Sign Up At irs.gov Before Crooks Do It For You

tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.

Hell already froze over.

[Ungrounded+Lightning]

Maybe, some day, Congress will actually fix some of the real fucking problems we have, with having a pseudo, tech. intergrated Government. And maybe, Hell will actually freeze over!

I hear Hell already froze over - several decades ago.

It was a particularly cold snap during winter in Michigan, with sub-zero (farenheit) temperatures. The expanding ice blew out a small (millpond-ish) dam. The water under the ice rushed down the river and overflowed it, pouring down the main street of the little village of Hell, Michigan. It was several inches deep when it slowed enough that the extreme cold froze it solid.

Since then a lot of the stuff that was waiting for Hell to freeze over has been happeng. That explains the last several decades nicely, eh? B-)

Re:Sign up?

[TechyImmigrant]

I did. That's how I found the place to sign up.

I signed up.

It gave password rules and validated the password on the fly with four green ticks, one against each rule (> 8 chars, special chars etc.). I used a 32 character password generated from my password manager.

The web page then errors out each time I tried to enter the password, saying it needed a valid password, even though the password was declared valid each time. In the end I got it to work when I reduced the password length below 20 characters. This may be due to the length, or some other difference, since my password manager was creating a different password each time I fiddled with the generator rules.

The whole thing sticks of basic programming incompetence.

 

"Knowledge-based" questions are really bad

[RobinH]

I was signing up for something through my bank, and it was asking me some of these questions like, "Which of these employers did you previously work for?" Unfortunately none of them were correct (this wasn't a huge surprise because I had already tried to correct my credit report information... they seem to have me confused with someone else). That meant I couldn't continue, but it turns out if you start the test over again, it gives you the same question but randomly selects the "wrong" answers. All I had to do was remember what the original multiple-choice answers were, and pick the one that didn't change. Basically that means there's almost zero security with this method of authentication.