According to a statement on the agency’s website, the attackers used information obtained from third-party sites to gain unauthorised access to taxpayers’ accounts:
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
The Associated Press says the hackers made off with tax returns as well as other filings from previous tax years. Old tax returns are sometimes needed for mortgage or college loan applications.
To gain access to that data, the hackers targeted the IRS’s “Get Transcript” application, a feature designed to allow taxpayers to view “line-by-line tax return information or wage and income” for a given tax year.
The IRS reports that the attackers were able to easily bypass the authentication system despite it requiring a significant amount of personal information, including the taxpayer’s Social Security number, date of birth, address and tax filing status.
An authentication system such as this – called knowledge-based authentication – is highly susceptible to fraud because the vast majority of the information it relies on never changes throughout the taxpayer’s lifetime, so once it has leaked it can be reused indefinitely.
Much of the information is also readily available from a variety of legitimate sources as well as from the dark web, having been sold by hackers responsible for other breaches such as the recent ones at health insurers Anthem and Carefirst, and the US Passport Agency.
After access was obtained, the hackers downloaded transcripts and proceeded to file bogus tax returns.
According to the New York Times, the IRS issued close to $50 million in refunds before it became aware of the issue.
The IRS was keen to point out that its systems remain secure and that taxpayers had safely downloaded around 23 million transcripts during the recent tax season.
At the time of writing, the online Get Transcript service has been temporarily suspended and taxpayers are advised to use an alternative mail service.
Even though the issue here is that previously stolen personal information was being used to access the IRS system, the agency is sending letters to approximately 200,000 taxpayers whose accounts were targeted and, for the 100,000 whose accounts were compromised, the agency is offering free credit monitoring.
US readers would be wise to stay on the lookout for any fake returns or interactions carried out in their name, as well as IRS-themed emails that may not be from whom they claim to be.
You might also like to apply for a credit freeze that effectively forces banks and credit card companies to make contact and obtain your authorisation before any credit is granted in your name.
With personally identifiable information (PII) so easily available to buy on the internet, this attack on US taxpayers highlights how data theft can snowball.
While the IRS systems were not technically breached, since the hackers entered the accounts with legitimate (if stolen) credentials, two-factor authentication on the site would go a long way towards preventing unauthorised access in the future.