Dear Taxpayer: You’ve Been Breached

A few weeks ago the spouse and I learned of an identity theft — our own. We received a notice from the Internal Revenue Service. It said that someone had filed a false return in our names, in an attempt to steal our tax refund.

Letter from the IRS

I’m glad the IRS flagged the return and sent us a letter. But everyone’s favorite government agency has had to learn its vigilance the hard way. In 2013, it paid out $5.2 billion in fraudulent identity theft tax refunds. The IRS breach is a symptom of a much bigger problem: large-scale data breaches involving identity and authentication.

Keeping up with the times, but making matters worse

The IRS launched its Get Transcript service in January 2014 to make it easy for taxpayers to view and print their prior years’ returns in minutes. It used to take five to seven business days — a burden on IRS staff and the folks waiting for their transcripts. The newer service required a multi-step process to prove one’s identity using knowledge-based authentication: Social Security Number, birthdate, mailing address, and a few “out of wallet” facts about credit history.

But the final step of that verification relied on a confirmation code sent to an email address. You know, an email address the requester provided. That step proves only that the requester controls the mailbox they typed in; it says nothing about whether they are the taxpayer. In other words, the IRS had no way to tell a real taxpayer from a crook who could already answer the knowledge questions. Get Transcript became a target of attacks between mid-February and mid-May of 2015. My spouse and I hadn’t yet filed our tax return during this time, and we got caught up in the flurry of fraudulent returns. So far, the breach has affected 334,000 taxpayers in the 2015 filing season.
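To make the design flaw concrete, here is an added example, written for this post and not the IRS’s own code. It models two versions of the same transcript-request flow: a weak one that emails the confirmation code to whatever address the requester types in, and a hardened one that sends it only to the contact channel already on file for that taxpayer. The taxpayer record, the email addresses and the knowledge-based checks (reduced here to date of birth and ZIP code; the real service also asked credit-history questions) are constructed for illustration.

```python
"""Two identity-proofing flows for a transcript request (constructed example,
not the IRS's code): a weak flow that sends the confirmation code to the
requester-supplied email, and a hardened flow that sends it only to the
contact channel already on record."""
import hmac
import secrets
import time

# Constructed taxpayer record; not a real person. KBA is reduced to DOB and
# ZIP here; the real service also asked credit-history questions.
RECORDS = {
    "123-45-6789": {"dob": "1970-01-01", "zip": "94105",
                    "email_on_file": "alice@example.com"},
}
CODE_TTL = 600          # seconds a confirmation code stays valid
MAX_KBA_FAILURES = 3    # lock a record after this many wrong KBA answers


class TranscriptVerifier:
    def __init__(self, send_code, bind_to_record, now=time.time):
        self.send_code = send_code            # callable(address, code)
        self.bind_to_record = bind_to_record  # True selects the hardened flow
        self.now = now
        self.pending = {}                     # session -> (ssn, code, expires)
        self.failures = {}                    # ssn -> wrong-KBA count

    def start(self, ssn, dob, zip_code, requester_email):
        """Check the KBA answers, then send a code. Returns a session id or None."""
        if self.failures.get(ssn, 0) >= MAX_KBA_FAILURES:
            return None                       # record locked; do not say why
        rec = RECORDS.get(ssn)
        if rec is None or rec["dob"] != dob or rec["zip"] != zip_code:
            self.failures[ssn] = self.failures.get(ssn, 0) + 1
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        # The only difference between the two flows is where the code goes:
        # the address on file (hardened) or the address the requester typed (weak).
        target = rec["email_on_file"] if self.bind_to_record else requester_email
        self.send_code(target, code)
        session = secrets.token_urlsafe(16)
        self.pending[session] = (ssn, code, self.now() + CODE_TTL)
        return session

    def confirm(self, session, typed_code):
        """Single-use, time-limited, constant-time check of the typed code."""
        entry = self.pending.pop(session, None)   # pop: a session is used once
        if entry is None:
            return False
        _ssn, code, expires = entry
        if self.now() > expires:
            return False
        return hmac.compare_digest(code, typed_code)


def attacker_gets_transcript(hardened, now=time.time):
    """Replay the Get Transcript scenario: the attacker holds a breached SSN,
    DOB and ZIP and controls crook@example.net (constructed), nothing else."""
    mailboxes = {}   # stands in for the mail system: address -> delivered codes
    verifier = TranscriptVerifier(
        send_code=lambda addr, code: mailboxes.setdefault(addr, []).append(code),
        bind_to_record=hardened, now=now)
    session = verifier.start("123-45-6789", "1970-01-01", "94105",
                             "crook@example.net")
    if session is None:
        return False
    codes = mailboxes.get("crook@example.net")   # the only mailbox the attacker can read
    if not codes:
        return False
    return verifier.confirm(session, codes[-1])
```

In the weak flow `attacker_gets_transcript(hardened=False)` succeeds with nothing but breached KBA data; in the hardened flow the code lands in the taxpayer’s own mailbox and the attacker never sees it. The lockout counter and single-use, expiring session are the other two checks a practitioner would expect: without the counter, KBA answers can be guessed at leisure.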

Pointing the finger at other data breaches

The IRS maintains that its own systems were not compromised and that the attacks used information gleaned from data breaches occurring elsewhere. The scale of breaches in the past year is staggering. The Office of Personnel Management alone admits to a breach affecting 21.5 million individuals, or 1 in 15 U.S. citizens.

Armed with names and Social Security Numbers, possibly obtained through breaches at government, health insurance or financial sites (to name a few), attackers could fill in the rest of the information they needed through social engineering and public records.

Compromised credentials

The username and password are the most common credentials we use to authenticate ourselves on the Internet. For convenience, many people tend to reuse the same credentials across many sites.


The security analysts we track believe compromised credentials are involved in most breaches. And we’ve been saying that attackers first compromise an end user account, use it to find credentials for a privileged admin account, and then gain access to the critical infrastructure housing valuable customer data.

An attacker may launch spear phishing email blasts targeting key individuals in an organization. The email may contain links to fraudulent copies of intranet sites that prompt the recipient to enter their credentials. Another type of attack involves locking out a user account by entering the wrong password too many times; the bad guy then contacts the call center, requests a password reset and takes over the account. Attackers may also sniff credentials from open Wi-Fi networks, or buy stolen passwords on the dark web.

In its written testimony before the Senate Finance Committee, the IRS noted that it has formed a working group, along with state tax administrators and tax software and payroll companies, to focus on improved authentication.

The case for no passwords

At Centrify, we recommend taking passwords out of the per-application login altogether. Single Sign-on (SSO) with SAML or other standards lets us authenticate without entering a password for every app. SAML passes a signed, short-lived assertion (a digital “token”) from an identity provider to the application provider; the application checks the signature and the validity window and should reject an assertion it has already seen, so the token is effectively one-time and expiring. Users log in only once with their network credentials to get one-click access to thousands of cloud applications. Users are individually identifiable and accountable for access to shared apps.
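The “one-time, expiring” property is something the application side has to enforce, not something the token carries by itself. As an added example (not Centrify’s code and not from the original post), here are the checks a SAML 2.0 service provider runs on an incoming assertion once its XML signature has been verified: issuer, validity window with a little clock-skew tolerance, audience, and single use of the assertion ID. The assertion, the issuer and audience URLs and the ID are constructed for illustration, and signature verification (XML-DSig, normally done with a library such as xmlsec) is assumed to have happened first and is not shown.

```python
"""Checks a SAML service provider should run on an incoming Assertion after
its XML-DSig signature has been verified (signature verification is assumed
to happen first and is not shown). Constructed example, not a library."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)   # tolerated drift between IdP and SP clocks

# Constructed, unsigned assertion: made-up ID and URLs for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8f3c2a" Version="2.0" IssueInstant="2015-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-06-01T12:00:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AssertionValidator:
    def __init__(self, expected_issuer, expected_audience, now=None):
        self.expected_issuer = expected_issuer
        self.expected_audience = expected_audience
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.seen = {}   # assertion ID -> NotOnOrAfter, enforcing one-time use

    def validate(self, xml_text):
        """Return (subject, None) if accepted, else (None, reason)."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS['saml']}}}Assertion":
            return None, "not an Assertion"
        if root.findtext("saml:Issuer", namespaces=NS) != self.expected_issuer:
            return None, "unexpected issuer"
        cond = root.find("saml:Conditions", namespaces=NS)
        if cond is None or cond.get("NotOnOrAfter") is None:
            return None, "missing validity window"
        now = self.now()
        expires = parse_ts(cond.get("NotOnOrAfter"))
        if cond.get("NotBefore") and now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
            return None, "not yet valid"
        if now - CLOCK_SKEW >= expires:
            return None, "expired"
        audiences = [a.text for a in cond.findall(
            "saml:AudienceRestriction/saml:Audience", namespaces=NS)]
        if self.expected_audience not in audiences:
            return None, "audience mismatch"
        assertion_id = root.get("ID")
        # Forget IDs that can no longer be replayed, then check this one.
        self.seen = {i: t for i, t in self.seen.items() if now - CLOCK_SKEW < t}
        if assertion_id is None or assertion_id in self.seen:
            return None, "replayed assertion"
        self.seen[assertion_id] = expires
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS), None
```

The same assertion is accepted once and rejected as a replay the second time, and it is rejected outright once the clock passes NotOnOrAfter. In a real deployment the ID cache has to be shared across all service-provider instances, and SP-initiated flows also check InResponseTo against the request that was sent; both are left out here.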


Multi-factor authentication

We also recommend locking down applications even further using multi-factor authentication (MFA). The Verizon 2015 Data Breach Investigations Report calls credentials “the keys to the digital kingdom.” It recommends securing credentials “with a second factor such as a hardware token or mobile app and monitor login activity with an eye out for unusual patterns.”

Centrify Identity Service uses MFA to secure and manage application access with policy based on location, network, device posture and more. There’s also an option to authenticate into Identity Service itself, without having to enter a password at all.

SSO and MFA are two ways we can reduce the attack surface for the apps we use. And they help protect organizations and end users from the risks of compromised credentials.

Privileged Identity Management can reduce the attack surface further by having users log in as themselves and elevate privilege only when needed, by securing privileged accounts that are often shared, and by monitoring all privileged activity.

Fingers crossed

Lucky for the spouse and me, the IRS caught and put a hold on that fraudulent return. We filed the obligatory police reports and got a free year of credit monitoring, and an Identity Protection PIN.

As for the IRS, they’ve turned off instant access to taxpayer transcripts until they can figure out better authentication.

And we should be getting our tax refund any day now.

For a quick read on mitigating security risks using IDaaS, check out this new infographic. For more details, read this short paper.