IRS’ knowledge-based authentication hacked
Data from previous breaches likely used to pilfer $50 million
27 May, 2015
category: Corporate, Digital ID, Government
Last October President Obama signed an executive order that was going to require federal agencies that deal with personal information from citizens to deploy multi-factor authentication.
A plan to roll out this system should have been presented to the president in January with deployment of these systems completed by March 2016. These systems will do some good when rolled out but it’s too little too late for some 100,000 citizens who had their information stolen through the Internal Revenue Service’s “Get Transcript” feature.
This was a sophisticated attack where the hackers had a lot of information about taxpayers. The fraudsters cleared a multi-step authentication process that required prior personal knowledge, including Social Security information, date of birth, filing status and street address before accessing IRS systems. The process also requires an additional step, where applicants must correctly answer several knowledge-based authentication questions that typically are only known by the taxpayer.
The IRS believes that fewer than 15,000 fraudulent returns were processed as a result of the breach, likely resulting in refunds of less than $50 million, according to a Reuters report.
In my mind there are two takeaways from this breach that makes it different from previous ones. First, hackers used data stolen from other breaches to get more information on individuals. With millions of records available online this is hardly surprising but it shows that individuals are doing more with the information that is floating around on the dark web.
Filing fake tax returns is just one thing that can be done but fraudsters can also use these returns to apply for mortgages and other loans. Having the tax returns opens up a whole new dimension to the fraud possibilities.
The second takeaway is that this shows that there are weaknesses with knowledge-based authentication. Hackers attempted to access 200,000 records and were successful 50% of the time.
Much has been written about the weakness of these static identifiers and this highlights that these systems aren’t foolproof. Still, knowledge-based authentication certainly prevented the remaining 100,000 from being breached. And who knows, if knowledge-based authentication wasn’t in place we could be looking at a breach in the millions. Hackers most likely started with millions of records but then couldn’t obtain the personal information for some of those users and didn’t even attempt to breach those accounts.
More needs to be done, including better options for identifying individuals upon account creation. Is there a technology that would have protected individuals who didn’t have an IRS account previously set up?
Also, an update on what the federal government is going to do in the wake of the president’s cybersecurity executive order from last fall would be welcome. A report was due in January but nothing has been produced, sources say.
Is this the first salvo from hackers who reportedly have millions of records? What’s next and how do individuals lock down their identities to prevent more information from being breached? While last year was a busy year when it comes to breaches we might just be at the start of a busy 2015 unless something is done.
SS8 Blog » OPM Data Breach & The White House Security Sprint
Jun 25, 2015, 1:40 pm
[…] to impersonate an identity. The aforementioned Anthem breach, similarly lost PII and the recent IRS attack, where around $50 million fraudulent tax claims were paid out, may have been a secondary […]