The recent IRS breach that exposed the tax data of more than 100,000 households didn’t have to happen if basic security controls were in place.
The IRS blames the unauthorized access to more than 100,000 tax accounts on “complex and sophisticated” attacks and on $1.2 billion in agency budget cuts over the last five years. [http://www.irs.gov/uac/Written-Testimony-of-Commissioner-Koskinen-on-Unauthorized-Attempts-to-Access-Taxpayer-Data-before-Senate-Finance-Committee] But the attacks were not really that sophisticated, and the agency’s record for spending its IT budget has never been good. The breaches did not have to happen.
Tom DeSot, CEO of Digital Defense, called the lack of basic controls on the IRS Get Transcript application “somewhat shocking. This is just another indication that the government needs to step up its game.”
“Monitoring on Get Transcript should have detected suspicious activity,” said Paul Martini, CEO of iboss Cybersecurity.
The incident, discovered in May, involved more than 200,000 attempts by criminals to access taxpayer accounts, about 104,000 of which were successful. Criminals using stolen personal data apparently used a script to run that data against the challenge and response log-in of the IRS application. The challenge/response scheme gives taxpayers access without having to create an account with a user ID and password. This was meant as a convenience, but the wide availability of personal data on online black markets undermines this authentication scheme.
Accessing thousands of accounts one at a time would not be cost effective for organized criminals, so disrupting the automated process would be an effective defense. This, said DeSot and Martini, could have been done with a variety of simple tools.
Passwords and user IDs have a bad reputation these days, but the inclusion of a password or PIN in the log-in process could have short-circuited the automated process. This would require a user to set up an account prior to accessing information, but this is a minor inconvenience compared with the process of trying to verify your identity to the IRS after a breach. I know—I’ve been there.
Simple schemes, such as CAPTCHA, also could help weed out automated log-ins. There are online tools to subvert CAPTCHA challenges, but it still could raise the bar for criminals. Continuous monitoring of the system for anomalous behavior should also have spotted suspicious log-in attempts. Even spread out over three or four months, the 100,000 failed attempts should have raised some flags. If the Get Transcript system routinely generates that ratio of log-in failures, it should have been replaced anyway.
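The kind of monitoring described above can be sketched in a few lines. This is an added example, not code from the IRS or from the people quoted here; the log format, the thresholds and the sample records are all assumptions made for illustration. It flags hours in which the log-in failure ratio is far above normal, and clients that try more taxpayer identities than a household plausibly would.

```python
from collections import defaultdict
from datetime import datetime

def parse(line):
    """Split one 'ISO-time client-ip taxpayer-token OK|FAIL' record (hypothetical format)."""
    ts, ip, taxpayer, outcome = line.split()
    return datetime.fromisoformat(ts), ip, taxpayer, outcome == "OK"

def hourly_failure_alerts(lines, min_attempts=20, max_fail_ratio=0.25):
    """Return the hours whose log-in failure ratio exceeds the assumed baseline."""
    attempts, failures = defaultdict(int), defaultdict(int)
    for ts, _ip, _taxpayer, ok in map(parse, lines):
        hour = ts.replace(minute=0, second=0)
        attempts[hour] += 1
        failures[hour] += not ok
    # Ignore quiet hours: a ratio computed over a handful of attempts is noise.
    return sorted(h for h, n in attempts.items()
                  if n >= min_attempts and failures[h] / n > max_fail_ratio)

def multi_identity_clients(lines, max_identities=3):
    """Return clients that attempted more distinct taxpayer identities than allowed."""
    seen = defaultdict(set)
    for _ts, ip, taxpayer, _ok in map(parse, lines):
        seen[ip].add(taxpayer)
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > max_identities}

def constructed_log():
    """Constructed sample: ten ordinary users, then one scripted client failing half the time."""
    lines = [f"2015-03-02T09:{m:02d}:00 192.0.2.{m + 10} tp-{m} OK" for m in range(10)]
    lines += [f"2015-03-02T10:{i // 2:02d}:{(i % 2) * 30:02d} 198.51.100.7 tp-{100 + i} "
              f"{'OK' if i % 2 else 'FAIL'}" for i in range(60)]
    return lines

if __name__ == "__main__":
    log = constructed_log()
    print("hours over failure baseline:", hourly_failure_alerts(log))
    print("clients trying many identities:", multi_identity_clients(log))
```

The per-client check alone is not enough when attempts are spread across many addresses, which is why the aggregate failure ratio is tracked as well.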
No security solution is perfect, but workable security is achievable and affordable. These breaches are costing taxpayers billions of dollars, not to mention thousands of wasted and frustrating hours. We deserve better.
William Jackson is a freelance writer with the Tech Writers Bureau [www.techwritersbureau.com] and the author of The Cybereye. Follow him on Twitter @TheCybereye.