The U.S. Internal Revenue Service (IRS) is gearing up for another busy tax season, and it appears that hackers are getting ready, too. On Feb. 9, the IRS confirmed that it was the victim of an automated attack in January that targeted the electronic filing PIN application form on the IRS.gov Website.
According to the IRS, attackers made use of personal information, including Social Security numbers, that was stolen from other non-IRS Websites. The attackers then used that information in an attempt to generate fraudulent E-File PIN numbers on IRS.gov. With a PIN number, an attacker could have potentially been able to file a tax return or gain access to other taxpayer information.
The IRS investigation has found that 464,000 unique Social Security numbers (SSNs) were used in the attack, with 101,000 being successfully able to access the E-File PIN. The IRS is emphasizing that it has halted the attack and is contacting those who are affected.
“No personal taxpayer data was compromised or disclosed by IRS systems,” the agency stated. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”
In May 2015, the IRS reported that its Get Transcript service was attacked. Get Transcript enables users to get information about their tax account transactions. As is the case with the new attack against the E-File PIN, the Get Transcript service attack involved user information that was stolen from third-party sites. The success rate for the Get Transcript attackers, however, was higher than it was for the E-File PIN attackers, where 100,000 out of 200,000 hack attempts were successful.
Security experts contacted by eWEEK are not surprised that the IRS is once again reporting an attack against its systems. The fact that the IRS.gov site was attacked with SSNs stolen from other third-party sites is, however, somewhat ironic.
“One of the most successful ways hackers steal citizens’ Social Security numbers is through fraudulent phishing emails or phone calls that appear to be from the IRS,” Darren Guccione, CEO and co-founder of Keeper Security, told eWEEK.
Hackers know the public is terrified of being identity-theft victims and exploit this fear well, often by telling someone they’ve been a victim already and asking for their Social Security number, Guccione noted.
Lance James, chief scientist at Flashpoint, commented that one of the big concerns he sees with the latest IRS attack is the continued reliance on Social Security numbers. “We need to rethink what a Social Security number means these days when it comes to accessing data,” James told eWEEK. “It should not be the administrator password for a person’s life.”
Andy Hayter, security evangelist at G DATA Software, also commented on the risks associated with SSN disclosure. Every bit of an individual’s personally identifiable information that is collected via a breach is one more piece of information that can, and someday will, be used against a person, he said.
“As long as information such as Social Security numbers is used as identification, we will have bad actors trying to collect as much information about individuals to do harm, either through theft or worse,” Hayter told eWEEK.
Inga Goddijn, executive vice president at Risk Based Security, noted that taxpayers should be concerned that questionable security practices at organizations completely unrelated to the IRS have the potential of affecting their tax returns.
Though the IRS has stated that no personal taxpayer data was compromised or disclosed in the new attack, JP Bourget, CEO of Syncurity, noted that there is still a real risk.
“While maybe the IRS can in the end prevent any bad outcomes for taxpayers, I can imagine a few scenarios where a bad guy attempts to file a tax return for a refund that then holds up a valid refund to someone who is owed a refund, and even depending on that refund,” Bourget told eWEEK. “There’s also the angle of now your account is flagged and the uncertainty of how that affects a taxpayer over time and what hidden costs may arise from that.”
One potentially positive outcome that could result from the IRS attack is that lessons learned could help prevent the next attack. Goddijn said that it would be helpful if the IRS can share more detail as to how the agency detected the attack and ideas for preventing these types of enumeration attacks in the future. She added that the U.S. government has been pushing for more threat intelligence sharing and improved security practices for all organizations.
“Why not take this opportunity to lead the charge and share more about the attack with the security community,” Goddijn said. “That may help stop the next, similar assault on a high-value target.”