The IRS announced in an official statement today that it has shut down an online service for obtaining tax records after detecting "unusual activity" and determining that an unauthorized third party had accessed some accounts through the transcript application.
Initial findings showed that more than 100,000 accounts had been accessed through the Get Transcript application.
As the IRS released further details, it became evident that the user data was not obtained through a direct hack of government systems, but rather because of the weak authentication the IRS used to protect access to taxpayer data.
The attackers were able to access taxpayer records using stolen personally identifying information, apparently obtained from online financial fraud marketplaces. The Get Transcript application, a feature of the IRS website that lets taxpayers download tax return and tax payment transaction data, was targeted by financial fraudsters between February and mid-May.
The service was shut down last week as the IRS investigated the activity, which may be connected to the fraudulent filing of tax returns and the diversion of tax refunds. Nearly 200,000 accounts were targeted; about half of the attempts failed because the attackers supplied incorrect information during the IRS' authentication process.
The Get Transcript Online feature of IRS.gov allows taxpayers to retrieve tax account transactions, line-by-line tax return information, or wage and income reported to the IRS for a specific tax year. To retrieve a transcript online, all that was required was a Social Security number and an active e-mail address. Once the e-mail address was verified, the system posed a series of questions about personal, financial, and tax information (date of birth, tax filing status, and address among them) before the transcript could be downloaded.
This type of "knowledge-based authentication" is highly exposed to fraud: it relies on static information that never changes and that is available to anyone willing to pay for it on stolen financial information marketplaces. The transcripts that were fraudulently downloaded were apparently accessible because of Social Security numbers and other personal data leaked in any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system back in March, when he advised taxpayers to register accounts on IRS.gov themselves, if only to pre-empt fraudulent account creation in their name.
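The weakness described above leaves a footprint that a defender can look for: a legitimate taxpayer only ever authenticates against one Social Security number, while a fraudster working through purchased dossiers walks many identities from one source and, as the article reports, fails the questions about half the time. The following script is an added example written for this article, not code from the original page or from the IRS; the log format, field names, IP addresses, subject identifiers and thresholds are all constructed for illustration, and the `subject` field is assumed to be an opaque hash rather than the raw SSN.

```python
"""Detect bulk knowledge-based-authentication (KBA) abuse in transcript-request logs.

Added example for this article, not code from the original page or from the IRS.
The log format, field names, IP addresses, subject identifiers and thresholds
are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one legitimate retry (same subject, then success), one
# ordinary success, and one source that walks eight different identities, half
# of which fail the KBA questions, as the article describes.
SAMPLE_LOG = """\
2015-03-02T09:01:10Z src=198.51.100.7 subject=s-0001 result=FAIL
2015-03-02T09:02:40Z src=198.51.100.7 subject=s-0001 result=PASS
2015-03-02T09:05:00Z src=192.0.2.10 subject=s-0002 result=PASS
2015-03-02T09:10:00Z src=203.0.113.44 subject=s-0101 result=PASS
2015-03-02T09:10:15Z src=203.0.113.44 subject=s-0102 result=FAIL
2015-03-02T09:10:31Z src=203.0.113.44 subject=s-0103 result=PASS
2015-03-02T09:10:48Z src=203.0.113.44 subject=s-0104 result=FAIL
2015-03-02T09:11:02Z src=203.0.113.44 subject=s-0105 result=PASS
2015-03-02T09:11:19Z src=203.0.113.44 subject=s-0106 result=FAIL
2015-03-02T09:11:35Z src=203.0.113.44 subject=s-0107 result=PASS
2015-03-02T09:11:52Z src=203.0.113.44 subject=s-0108 result=FAIL
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    subject: str  # assumed to be an opaque hash of the SSN; the raw number is never logged
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line: '<ISO8601> src=<ip> subject=<id> result=<PASS|FAIL>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Attempt(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        src=fields["src"],
        subject=fields["subject"],
        ok=fields["result"] == "PASS",
    )


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def analyze(attempts, min_subjects=5, min_attempts=10, max_fail_ratio=0.5) -> dict:
    """Summarise KBA attempts per source and record why a source looks suspicious.

    Two signals, both present in a breach of this shape:
      * one source exercising many distinct identities (a taxpayer has one SSN), and
      * a high failure ratio across many attempts (guessing from purchased
        dossiers fails often; the article reports roughly half failed).
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    report = {}
    for src, rows in by_src.items():
        failures = sum(1 for a in rows if not a.ok)
        subjects = {a.subject for a in rows}
        fail_ratio = failures / len(rows)
        span = (max(a.ts for a in rows) - min(a.ts for a in rows)).total_seconds()
        reasons = []
        if len(subjects) >= min_subjects:
            reasons.append(f"{len(subjects)} distinct identities from one source")
        if len(rows) >= min_attempts and fail_ratio >= max_fail_ratio:
            reasons.append(f"failure ratio {fail_ratio:.2f} over {len(rows)} attempts")
        report[src] = {
            "attempts": len(rows),
            "distinct_subjects": len(subjects),
            "failures": failures,
            "fail_ratio": fail_ratio,
            "span_seconds": span,
            "reasons": reasons,
        }
    return report


def flagged_sources(report: dict) -> list:
    """Return the sources that tripped at least one rule, in sorted order."""
    return sorted(src for src, summary in report.items() if summary["reasons"])


if __name__ == "__main__":
    rep = analyze(parse_log(SAMPLE_LOG))
    for src in flagged_sources(rep):
        print(src, rep[src]["reasons"])
```

On the constructed log the retrying taxpayer is left alone (one identity, one failure followed by a success), while the source that touches eight different identities in under two minutes is flagged on the identity-spread rule alone. Per-source counting is the simplest view; in practice the same counts should also be kept per e-mail address and per device fingerprint, since an attacker can spread requests across many addresses, and the distinct-identity signal is the one that survives that because it does not depend on how often the guesses fail.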
Krebs investigated a specific case involving a man who, on trying to file his taxes online, found that someone had already filed using his personal information ahead of him. The attacker then used the victim's information to obtain a refund by direct deposit. When the victim tried to retrieve a transcript of the fraudulent return using the Get Transcript function on IRS.gov, he discovered that someone else had already registered through the IRS site using his Social Security number and an e-mail address he did not recognize, Krebs added. The fake return had been filed through the IRS's own free tax filing site.
In the case highlighted by Krebs, the refund from the fabricated return was deposited into the bank account of a college student who was entirely unaware of the fraud. The IRS issued a statement saying that today's data breach did not compromise any of the IRS' core security systems, and that the main computer system that handles tax filing submissions is considered secure. However, that is little comfort to the 100,000 taxpayers whose data is now in the hands of the financial fraud marketplace. The same goes for the roughly 100,000 other individuals whose SSNs were used in attempts to access their tax records.
The IRS stated further that it will send a letter to all of the approximately 200,000 taxpayers on whose accounts unauthorized access was attempted, alerting them that third parties had obtained their Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application.
Taxpayers whose records were accessed will be offered free credit monitoring to guard against misuse of their information through other financial channels. Furthermore, the affected taxpayers' records will be monitored for fraud during the current and 2016 tax reporting periods.
The IRS says it is taking all necessary steps to secure its core processing system and to flag potential identity theft, protecting taxpayers now and through 2016.