THE TRUTH: IRS 'cyber-hack' exposes 100,000 people whose identities were already stolen The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year. The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS's online "Get …
It appears to me (WAG time) some is building a data warehouse from multiple breaches rather than than just one breach. If the victim information came from just one breach, that's mildly scary since we haven't had such a report. If warehoused, that's... seriously scary. It will only get better with age.
What is scary is the people on facebook giving up all sorts of information playing these fun games. What's your mother's maiden name, what's your first pet's name, etc.
Just today I had an email offering a checkstub service so I can print them out on my computer. "We just need a little information ..."
It is not known how the personal information used to fill out the transcript requests was gathered, or from where.
Outside of the SSN it's typically public information that's available online. Oftentimes the mark will help out by posting it on their little piece of the interweb along with a link to their mother and her brother who just so happens to also have her maiden name on his page. Huh, go figure.
The elephant in the room is, as you say, whether anyone is doing any linking to other data breaches like Home Depot or Target. Perhaps it's not about maxing out a bunch of $20k credit cards and heading to a white sandy beach but building up a sizable enough portfolio of current data that if used properly and all at once could take down an economy. Think of it as a run on credit which would be analogous to a run on the bank only backward. Would printing more money solve the problem. Where's the house economist?
Seriously, thanks once again for reporting responsibly and with enough detail to give readers a chance to reach our own conclusions.
I'm a Yank, and I could be in the affected group. On a side note, your report is the first I've seen (so far) and you've given me the opportunity to be in a position help those near me to avoid the panic the fear mongers are so likely to stir up.
Heard this reported on the evening news tonight, and they did indeed say the IRS was hacked. Journalists are so ignorant of technology it annoys me until I realize they are ignorant about all other fields as well. They aren't exactly getting the best and brightest, especially given the falling prestige of that career.
It's not about the hackers "viewing your 1040EZ" you blithering twit. It's about having someone file a fraudulent tax return in your name next year and making off with a sizable refund check and leaving you,the hacked, on the hook for it all until it gets sorted out, which can take forever but in the meantime you still have to make good and the IRS works - legally - on the principle of guilty until you prove otherwise.
Knowledge-based authentication is no longer a viable method of determining identity. This may not have been a 'hack' in the strict sense, but it does illustrate a rolling zero-day in the IRS mechanism, and as such, its effect is the same as if their systems had been breached electronically.
There is no quick fix for this, no techno-bandaid like 2FA will change the fundamental problem that the IRS is broken administratively, legally, and technologically.
That is, information available to anyone in the HR department of your employer.
I'd hazard a guess that the rest of the "personal information known only to..." is pretty easy to obtain these days with a couple web-searches.
"Secret Questions" are the weakest link of any authentication scheme. One should at _least_ be able to opt out of that method of authentication. (Yes, I know I could lie, and then put my lies in a password manager, or a post-it note, but then we are back to "no better than a password, but more hassle")
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
