IRS Breach Update
In May 2015 the IRS announced that they had been breached and that only about 100,000 people had been affected. A couple of months later, they said “wait…wait…Maybe that number was higher…about 334,000.” Now, here we are several months later and the IRS is saying, “Just kidding! It was actually 724,000.” Bang. Head. Here.
So now we have over a half million taxpayers that have had their information stolen from the original breach. The solution to protect the victims was to give them “Identity Protection PINs” and hope for the best. Because no one has ever cracked a PIN number before.
Brian Krebs (a source that we find to be VERY valid) has recently reported that at least one of the original breach victims got to play victim for a second time when her PIN was stolen along with her tax refund this year (no big screen TV for you!). Not only that, but when she called the IRS, their response was not one of shock, frustration, or even confusion. It was basically, “Yeah, it’s been a big problem for us this year.”
How it Happened
Apparently this was made possible by the ability to retrieve a lost PIN. When someone loses their PIN, they go to https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN and they follow the instructions to obtain the PIN. Seems simple, right? And it is. Especially for the hackers, considering this is using the SAME TECHNOLOGY THAT WAS HACKED IN THE ORIGINAL BREACH.
The technology is called Knowledge-Based Authentication. It’s a very simple form of loose, secondary authentication: it asks security questions about you (birthday, previous address, etc.). This is used on a lot of sites and probably was pretty easy to bypass by simple enumeration tactics, since the answer space for these questions is small and, in this case, the answers themselves had already been exposed in the original breach.
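To put numbers on why KBA is weak, here is an added example (not code from the post or from the IRS) that models two things: how small the answer space for typical security questions is, and how that space collapses to a single guess once the answers have already leaked, which is the situation the post describes. The answer-space sizes, the question names, and the `KbaVerifier` lockout logic are all constructed assumptions for illustration; the real IRS recovery flow is not public.

```python
import math

# Constructed answer-space sizes for common KBA questions. These are rough
# illustrative assumptions, not figures from the IRS or the post.
KBA_ANSWER_SPACES = {
    "birth_date": 365 * 80,        # any day in roughly an 80-year span
    "zip_code": 42_000,            # roughly the number of US ZIP codes
    "mothers_maiden_name": 1_000,  # a guesser's list of common surnames
}


def effective_answer_space(questions, exposed=frozenset()):
    """Size of the space a guesser must search to answer every question.

    Independent questions multiply, but a question whose answer was already
    exposed (for example in an earlier breach) contributes a factor of 1:
    there is nothing left to search for.
    """
    size = 1
    for q in questions:
        size *= 1 if q in exposed else KBA_ANSWER_SPACES[q]
    return size


def bits_of_entropy(space_size):
    """Entropy of a uniformly distributed answer over the given space."""
    return math.log2(space_size)


def success_probability(space_size, attempts_allowed):
    """Chance that a guesser trying distinct answers at random succeeds
    within the allowed number of attempts."""
    return min(1.0, attempts_allowed / space_size)


class KbaVerifier:
    """Toy KBA check for one account with a failed-attempt lockout.

    Hypothetical code for illustration; it bounds guessing, but it cannot
    help when the correct answers are already in the attacker's hands.
    """

    def __init__(self, correct_answers, max_failures=3):
        self._correct = {q: a.strip().lower() for q, a in correct_answers.items()}
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, submitted):
        """Return True only if every question is answered correctly and the
        account is not locked. After max_failures the account stays locked
        until an out-of-band step (such as a mailed PIN) resets it."""
        if self.locked:
            return False
        ok = submitted.keys() == self._correct.keys() and all(
            self._correct.get(q) == a.strip().lower() for q, a in submitted.items()
        )
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True
        return False


def compare_scenarios():
    """Quantify the post's point: unexposed KBA answers are guessable with
    enough attempts, and exposed ones need no guessing at all."""
    questions = ("birth_date", "zip_code")
    unexposed = effective_answer_space(questions)
    exposed = effective_answer_space(questions, exposed=set(questions))
    return {
        "unexposed_bits": round(bits_of_entropy(unexposed), 1),
        "unexposed_p_3_tries": success_probability(unexposed, 3),
        "unexposed_p_unlimited": success_probability(unexposed, unexposed),
        "exposed_p_1_try": success_probability(exposed, 1),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
    # Constructed account: three wrong birth dates trigger the lockout.
    account = KbaVerifier({"birth_date": "1970-01-01", "zip_code": "12345"})
    for guess in ("1970-01-02", "1970-01-03", "1970-01-04"):
        account.verify({"birth_date": guess, "zip_code": "12345"})
    print("locked after 3 failures:", account.locked)
```

The takeaway the numbers make concrete: a lockout after a few failures keeps an online guesser's odds against two unexposed questions near zero, while unlimited attempts make success certain, and once the answers have leaked the first attempt succeeds regardless of any lockout, which is why re-using the same KBA data for PIN recovery after the original breach offered the victims nothing.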
Apparently the solution from the IRS is to send new PINs to taxpayers every year, limiting the window of opportunity for hackers to be able to access the information. So in other words, they’re dragging their feet until somebody makes them come up with a better idea. Let’s hope the American people are frustrated enough to demand that they come up with that new idea sooner rather than later, or I highly doubt this will be the last breach headline we read about the IRS.
Written By: Derrick Masters, Security Engineer