Tech Tuesday: The 2015 IRS Hack Is Worse Than Reported



Back in May of last year, the Internal Revenue Service was hacked. On the surface, it would be easy to say something snarky like “Couldn’t happen to nicer people!” (which really isn’t fair because I know people who work at the IRS and they are really nice people!) but before taking on the mantle of Citizen X against Big Government, think about that for a moment: Hackers infiltrated the IRS. This is not good. For anybody. When you think of all the sensitive data the IRS has about individuals, their finances, and their bank accounts, this is terrible. It was something akin to a well-planned heist, with the hacking attack beginning sometime in February. The malicious hackers gained access by using information acquired from taxpayers through third-party sources. This data let them correctly answer verification questions in the IRS’ “Get Transcript” application, granting them access to approximately 100,000 tax accounts, which yielded Social Security information, dates of birth and street addresses. The hackers got greedy and attempted access to another 100,000 accounts, but were not successful. When you consider the millions of people who file taxes every year, 100,000 accounts compromised does not seem so bad…unless, of course, you were one of those compromised. Still, it could have been a lot worse, right?


According to Wired Magazine, the IRS may have underestimated the number of compromised accounts. Vastly underestimated. Originally, the number of hacked accounts was put at 100,000, but then after preliminary investigation, the number was bumped up to 334,000 hacked accounts. Wired reports that the IRS now believes the number of stolen records is well over 700,000. That’s a huge deviation from their original “drop in the bucket” number, and so to protect the victims of the data breach, the IRS is providing an identity protection PIN. As long as they keep their PIN secret, they should be safe from fraud.

But therein lies a caveat—provided they keep their PIN secret.

Identity theft happens in a number of ways. Spear phishing is, perhaps, the most popular method of getting hold of your sensitive data. It is essential that you closely scrutinize any of those emails reaching out to tell you “There is a problem with your account…” or “Congratulations! You have won…” as these are the easiest ways for hackers to dupe people into surrendering their personal data. This was the personal data hackers most likely used to launch this 2015 hack on the IRS in the first place. Another common trick is something called social engineering, which is similar to phishing but is done either in person or over the phone. Slightly more aggressive and definitely riskier than phishing, it has the hackers engaging with you directly, winning over your trust and gaining access to sensitive information. You see this happen often in spy thrillers where the good guys call the villain’s front and trick their way through security. While you may not think of yourself as a “James Bond-worthy” target, anytime you are approached unsolicited by representatives from your bank, your credit card company, or your H.O.A., maybe you should get their name, hang up, and then call back on a number you regularly use, and talk to a representative that way. User error remains one of the easiest ways to open yourself up to identity theft. Remember to remain vigilant, as you are your best line of defense.

As for the IRS, the agency is still having trouble keeping data locked down. At least one PIN issued to one of the 700,000+ victims has already been compromised. South Dakota accountant Becky Whitrock had been assigned a PIN back in 2014 after she was a victim of fraud, albeit a different one from the 2015 hack. When she filed her tax return this year, she found that the IRS-secured PIN had already been used: the crooks had requested a refund and already received it. How did this happen? Becky and the media, once she shared her story, discovered that when you lose your IRS PIN, you retrieve it by logging into an IRS service and answering security questions, and you gain access when you answer the questions correctly. This knowledge-based authentication, it turned out, was the same system that was hacked the year before. So the protected PINs issued by the IRS in case of fraud are protected by the same system that was hacked initially.

Good luck this tax season.



A research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.
