcript online [using the service], all that was needed to start the process was a Social Security number and an active e-mail address. Once the e-mail address was confirmed as legitimate, the system would then ask a number of questions about personal, financial, and tax information — including date of birth, tax filing status, and address — before providing the transcript for download.
This sort of authentication, called knowledge-based authentication (KBA), is highly vulnerable to fraud. It relies on facts that never change and cannot be reset after a leak, and exactly those facts are widely available to anyone willing to pay for them on marketplaces for stolen personal and financial data. Because the "secret" the check asks for is the same data a fraudster already holds, the check cannot distinguish the taxpayer from someone holding the taxpayer's file; the roughly 50 percent success rate across 200,000 attempts suggests the attackers were working straight from such records. The transcripts that were fraudulently downloaded were likely made accessible by Social Security numbers and other personal data leaked in any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS's transcript request system back in March. He advised taxpayers to register accounts on IRS.gov themselves, if only to prevent someone else from creating a fraudulent account on their records first.
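To make the weakness concrete, here is an added model of a KBA check of the kind described above, next to the same check backed by a possession factor. This is illustrative code written for this page, not the IRS's system or Ars Technica's; the taxpayer records, the "breach dump", and the per-account secrets are constructed sample data, and the TOTP routine is the standard RFC 6238 algorithm. The point it shows is that a record bought from a breach satisfies every KBA question by construction, while a second factor provisioned to the taxpayer is absent from any third party's breach.

```python
"""Static knowledge-based authentication (KBA) versus KBA plus a possession
factor.  Illustrative model only; all records below are constructed."""
import hashlib
import hmac
import struct
import time

# Constructed records: the static fields a transcript service might check.
TAXPAYERS = {
    "123-45-6789": {"dob": "1970-01-15", "filing_status": "single", "address": "1 Main St"},
    "987-65-4321": {"dob": "1985-06-30", "filing_status": "married", "address": "2 Oak Ave"},
}

# Constructed "breach dump": the same fields as an attacker would buy them.
# The second record is stale (old address), which is why not every attempt lands.
BREACH_DUMP = [
    {"ssn": "123-45-6789", "dob": "1970-01-15", "filing_status": "single", "address": "1 Main St"},
    {"ssn": "987-65-4321", "dob": "1985-06-30", "filing_status": "married", "address": "9 Old Rd"},
]

KBA_FIELDS = ("dob", "filing_status", "address")


def kba_verify(ssn, answers):
    """Pure KBA: succeed when every stored static field is matched."""
    record = TAXPAYERS.get(ssn)
    if record is None:
        return False
    # constant-time comparison so answer checking leaks nothing via timing
    return all(hmac.compare_digest(record[f], answers.get(f, "")) for f in KBA_FIELDS)


def simulate_kba_attack(dump):
    """Replay each purchased record against the KBA check; return (attempts, successes)."""
    successes = sum(kba_verify(r["ssn"], r) for r in dump)
    return len(dump), successes


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed per-account secrets, provisioned to the taxpayer out of band.
# Unlike a date of birth, these never sit in some other organisation's database.
TOTP_SECRETS = {"123-45-6789": b"constructed-secret-1", "987-65-4321": b"constructed-secret-2"}


def two_factor_verify(ssn, answers, code, now=None):
    """KBA used only to identify the account, plus a possession factor that must also hold."""
    if not kba_verify(ssn, answers):
        return False
    secret = TOTP_SECRETS.get(ssn)
    if secret is None:
        return False
    now = time.time() if now is None else now
    # accept the current and previous 30-second step to tolerate clock skew
    return any(hmac.compare_digest(totp(secret, now - d * 30), code) for d in (0, 1))


def simulate_2fa_attack(dump, now=None):
    """Attacker holds the dump but no secrets, so the best it can do is guess a code."""
    successes = sum(two_factor_verify(r["ssn"], r, "000000", now) for r in dump)
    return len(dump), successes


if __name__ == "__main__":
    print("KBA only:       attempts, successes =", simulate_kba_attack(BREACH_DUMP))
    print("KBA + TOTP:     attempts, successes =", simulate_2fa_attack(BREACH_DUMP))
```

Run against the constructed dump, the KBA-only check lets the attacker in wherever the purchased record is current, which is the failure mode the article describes; the same dump gets nowhere once a factor the attacker never held is required. Note that the possession factor also has to be enrolled before a fraudster does it, which is the race Krebs was warning about.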
IRS commissioner John Koskinen told the Associated Press that the perpetrators were clearly not amateurs but rather “sophisticated criminals with access to a tremendous amount of data,” and who were part of “organized crime syndicates that not only we but everybody in the financial industry are dealing with.” In response, the IRS will be notifying everyone whose accounts were targeted by the hacks, as well as offering identity-theft monitoring to those whose accounts were ultimately compromised.