The IRS Breach – Where Convenience Trumps Security

May 27, 2015 mitch tanenbaum Leave a comment

The NY Times is reporting that the IRS finally admitted that their tax transcript service is great for identity thieves and shut it down. In 2013, thieves used it and other techniques to get over $5 billion in bogus tax refunds – costing the U.S. government (AKA you and me) a lot of money and costing taxpayers time and delayed refunds (see article).

The AP is calling this a breach and, I guess after looking up the definition in the dictionary (an act of breaking or failing to observe a law), it is technically, but it is not what we usually consider a breach.

Hackers did not break into the IRS’ computers and steal your data. The IRS left it out on the front doorstep, so to speak, for hackers to come pick up at their convenience.

So what is the story? Citizens on occasion need to get a copy of an old tax return. The IRS, in attempting to be customer focused, created a service that allowed you to request that copy. The problem comes from two things – how do you identify someone on the Internet and customer convenience.

It used to be that if you wanted a tax transcript, you had to fill out an IRS form (Form 4506) and mail it in to the IRS, wait a few weeks and they would mail the transcript back to you. Not terribly secure, but more secure than today. And if you got a hundred requests to be mailed to the same address for different taxpayers, you could get suspicious.

Today (or more accurately last week since they shut the service down) you go to the IRS web site, enter anyone’s social security number, their date of birth, tax filing status and street address. The user then was asked some questions from one of the credit bureau’s public information services like “what was your high school mascot?”.

The problem is that in the day of the Internet, information is available and in trying to be customer focused, the identity verification is pretty weak. Could someone find out where I went to high school and then Google my high school mascot. Probably. Like in maybe 15 seconds. That is not secure. But it is convenient.

And, if people are honest, then this is probably secure enough.

But, we are talking about money – billions of dollars in 2013. The IRS CLAIMS that they have mostly shut down the business of bogus tax returns, but I am less than convinced. Here’s how this works.

The hacker obtains copies of your old tax returns, courtesy of the IRS’ convenient tax transcript service and uses that data to create bogus W2s for the current year. They then file a current year tax return saying that they are owed a refund, but have it mailed to the hacker’s address, or, better yet, sent to a hard to trace debit card. The IRS, being customer focused, pays the refund – even though these bogus W2s don’t match a real W2 sent in by an employer (remember, the IRS is trying to be taxpayer friendly). To add insult to injury, when you file your real tax return to get your real refund (or pay taxes), the IRS says sorry, we already have a tax return from you, go away.

Then you have to go through a process of trying to convince the IRS that THEY were scammed (you can probably imagine that this is not a quick or simple thing to do) in order for you to get your refund or pay your taxes. Expect this process to take 9-12 months, on average.

And, in reality, there is not a lot you can do (see one of Brian Krebs’ stories on the subject here). Supposedly you can sign up for an account at IRS.Gov, you I don’t think that is really terribly effective (call me a skeptic).

The IRS tax transcript service and filing of false tax refund requests have been used by the fraud community for many, many years. It is just that now with the Internet, it is much easier to scale up.

The problem comes from two facts that I started with before, plus one more.

1. How do I REALLY know who you are on the Internet – and don’t tell me by your userid and password?

2. Convenience trumps security – almost everywhere. Not so much in the Department of Defense or the Intelligence Community, but even in one of the supposedly most secure place in the world, the NSA, Edward Snowden walked off with millions of highly classified documents.

3. All these data breaches that some people laugh off as irrelevant give the hackers more data about you than you have, so answering the questions becomes a query into the hacker’s information – they don’t even have to reach out to Google.

Oh, yeah, now that IRS has gotten SOME control over this, the hackers have moved on to the 50 states + U.S. Possessions. The only ones that don’t have to worry about that are the states that don’t have an income tax. The hacker community is sharing among themselves which states are easy to con and which ones are not. SIGH!

Unfortunately, this is not likely to change any time soon, so you just need to be a vigilant as you can and hang on for the ride.

Also remember, the IRS just happens to be this week’s poster child – they are not alone – just one of many.

Sorry to be a Debbie Downer.