Friday, May 29, 2015

IRS Hack Used Questions "Only You Should Know"



Wow, isn't it nice to know the IRS is taking our personal financial info so seriously?  It seems that recently around 100K-200K individuals had their info stolen from the IRS database.  Seriously?

The saddest part is that the bad guys didn't actually break in.  They just posed as the user and answered some questions that "Only You Should Know" but in reality were just easy questions to answer.

From USA Today:

The hackers who got access to over 100,000 personal records through the Internal Revenue Service's Get Transcript site didn't need all that much information to break in, say experts.
The IRS said Tuesday that cybercriminals used personal data obtained from elsewhere to get into the transcript service, which allows users to view tax account transactions, line-by-line tax return information and wage and income reported to the IRS.
To access that information, a legitimate user--or a thief--required a name, Social Security number, date of birth, filing status (single, married, etc) and a street address.
Next they needed to answer several personal identity verification questions "that only you can answer," in the words of the IRS site.
These are known as knowledge-based authentication, or KBA, challenges. They came from a service offered by the credit bureau Equifax, according to security writer Brian Krebs.
Those included information such as a prior address or phone number or car or home loan information. Users had to supply the correct answer to four such questions.
The problem is, that type of data is readily purchased on the Internet underground, where vast databases containing fully built-out portfolios on tens of thousands of people can go for as little as a dollar a record.
Far from being questions "that only you can answer," the verification queries used by the IRS were easy enough that the hackers tried to break into 200,000 accounts and got information out of 100,000.
"That's pretty staggering, it's a 50% success rate," said Morey Haber, vice president of technology at BeyondTrust, an Phoenix-based computer security company.

Post a Comment