IRS cyber theft tactics could work at any agency

Greg Nash

The digital theft of more than 100,000 old tax returns from the Internal Revenue Service has shed light on a method hackers could wield to easily hit any federal agency using minimal technical skill, according to experts.

The IRS revealed Tuesday that cyber crooks, likely backed by an organized crime syndicate, had accessed returns for roughly 104,000 taxpayers through the agency’s “Get Transcript” feature.

The scheme appeared to be part of a larger plot to file fraudulent tax returns and collect illegitimate refunds.

But the digital thieves didn’t actually break into the IRS's database. They simply imitated individuals using information culled from the vast trove of personal data being traded on the dark Web after numerous company data breaches in recent years.

Any federal agency with valuable data could fall victim to the same maneuver, experts explained.

“The possibility of the same tactic being reprised at other agencies that have public-facing missions, I think, is very high,” said Jim Penrose, a former head of the National Security Agency’s Operational Discovery Center and now an executive vice president at cybersecurity firm DarkTrace.

Security specialists pointed to agencies where online accounts can be used to access financial information and credit reports as attractive targets for a similar scam. At the Treasury Department, for instance, people can open online accounts to buy Treasury notes, bills and bonds.

“Anytime you’ve got a Web-based service where it’s just an online sign-up, they're not going to really be able to securely identify you,” Penrose said.

Mammoth hacks at major companies including Home Depot, JPMorgan Chase and health insurer Anthem have left hundreds of millions of people’s sensitive data at online criminals' fingertips.

“Your exposed personal and financial data is pay dirt for cyber criminals,” said Adam Levin, chairman of identity security firm IDT911. “Once identity thieves have your Social Security number, they have the skeleton key to your life, and they can use it to commit all types of fraud.” 

The IRS is also taking flak for its weak security questions in the wake of the incident.

In addition to providing basic personally identifiable information such as a Social Security number and date of birth, the cyber thieves had to answer various security questions (e.g., “What was your high school mascot?”).

The answers were easy enough to find online that hackers were successful in roughly half their attempts to access tax returns.

“This is something that if you’ve got the time, if you’ve got the inclination and the computer savvy — and it really isn’t that much computer savvy, really just spending the time to go find these databanks — is a threat to other government agencies,” said Steven Weisman, a professor at Bentley University, lawyer and author of several books on identity theft.

A recent Google study found that its own security questions were anything but secure.

“They suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember — but rarely both,” the study concluded.

“The problem is bigger than the IRS,” Weisman said. “The problem is authentication in order to get important and private information. We need things better than passwords. We need things better than Social Security numbers.”

But immediate alternatives are limited.

Some companies are pushing online authentication tools using mobile devices, digital rings, fingerprints, retinal scans and even bracelets. The White House has invested $16.5 million into several of these initiatives, hoping to bring them to a wider market more quickly.

In the meantime, security researchers are pressuring government agencies to better secure the authentication process using what’s available.

Agencies could also ask for a code texted to a mobile phone on top of the requisite personal information. Or they could mandate an actual phone call back to confirm.

These are fallible options, though, and they’re a hassle.

“At some point it gets to become too much, and people probably will rebel quickly,” said Bill Ho, CEO of Biscom, which focuses on secure document delivery.

But they might be a necessary evil.

“It’s a conundrum,” Ho said. “How much hassle are we willing to put up in order to live our lives?”