In August of this year, the IRS announced that over 220,000 taxpayers had their accounts accessed and fraudulent returns filed while hackers made attempts on another 170,000 households, indicating hackers had at least partial, sensitive personal information. This was on top of the already confirmed hacked accounts, bringing the total up to over a half million taxpayers affected by or at risk from the hack.
In an in-depth article, tax payer Michael Kasper shared his story and his investigation into how his account had been breached and what had happened as a result. Like many other Americans sitting down and completing their tax returns online, Kasper was blocked from filing because the system had already registered a tax filing a week ago. When he reported the issue, the IRS agreed that he was likely the victim of fraud and that the rebate was scheduled to post and could not be canceled. However, due to confidentiality regulations the IRS was unable to share information on where the money was to be posted until they’d completed their own audits. (Rules that also prohibit them from sharing that information with law enforcement or banks where funds may be sent.) Kasper has some history in the security industry, and wasn’t prepared to leave it at that.
Hackers had used the Get Transcript tool on the IRS website in order to gain information on taxpayers to be able to submit tax forms. The Get Transcript tool allowed tax papers to request e-copies of prior years’ tax returns with very little information. While the online version has since been shut down, getting a paper copy through the website only requires a SSN, date of birth and address from the last tax return. They locked Kasper (and presumably others) out of the e-system but Kasper was able to obtain a paper transcript that confirmed what the crooks knew and gave him the lead on the bank account that the money had been deposited into.
With a copy of his prior return and information like his SSN, marital status, date of birth, real address, and even his salary, they could complete the tax forms and bypass Knowledge-Based Authentication questions that, some believe, may have been automated as well.
The thieves then had to figure out how to actually get the money without being noticed. So how did they get the money? An intriguing possibility was that the hackers found on-the-ground conduits for small amounts of money. In Kasper’s case, the stolen tax rebate was deposited into a small account and someone hired off of Craigslist periodically wired money out of the country.
And the crooks did this successfully over 300,000 times.
The scale involved in both assembling the necessary data, pinging the IRS servers with Get Transcript requests and then automated tax return filings, followed up a well-thought out plan that would take advantage of the IRS’s own rules about confidentiality and fly low enough under the radar to not alert banking institutions they used to funnel the money out, speaks to the scale that had to be involved.
We’re not talking about a couple of guys in a basement making some small change off of stolen credit cards anymore. This is for all intents and purposes, running like a business, a big one, a start up of criminals organizing and running a big, long-term scam.
And it all hinges entirely on a system of Knowledge-Based Authentication questions that were likely broken by robust computer hacking. We’re seeing the rise of accomplished hacker organizations that will continue to profit and exploit individuals until we stop using the same lock on every door. Without KBAs, the plan fails before the crooks can gain entrance to personal tax accounts.
It’s time for the IRS to take a page out of the playbooks of financial institutions and e-commerce giants to ditch KBAs and make the switch to User Behavior Analytics (UBAs). For more information on how UBAs, read our white paper here.