Dear Taxpayer: We Still Can’t Guarantee Your Security

2015 was the year of the U.S. Internal Revenue Service (IRS) Get Transcript identity theft. Since the spouse and I were affected by this breach last year, I figured I’d better have a look into any recent developments.

The IRS has implemented new safeguards for 2016 to help taxpayers verify their identity and the validity of their tax returns, before it will accept the returns for processing. Here’s a summary:

  • Stronger password with a minimum of eight characters, including alphanumeric and special characters
  • Three security questions to verify identity upon login
  • Account lockout features for session length, and number of login attempts
  • Email address verification, via email or text with a PIN to a mobile phone
  • Optionally, provide a driver’s license number for filing a state tax return

Four out of five of these requirements are based on inadequate authentication. Strong authentication requires a combination of different types of authentication factors, i.e. something you know, something you have, and something you are. Mixing authentication types can increase the “hassle factor” for bad guys trying to steal a tax return or other important information. If an account is more difficult to breach, maybe they’ll move on. So, how do the new 2016 IRS security requirements stack up?

Passwords

Passwords belong to the “something you know” category. Any strong password containing special characters, mixed-case letters and digits is either hard to remember if it’s truly unique, or easy to re-use once it’s been typed in a few times. Outside of Centrify, I use a password vault to store strong passwords or passphrases, but I don’t rely on them alone for important accounts. Wherever supported, I’ll include a second factor such as a one-time passcode (OTP) or a hardware token such as a Yubikey.

Security questions

The typical answers to security questions are, by their nature, also part of the “something you know” category. The website goodsecurityquestions.com offers five tips for what constitutes a good security question:

  1. Safe: can’t be guessed or researched from social media, social engineering, or other publicly available information
  2. Stable: doesn’t change over time
  3. Memorable: can be remembered
  4. Simple: is precise, easy, consistent
  5. Many: has many possible answers

IRS security questions

The first set of IRS security questions I encountered seems somewhat stable, simple and memorable, but not that safe, given the availability of public records online.

Email verification

The problem with email verification is that anyone could register their own email address and gain control over an individual’s account. On May 14, 2015, the IRS identified a backlog of undeliverable e-mails that appeared to have been sent from suspicious sources. So how can the IRS really verify someone’s identity, without requiring an in-person visit to an IRS service center, carrying two forms of government-issued ID?

Driver’s license number

A simple Internet search shows databases that map driver’s license numbers to social security numbers (SSNs). So I have to assume that all of the information requested is already available on the web, and can be used by anyone.

Electronic filing PIN

To file a tax return electronically, each taxpayer first needs to get an Electronic Filing PIN from irs.gov. Here’s what it currently looks like:

[Image: E-file PIN application form]

Anyone can get an e-filing PIN by entering basic information into the form. The next image shows what happens when you hit the Submit button. (I’ve blurred out the SSN and PIN.)

[Image: e-file PIN result page]

Unscrupulous individuals can set up any taxpayer account, obtain an e-filing PIN, and choose a site phrase, site image, and email address, simply by re-using the information that’s already been hacked.

On February 9, 2016, the IRS issued a statement about an automated attack on its Electronic Filing PIN application. Thieves using data stolen elsewhere attempted to generate E-file PINs using stolen social security numbers.

Identity Protection PIN

Those of us affected by the Get Transcript breach last year received a letter in the mail from the IRS, which included an Identity Protection PIN. This personal identification number is to be added onto our 2015 tax return to confirm our identity. Luckily we still have that letter in our files; had we lost that PIN, we’d have to spend more time on the phone with the IRS. On March 7, the IRS announced that its Get An Identity Protection PIN (IP PIN) service on irs.gov has been discontinued until further notice, pending a security review. This service relied on insufficient authentication: easy-to-guess questions from a consumer credit bureau.

Form W-2 verification code

Another initiative the IRS is testing for this 2016 filing season is to add a 16-digit code onto some W-2 forms. (For those outside the United States, the W-2 form reports an employee’s annual wages and the amount of taxes withheld from his or her paycheck.) The IRS is running this new code on a subset of W-2 forms, as a trial.
Meanwhile, the IRS has issued a warning to Human Resources (HR) and payroll professionals about a W-2 email phishing scheme, in which someone impersonating a CEO emails HR to request a list of company employees and their W-2 data. KrebsOnSecurity reported that this fraud hit Seagate Technology on March 1, 2016.

Conclusion: U.S. taxpayers are still vulnerable to identity theft

In 2015, the Treasury Inspector General for Tax Administration (TIGTA) conducted an independent audit of the IRS because of the IRS’ failure to adequately authenticate taxpayers who filed tax returns or accessed tax account information. Some of the findings I found most interesting:
  • The authentication methods that the IRS currently uses do not comply with National Institute of Standards and Technology (NIST) standards. Despite requirements for multi-factor authentication, the IRS only provides inadequate single-factor authentication
  • Single-factor, multi-step authentication is not multi-factor authentication: taxpayers have to complete multiple steps to prove their identity, but they all consist of answering knowledge-based questions from a third-party credit agency
  • The IRS can’t confirm the veracity of a taxpayer’s email address, but has blocked the questionable email addresses and will send a confirmation letter via US mail to taxpayers creating online accounts
  • The IRS can’t provide a second authentication factor, such as a one-time passcode or token through its web services, and will have to rely on sending a second authentication factor to taxpayers via US mail
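To make the distinction between “multi-step” and “multi-factor” concrete (the point raised in the introduction and again in TIGTA’s second finding), here is an added example, not code from the IRS or from the original post. It models each of the 2016 safeguards as a step with a factor category and a flag for whether that factor was actually bound to the taxpayer’s identity at enrollment; the step names and the bound/unbound judgments are my own assumptions based on the descriptions above.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class AuthStep:
    name: str
    factor: Factor
    # True only if the factor was tied to the claimed identity at enrollment
    # by something other than the enrollee's own input (e.g. a code mailed to
    # the address of record). A self-registered email or phone is not bound.
    bound_to_identity: bool = True


def effective_factors(steps):
    """Distinct factor categories that actually prove the claimed identity."""
    return {s.factor for s in steps if s.bound_to_identity}


def is_multi_factor(steps):
    """Multi-step is not multi-factor: need two or more distinct categories."""
    return len(effective_factors(steps)) >= 2


# Constructed model of the 2016 IRS online safeguards described in this post.
# Account lockout is omitted: it is a rate limit, not an authentication factor.
IRS_2016_STEPS = [
    AuthStep("password (8+ chars, mixed classes)", Factor.KNOWLEDGE),
    AuthStep("three security questions", Factor.KNOWLEDGE),
    AuthStep("driver's license number", Factor.KNOWLEDGE),
    # Anyone can register their own address, so control of it proves nothing.
    AuthStep("PIN sent to self-registered email/phone", Factor.POSSESSION,
             bound_to_identity=False),
]

# A code mailed to the address of record (like the IP PIN letter) is a
# possession factor bound to the taxpayer, so it adds a second category.
MAILED_IP_PIN = AuthStep("IP PIN letter via US mail", Factor.POSSESSION)

if __name__ == "__main__":
    print(is_multi_factor(IRS_2016_STEPS))                    # False
    print(is_multi_factor(IRS_2016_STEPS + [MAILED_IP_PIN]))  # True
```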

Wherever possible we need to insist on multi-factor authentication (MFA) to protect our identities and financial safety. Unfortunately, it seems we are no closer to getting MFA at irs.gov, at least this year.

Learn more about MFA by joining our upcoming webcast featuring guest speaker Andras Cser, Principal Analyst at Forrester Research and Cheryl Tang, Product Director at Centrify as they explain how to stop attackers in their tracks with MFA, and the steps to take to further mitigate risk from compromised credentials.