Slashdot Mirror


IRS: Personal Info of 100,000 Taxpayers Accessed Illegally

An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.

3 of 85 comments

  1. Yeah by Anonymous Coward · Score: 5, Interesting

    The existence of this system was reported previously on slashdot, and people were recommending that you sign up before a criminal signs up in your name. That way you can protect the account with your own strong password.

    Which is exactly what I did. And I am now quite happy I did. And I don't mind a bit that they shut it down anyway.

    1. Re:Yeah by ChromaticDragon · Score: 5, Interesting

      So did I.

      But then I stopped and thought a bit about the concept of Testing for Success vs. Testing for Failure. The former is weak testing... lazy testing. It WORKS. That's nice... But does it fail as it should? Have you tested when and how it fails? Do you know the limits?

      So... I decided to act as an identity thief. As previously reported then and now, getting the credentials to sign up is easy. OK. But I had already signed up. So that'd protect me, right?

      NOT AT ALL.

      It was trivially easy to sign up again. Oh sure, an email gets sent to the first email address set up. But this leads to one of two situations. First, the proper user doesn't check his email for a while. Then whatever the thief is going to do they can do. Second, the proper user finds out immediately and gets on and takes it back over. All good? Comically, no. Believe it or not (and I was really stunned at this part) the webapp doesn't force logout the identity thief when the proper user reregisters.

      I was a tad sickened at this point.

      As far as I could tell, this was utterly and completely insecure. The only way for an "average joe" to protect themselves here was to sign up and then freeze credit completely at all the credit bureaus. Supposedly (haven't finished this part yet) once you do that, the 20-question stuff will IMMEDIATELY fail and anything like this IRS.GOV site that depends on it will also fail.

      Oh... but it was rather interesting to see what the IRS had stored on me... and what they didn't have. It was somewhat perplexing.
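The comment above describes two defects in how re-registration was handled: a second registration over an existing identity silently replaced the credentials, and it left the earlier session logged in. The following is an added example, not code from the IRS system or from the commenter, that models that behaviour in a small account service and sets it beside a hardened version in which any claim on an existing identity revokes every session for it, locks the record, and only takes effect once the holder of the previously verified e-mail address confirms with a token that was sent to that address alone. All identifiers, addresses, passwords and the salt are constructed for the demonstration; the `outbox` list stands in for the notification e-mail.

```python
import hashlib
import secrets
from dataclasses import dataclass

DEMO_SALT = b"constructed-demo-salt"  # real systems: random per-account salt and a slow KDF

def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 10_000)

@dataclass
class Account:
    identity: str        # locates the record; never an authenticator by itself
    email: str           # the verified contact channel
    password_hash: bytes

class WeakService:
    """Re-registering over an existing identity swaps the credentials but leaves
    every earlier session alive (the behaviour described in the thread)."""
    def __init__(self):
        self.accounts = {}   # identity -> Account
        self.sessions = {}   # session token -> identity

    def register(self, identity, email, password):
        acct = self.accounts.get(identity)
        if acct is None:
            self.accounts[identity] = Account(identity, email, hash_pw(password))
        else:  # overwrite in place; nothing is revoked
            acct.email, acct.password_hash = email, hash_pw(password)
        return self.login(identity, password)

    def login(self, identity, password):
        acct = self.accounts.get(identity)
        if acct is None or not secrets.compare_digest(acct.password_hash, hash_pw(password)):
            return None
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = identity
        return tok

    def session_valid(self, tok):
        return tok in self.sessions

class HardenedService(WeakService):
    """A claim on an existing identity revokes every session for it, locks the record,
    and applies the new credentials only when the holder of the previously verified
    e-mail address confirms with a token that went to that address alone."""
    def __init__(self):
        super().__init__()
        self.pending = {}   # identity -> (confirm token, new email, new password hash)
        self.outbox = []    # (recipient, token): stands in for the notification e-mail

    def register(self, identity, email, password):
        acct = self.accounts.get(identity)
        if acct is None:
            return super().register(identity, email, password)
        self.sessions = {t: i for t, i in self.sessions.items() if i != identity}
        token = secrets.token_urlsafe(16)
        self.pending[identity] = (token, email, hash_pw(password))  # replaces any earlier claim
        self.outbox.append((acct.email, token))   # old address only; the claimant never sees it
        return None                               # the claimant gets no session

    def confirm(self, identity, token):
        entry = self.pending.get(identity)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False
        _, email, pw_hash = self.pending.pop(identity)
        acct = self.accounts[identity]
        acct.email, acct.password_hash = email, pw_hash
        return True

    def login(self, identity, password):
        if identity in self.pending:   # locked while a claim is unresolved
            return None
        return super().login(identity, password)

IDENT = "000-00-0000"   # constructed identifier, not a real SSN

def weak_scenario():
    """Claimant re-registers, owner takes the account back: claimant stays logged in."""
    svc = WeakService()
    svc.register(IDENT, "owner@example.test", "owner-pass")
    claimant = svc.register(IDENT, "claimant@example.test", "claimant-pass")
    svc.register(IDENT, "owner@example.test", "owner-pass-2")
    return svc.session_valid(claimant)   # True: the defect

def hardened_scenario():
    svc = HardenedService()
    owner = svc.register(IDENT, "owner@example.test", "owner-pass")
    claim = svc.register(IDENT, "claimant@example.test", "claimant-pass")
    out = {
        "claimant_session": claim,                                     # None
        "owner_session_alive": svc.session_valid(owner),               # False: revoked too
        "claimant_login_while_pending": svc.login(IDENT, "claimant-pass"),  # None
        "notice_recipient": svc.outbox[-1][0],                         # owner@example.test
        "guessed_token_confirms": svc.confirm(IDENT, "not-the-token"), # False
    }
    svc.register(IDENT, "owner@example.test", "owner-pass-2")   # owner reclaims
    out["owner_confirms"] = svc.confirm(IDENT, svc.outbox[-1][1])           # True
    out["owner_login"] = svc.login(IDENT, "owner-pass-2") is not None         # True
    out["claimant_login_after"] = svc.login(IDENT, "claimant-pass")          # None
    return out
```

Revoking the owner's own session on a claim is deliberate: the service cannot tell which party is legitimate, so it lets nobody in until the verified channel has spoken. The model assumes the first registration was the legitimate one; reclaiming an identity that someone else registered first needs a channel independent of the online account, which is outside what this code shows.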

  2. Re:DoB, SSN & Filing Status?? by pehrs · Score: 4, Interesting

    Say after me ten times: Identity is not Authentication, nor Authorization. Identity is not Authentication, nor Authorization. Identity is not...

    Now, got that? You are making the same sad mistake that the IRS did. You are confusing Identity with Authentication.

    SSN & DoB are perfectly fine identifiers for a person. Not quite unique, but they will work for the purpose.

    The problem is that there is no authentication, nor any authorization infrastructure for them to use as far as I know. There are in other countries (see for example https://www.bankid.com/en/). I have understood that there are ideological reasons not to roll out a decent Authentication/Authorization infrastructure in the US, but the lack of such an infrastructure will cost US business (and private persons) more and more dearly as important information moves to the internet.