IRS Announces Data Breach; 200K Taxpayers Affected



  • https://www.stickleyonsecurity.com/sos_examples.jspx?sosnoteid=789&utm_source=Emailbrain&utm_medium=email&utm_term=NewsletterLink&utm_campaign=052815&utm_content=pzivovic%40inlandbank.com

    The IRS announced this week that it was the victim of a data breach and the full files of 100,000 US taxpayers were accessed.

    The event occurred between February of this year and sometime in May. The information in a tax file includes social security numbers, addresses, income, date of birth, tax filing status, and perhaps a lot more personal information.

    The IRS is offering credit monitoring service to those affected by this. Should you get a letter from the agency stating you were one of them, take advantage of this service...

    Yay.

    According to the announcement from the IRS, the "criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information" on the tax accounts. Whoever did this acquired enough information from this outside source to bypass the multi-factor authentication that the IRS uses.

    Information gathered was enough to bypass multi-factor authentication? :wtf:


  • sockdevs

    @redwizard said:

    Information gathered was enough to bypass multi-factor authentication?



  • Wait, so, specific taxpayer information was enough to get information on other taxpayers? :wtf:



  • No no, the taxpayer info was gathered using info gotten from somewhere else. The info from somewhere else was enough to bypass the checks the IRS uses (which could be called multi-factor).



  • @locallunatic said:

    multi-factor).

    Not if there is only one source...



  • @redwizard said:

    "criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information"

    That sounds more like what I said, tbh.



  • Multi-factor authentication is covered in detail in the wiki.

    For those who don't know and feel the wiki is tl;dr:
    Multi-factor is a combination of two or more methods of authentication that involves:

    1. Something you know (e.g., PIN or password)
    2. Something you have (e.g. ATM card or token)
    3. Something you are (e.g. retina pattern or fingerprint)

    Not sure how a compromise of taxpayer information alone (something you know) would involve something the taxpayer has or is. Any ideas?

    Unless there's missing data in the report, such as use of social engineering to have something you have (e.g. token) reissued by the IRS to the taxpayer (who is really the fraudster), which then led to the compromise. Seems labor-intensive given the scale of the compromise, though.



  • It sounds like someone logged in as a taxpayer and compromised the system from there, and they don't want to admit it.



  • What they probably mean by "multi-factor" is the attacker needed your IRS site password and then answers for things like DOB, address, some kind of ID number, and such like. Which is what many people think counts as multi-factor, and so it is going to be the term used in announcements.



  • @locallunatic said:

    What they probably mean by "multi-factor" is the attacker needed your IRS site password and then answers for things like DOB, address, some kind of ID number, and such like. Which is what many people think counts as multi-factor, and so it is going to be the term used in announcements.

    Correct concept.

    The term for that is multi-layer, which some of us in the field also call "wish it were multi-factor."


  • mod

    Yeah, it was probably actually "wish-it-was two-factor", where you need to know two things instead of having two actual factors.

    :hanzo:'d



  • Well yeah, I was just working on an edit to point out most think two passwords counts as multi-factor as they don't know the difference between the different kinds of multi.



  • @redwizard said:

    2) Something you have (e.g. Mobile phone)


  • Winner of the 2016 Presidential Election

    Google Authenticator is a thing.

    But yeah, sending just an SMS code is probably not the best way to do things. My bank sends a message and asks me to reply with a code... makes it a little safer...



  • @redwizard said:

    Information gathered was enough to bypass multi-factor authentication?

    Shouldn't be too hard to gather enough information to bypass wish-it-was-multi-factor authentication.



  • @sloosecannon said:

    My bank sends a message and asks me to reply with a code

    My bank offers that, as well as a TOTP dongle. I picked the TOTP dongle because I need to trust fewer entities that way.
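
Added example, not part of the original thread: Python code for the distinction drawn above between several knowledge questions ("wish-it-was multi-factor") and a real second factor such as the TOTP dongle just mentioned. The check names, the taxpayer record and the device secret are constructed for illustration; `totp` follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

# Factor category of each check (check names are hypothetical, for illustration).
CATEGORY = {"password": "know", "dob": "know", "address": "know", "ssn": "know",
            "filing_status": "know", "totp": "have"}

def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1): depends on a device-held secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, unix_time, digits=6, step=30, window=1):
    """Accept the current time step and +/- `window` steps for clock drift."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    return any(hmac.compare_digest(totp(secret, unix_time + i * step, digits, step), code)
               for i in range(-window, window + 1))

def factor_count(checks):
    """Distinct factor categories in a flow, not the number of questions asked."""
    return len({CATEGORY[c] for c in checks})

def login(record, supplied, checks, now):
    """True only if every configured check passes."""
    for check in checks:
        if check == "totp":
            ok = verify_totp(record["totp_secret"], supplied.get("totp", ""), now)
        else:
            ok = hmac.compare_digest(str(supplied.get(check, "")).encode(),
                                     str(record[check]).encode())
        if not ok:
            return False
    return True

# Constructed sample data: an invented taxpayer record and clock value.
NOW = 1432800000
RECORD = {"dob": "1970-01-01", "address": "1 Example St", "ssn": "000-00-0000",
          "filing_status": "single", "totp_secret": b"constructed-device-secret"}
# Static personal data can be copied from any other source that holds it.
COPIED = {k: v for k, v in RECORD.items() if k != "totp_secret"}
KBA_CHECKS = ["dob", "address", "ssn", "filing_status"]  # four questions, one factor
MFA_CHECKS = ["ssn", "dob", "totp"]                      # know + have

if __name__ == "__main__":
    for name, checks in (("KBA", KBA_CHECKS), ("MFA", MFA_CHECKS)):
        print(name, factor_count(checks), login(RECORD, COPIED, checks, NOW))
```

The four-question flow counts as one factor and is satisfied by data held outside the system; the flow that includes the TOTP check is not, because the code depends on a secret that never leaves the device.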


  • Discourse touched me in a no-no place

    @Yamikuronue said:

    wish-it-was two-factor

    Since no-one's linked to it yet:

