September 13, 2015
This is a guest post by Ryan Wilk, director of customer success at NuData Security
The Office of Personnel Management and IRS data breaches this year have become all-too-common headlines. However, when it comes to government breaches, the effects can be particularly devastating due to the quantity and type of data involved, as well as the sheer number of people affected. In the case of the IRS, over 220,000 taxpayers had their accounts accessed and fraudulent returns filed, while hackers made attempts on another 170,000 households, indicating that the hackers held at least partial sensitive personal information on them. This was on top of the already-confirmed hacked accounts, bringing the total to over half a million taxpayers affected by or at risk from the hack.
Like many other Americans sitting down to complete their tax returns online, Michael Kasper was blocked from filing because the system had already registered a tax filing a week earlier. As a security expert, Kasper shared his story and his investigation into how his account had been breached and what had happened as a result.
When he reported the issue, the IRS agreed that he was likely the victim of fraud and that the rebate was scheduled to post and could not be canceled. However, due to confidentiality regulations, the IRS was unable to share information on where the money was to be posted until it had completed its own audits. Those same rules also prohibit the IRS from sharing that information with law enforcement or with the banks where the funds may be sent. Kasper wasn’t prepared to leave it at that.
Hackers had used the Get Transcript tool on the IRS website to gain information on taxpayers so that they could submit tax forms. The Get Transcript tool allowed users to request e-copies of prior years’ tax returns with very little identifying information. While the online version has since been shut down, getting a paper copy through the website still requires only an SSN, date of birth and the address from the last tax return. Kasper (and others) were locked out of the e-system, but Kasper was able to obtain a paper transcript that confirmed what the crooks knew and gave him a lead on the bank account into which the money had been deposited.
With a copy of his prior return and information such as his SSN, marital status, date of birth, real address and even his salary, the hackers could complete the tax forms and bypass the Knowledge-Based Authentication questions, a step that, some believe, may have been automated as well.
The thieves then had to figure out how to actually get the money without being noticed. So, how did they do it? An intriguing possibility was that the hackers found on-the-ground conduits for small amounts of money. In Kasper’s case, the stolen tax rebate was deposited into a small account, and someone hired from Craigslist periodically wired money out of the country.
And the crooks did this successfully over 300,000 times.
The scale involved in assembling the necessary data, pinging the IRS servers with Get Transcript requests and then filing automated tax returns suggests a well-thought-out plan: one that took advantage of the IRS’s own confidentiality rules and flew low enough under the radar not to alert the banking institutions used to funnel the money out.
We’re not talking about a couple of guys in a basement making some small change from stolen credit cards anymore. This is a set-up that is, for all intents and purposes, run like a business – a big one, a startup of criminals organizing and running a long-term scam.
And it all hinges entirely on a system of Knowledge-Based Authentication questions that was likely broken by robust computer hacking. What we are witnessing is the rise of accomplished hacker organizations that will continue to profit and exploit individuals until we stop using the same lock on every door. Without KBAs, the plan fails before the crooks can gain entrance to personal tax accounts.
The IRS knows it needs to change its security measures and is no doubt hard at work doing so. But it needs to follow the lead of large e-commerce companies and financial institutions, which have recognized the failure of KBAs and switched to User Behavior Analytics (UBAs), also known as behavioral biometrics, instead; otherwise its other security measures may be in vain. For more information on how UBAs work, read the white paper here.
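To make the behavioral argument concrete, here is an added example (not code from the original post, nor from NuData or the IRS) of the kind of signal a UBA approach looks at: it reads a constructed log of Get Transcript requests with the time each source took to answer its KBA questions and flags sources whose volume, speed and timing uniformity look scripted rather than human. The log format, field names and thresholds are all assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample log (assumed format): source address, action, and the
# milliseconds the client took to answer the KBA challenge. The first source
# behaves like a person; the second answers in one second with almost no variance.
LOG = """\
203.0.113.7 get_transcript kba_ms=41250
203.0.113.7 get_transcript kba_ms=22700
198.51.100.9 get_transcript kba_ms=1010
198.51.100.9 get_transcript kba_ms=1005
198.51.100.9 get_transcript kba_ms=998
198.51.100.9 get_transcript kba_ms=1003
198.51.100.9 get_transcript kba_ms=1001
198.51.100.9 get_transcript kba_ms=1007
"""

def parse(log):
    """Group KBA answer latencies (ms) by source address."""
    per_src = defaultdict(list)
    for line in log.splitlines():
        src, action, field = line.split()
        if action != "get_transcript":
            continue
        per_src[src].append(int(field.split("=", 1)[1]))
    return per_src

def score(latencies, min_requests=5, min_human_ms=5000, max_cv=0.05):
    """Return the reasons a source looks automated (empty list = no finding).

    Thresholds are illustrative assumptions: a real deployment would tune them
    against observed human baselines rather than fixed constants.
    """
    reasons = []
    if len(latencies) >= min_requests:          # many transcript pulls from one place
        reasons.append("volume")
    mean = statistics.mean(latencies)
    if mean < min_human_ms:                     # faster than a person reads and answers
        reasons.append("too_fast")
    if len(latencies) > 1 and statistics.pstdev(latencies) / mean < max_cv:
        reasons.append("uniform_timing")        # near-constant answer time, scripted pacing
    return reasons

def flag_sources(log):
    """Map each suspicious source to the reasons it was flagged."""
    flagged = {}
    for src, latencies in parse(log).items():
        reasons = score(latencies)
        if reasons:
            flagged[src] = reasons
    return flagged
```

A human source that simply answers quickly once would not trip all three signals at the same time, which is why a behavioral score combines them rather than relying on any single threshold.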
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.