IRS counters efforts to hack e-filing PIN system.
The Internal Revenue Service (IRS) has released details about a cyber attack on its Electronic Filing PIN application. The IRS reported that it has stopped the cyber attack.
IRS officials said they identified unauthorized attempts involving approximately 464,000 unique Social Security Numbers (SSNs), of which 101,000 were used to successfully access an E-file PIN. The automated attack used personal data stolen from sources outside the IRS in an attempt to generate E-file PINs for the SSNs.
“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for SSNs,” the IRS said in a prepared statement. “No personal taxpayer data was compromised or disclosed by IRS systems. The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”
All affected taxpayers will be notified by mail of the attack. “The IRS is also protecting their accounts by marking them to protect against tax-related identity theft,” the agency added.
The IRS was also quick to assure that the attack was not related to the temporary shutdown of the e-filing system, during which time the IRS could not accept many returns due to a system-wide computer failure, according to Fortune.
IRS cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration. The IRS also is sharing information with its Security Summit state and industry partners.
In this recent event, cyber criminals used a list of known SSNs to make repeated attempts to access the IRS’s Get My Electronic Filing PIN portal. But as Naked Security pointed out, “Ironically, an E-Filing PIN is a sort of second factor of authentication (2FA), that you need, along with other personal data, when submitting online tax returns. In other words, it seems that you can request your second factor of authentication by using your first factor, which isn’t quite the idea of 2FA.”
This new attack follows a massive 2015 data breach at the IRS, during which hackers stole information from approximately 330,000 taxpayers to obtain $50 million in federal funds through false tax returns. An inspector general report following the breach discovered that the computer system the IRS had been using to detect identity theft may have been vulnerable to hackers.
These breaches underscore the importance of proactive data security that closes off the opportunities for such events to occur in federal databases. They also highlight concerns about requiring multi-factor authentication to access sensitive data.