Following up on Saturday's post, IRS Says 114,000, 334,000, 724,000 Taxpayer Accounts Were Hacked: Quartz, The IRS Is Using a System That Was Hacked to Protect Victims of a Hack—And It Was Just Hacked:
To protect the victims of the data breach from further harm, the IRS provided them with “Identity Protection PINs.” The PINs are secret codes those taxpayers now have to put on all of their tax returns, or the IRS won’t accept them. As long as they keep their PINs secret, they should be safe from fraud.
For this master plan to work, though, the IRS would also have to keep the PINs secret. Unfortunately, it seems the agency is having some trouble with that.
Security researcher and journalist Brian Krebs reported yesterday (March 1) that at least one of the PINs has been compromised. An accountant in South Dakota, Becky Wittrock, told Krebs she was assigned her PIN in 2014, after she was a victim of fraud. When she filed her tax return this year, she found out the PIN had already been used:
Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.
But how could a secret code meant to stop fraud be used to commit more fraud? Get ready for some terrible/wonderful irony. If someone loses their PIN, they can retrieve it by logging into a service on the IRS website. And that login process is secured by the same technology that hackers broke through in the original data breach.
That technology is called Knowledge-Based Authentication, or KBA, which asks security questions to confirm a user’s identity. You’ve probably seen this before. KBA asks questions about a person’s credit history, like “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?” and provides multiple-choice answers.
The hackers who stole tax transcripts in the 2015 data breach found a way to correctly answer those questions on the IRS’s “Get Transcript” page, which has since been taken down. The service to retrieve an IP PIN not only stayed up, but was the only barrier between hackers and the secret codes given to the victims of the original breach. It’s been right there this entire time, still using KBA to verify users.
And certainly, the IRS was aware of the weakness. Even before last year’s data breach, the Government Accountability Office tested the IP PIN authentication process, and described the results in a 2015 report (pdf). “Some likely identity thieves were able to correctly answer authentication questions,” the report said, “while some legitimate taxpayers were not.”
Gizmodo, If the IRS Actually Cares About Not Getting Hacked, It Has a Funny Way of Showing It:
Hackers stole sensitive records from over 700,000 people by breaching the Internal Revenue Service in 2015. You’d think that kind of horrific security breach would prompt some soul-searching, but [insert joke about soulless taxman here] nope. The IRS continues to use an impressively bad PIN authentication process to protect people from fraud.
Washington Post, The Security That IRS Provided Tax-Fraud Victims Just Got Hacked