Pando

"Organized crime syndicates" steal information from the IRS about 100,000 taxpayers

By Nathaniel Mott , written on May 27, 2015

From The News Desk

It hasn't been a good year for taxpayers.

First there were the problems with TurboTax, which started with fraudulent claims and eventually led to phishing campaigns meant to steal information from people who thought they might have been affected by those fraudsters.

Now there's the news that the Social Security numbers, dates of birth, street addresses, and other information of 100,000 people were compromised by attackers who abused the "Get Transcript" feature available on the IRS website.

Here's what the IRS said about the theft in its official statement:

The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.

In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer. IRS Commissioner Josh Koskinen told the Associated Press that the theft, which led to around $50 million in fraudulent claims, was done by "organized crime syndicates" that "everybody in the financial industry" must deal with.

It's not clear how the fraudsters gained access to their targets' information before they stole the transcripts. Yet at least one part of the theft -- the bit involving hackers answering verification questions -- can be easily explained.

Google researchers said earlier this month that many security questions aren't as secure as people might think. As I wrote after that research was made public:

The first problem is that hackers can often guess the answers to easy questions about someone’s favorite food or their city of birth because they aren’t unique. For example, a hacker with one try has an estimated 19.7 percent chance of correctly guessing that an English speaking user said pizza is their favorite food.

[...]

The second problem is that people can’t remember the answers to questions that would be harder to guess. As an example, people asked to remember their frequent flier number, which is unique to them and difficult for someone to randomly guess, only remembered that number about 9 percent of the time. The IRS says roughly 200,000 people were targeted in this campaign. It plans to warn everyone who was targeted about the attempt; it will also offer free credit monitoring to the 100,000 people whose information was actually stolen.