The IRS announced that it was adding “a more rigorous e-authentication process for taxpayers that will significantly increase protection against identity thieves impersonating taxpayers to access tax return information through the IRS Get Transcript online service.
In 2015 hackers compromised the tax records of 700,000 citizens. This was some brute force attack of a network, it was sophisticated and the hackers had a lot of information about the taxpayers.
The fraudsters cleared a multi-step authentication process that required prior personal knowledge, including Social Security information, date of birth, filing status and street address before accessing IRS systems. The process also required an additional step, where applicants must correctly answer several knowledge-based authentication questions that typically are only known by the taxpayer.
With the new systems, taxpayers must have an email address, a text-enabled mobile phone and specific financial account information, such as a credit card number or certain loan numbers. Taxpayers who registered using the older process will need to re-register and strengthen their authentication in order to access the site.
As part of the new multi-factor process, the IRS will send verification, activation or security codes via email and text. The IRS texts and emails will only contain one-time codes.
Hooray! Multi-factor authentication, that should stop hackers cold in their tracks, right?
Well, sort of, but not completely, though it may slow them down. Increasingly, hackers have found ways to get past over the air text message passcodes. Man-in-the-middle attacks on mobile devices and mobile phone account takeovers are on the rise. They have become so vulnerable that the National Institute of Standard and Technology is suggesting that they be deprecated for use as a second factor to online accounts.
I understand the security problems with text-based passcodes but the alternatives are problematic from a user perspective. App-based passcodes are more secure but if you’re not a frequent user of them they’re not great. I use Google Authenticator almost daily but if I didn’t have multiple apps that required it I would be hesitant to download it just for the IRS, something I may use once or twice a year. It’s significantly easier to get the passcode sent as a text message.
There is no easy solution. It was estimated that hackers stole as much as $50 million in the 2015 IRS breach. With that much on the line the fraudsters are going to do everything they can to find their way around these systems.
The usability of these authentication systems need to be considered as much as the security. Because if they’re not easy to use people won’t use the services or they will find workarounds and we’re back where we started.