Paying taxes is generally unpleasant. But the baseline misery of siphoning cash back to bureaucrats sounds downright delightful compared to getting straight-up robbed, which is what happened to a lot of people this year. The Internal Revenue Service shut down an online tax filing program today after announcing that thieves had breached the system to steal personal information from more than 100,000 people.
The IRS’ “Get Transcript” service was targeted by thieves from February to May. The service itself wasn’t hacked; the thieves had already stolen or guessed enough identifying information about their victims to get past the IRS security questions. So this isn’t an example of hackers exploiting a system vulnerability so much as a shitty, costly reminder that weak security questions can be dangerous.
“We’re confident that these are not amateurs,” IRS Commissioner John Koskinen told the AP, which seems like an understatement.
An understatement, but probably not a surprise: security researcher Brian Krebs pointed out back in March how susceptible the IRS’ online services are to fraud. Krebs spoke to a man who knew someone had filed for a fraudulent tax refund using his information; the man suspected that the thief had used Get Transcript to obtain that information.
Even though the IRS didn’t actually get hacked, its wonky security system made it damn easy for thieves to break in en masse. This incident shows how data leaks, breaches, and hacks can have a domino effect. The thieves didn’t have to hack the IRS to get into its system, because they had already obtained Social Security numbers and other sensitive information elsewhere. Since the IRS relies on static security questions whose answers are the same kind of personal data that turns up in other breaches, a thief who already has someone’s basic personal information can slip into the system, file a fraudulent return, and have the refund deposited directly into an account they control.
The IRS has launched a criminal investigation and is notifying people whose accounts were affected. Perhaps it will consider a more dynamic security system to avoid bulk rip-offs like this in the future.
[AP | Ars Technica]