The IRS Breach and the Weakness of KBAs

Feature Article by Ryan Wilk

Over 100,000 Tax Accounts Breached: This IRS breach is yet another example of why companies need to stop relying on outdated ways to identify people and users – known in the security industry as knowledge-based authentication (KBA).

Asking users questions about themselves is flawed. Companies that rely on KBA are constantly breached, revealing personal and private information about users, in this case taxpaying Americans. The repercussions of such data breaches are widespread and often have a snowball effect. Criminals then use the stolen personal information to breach another firm using KBA, obtaining more and more personal information with the end goal of committing fraud such as filing tax returns or applying for credit cards under someone else’s name.

What kind of information did they steal in this attack? The hackers got in by answering the security questions specific to the affected people, such as their Social Security number, date of birth, tax filing status and street address. The stolen information they made off with includes tax returns and other sensitive data.

This is why the most fraud-intelligent companies employ User Behavioral Analytics (UBA) – the science of user behavior. If the IRS had integrated UBA into its system, it wouldn’t have mattered how much information the hackers had, or even if they had guessed the real password, because a UBA-based defence system would have known it was not the real user and kept the bad guys out. It could have prevented those fraudsters from obtaining sensitive tax return information by stopping them in their tracks earlier in the process.

It’s long past time to stop being reactive to data breaches by offering free credit reports and tweaking the KBA rules. It’s time to stop fraudsters in advance of their attack, before they get even a single byte of data.

For more information on User Behavioral Analytics (UBA) and how companies are using it to stop fraud before it starts, download the white paper here.