Slashdot Mirror

← Back to Stories (view on slashdot.org)

IRS: Personal Info of 100,000 Taxpayers Accessed Illegally

Posted by Soulskill on from the disincentive-to-pay-your-taxes dept.

An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.

8 of 85 comments (clear)

  1. DoB, SSN & Filing Status?? by CrimsonAvenger · · Score: 4, Insightful

    That's all the ID the IRS requires to use their "secure" site???

    Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.

    And guessing Married Filing Jointly will work more often than not, I expect....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
    1. Re:DoB, SSN & Filing Status?? by pehrs · · Score: 4, Interesting

      Say after me ten times: Identity is not Authentication, nor Authorization. Identity is not Authentication, nor Authorization. Identity is not...

      Now, got that? You are making the same sad mistake that the IRS did. You are confusing Identity with Authentication.

      SSN & DoB are perfectly fine identifiers for a person. Not quite unique, but they will work for the purpose.

      The problem is that there is no authentication, nor any authorization infrastructure for them to use as far as I know. There are in other countries (see for example https://www.bankid.com/en/). I have understood that there are ideological reasons not to roll out a decent Authentication/Authorization infrastructure in the US, but the lack of such an infrastructure will cost US business (and private person) more and more dearly as important information moves to the internet.

    2. Re:DoB, SSN & Filing Status?? by Charliemopps · · Score: 4, Insightful

      That's all the ID the IRS requires to use their "secure" site???

      Jaysus, you can get most of that (SSN & DoB) by looking at someone's Driver License in most States.

      And guessing Married Filing Jointly will work more often than not, I expect....

      I know, it's hilarious. These agencies/companies get hacked due to their own willful negligence... then scream "Hackers did it!" like hackers have magic hacking wands that turn servers inside out. It seems that the only piece of info that would have been remotely hard to get was filing status... which the "hackers" just guessed at. It looks like they were 50% successful, and I bet if compared with the victims filing status, they likely had a 50% chance of filing jointly or something. What a joke. This is completely and entirely the IRS's fault.

      Make a new law, if you get hacked, you have to pay the person whos data you lost $100,000. Problem solved. You can then decide if spending time on securing the data is worth it, or if you just want to not store it. It IS possible to prevent this sort of thing. These agencies and companies just don't think it's profitable to do so when the penalty for losing a persons info is nothing more than a press release.

    3. Re:DoB, SSN & Filing Status?? by ShanghaiBill · · Score: 4, Insightful

      No-one should have your SSN beyond the government.

      That is silly. The original point of SSNs was so that employers could use them to identify workers when paying social security taxes to the government. So, obviously, your employer needs to know it.

      We need to get away from the ridiculous idea that something can be both widely known and secret. SSNs should only be used for identification, and should never be used for authentication. We should have a separate system for that.

  2. Mad Lib by Voyager529 · · Score: 4, Insightful

    [NEWS_OUTLET] reports that an online service provided by [ORGANIZATION_WITH_PERSONAL_DATA] was used to gather the personal information of [CUSTOMERS_OR_USERS]. Criminals were able to scrape [INSECURE_SYSTEM] to acquire [SUPPOSEDLY_SECURED_INFORMATION]. The system has been shut down while [OVERPAID_AND_INCOMPETENT_ANALYSTS] investigate and [PROMISE], and they're notifying [CUSTOMERS_OR_USERS] whose information was accessed.

    At this point, you can turn this story into a Mad Lib, and fill in the blanks with basically any set of nouns, and it'll mostly be true.

  3. Yeah by Anonymous Coward · · Score: 5, Interesting

    The existence of this system was reported previously on slashdot, and people were recommending that you sign up before a criminal signs up in your name. That way you can protect the account with your own strong password.

    Which is exactly what I did. And I am now quite happy I did. And I don't mind a bit that they shut it down anyway.

    1. Re:Yeah by ChromaticDragon · · Score: 5, Interesting

      So did I.

      But then I stopped and thought a bit about the concept of Testing for Success vs. Testing for Failure. The former is weak testing... lazy testing. It WORKS. That's nice... But does it fail as it should? Have you tested when and how it fails? Do you know the limits?

      So... I decided to act as an identify thief. As previously reported then and now, getting the credentials to sign up are easy. OK. But I had already signed up. So that'd protect me, right?

      NOT AT ALL.

      It was trivially easy to sign up again. Oh sure, an email gets sent to the first email address set up. But this leads to one of two situations. First, the proper user doesn't check his email for a while. Then whatever the thief is going to do they can do. Second, the proper users finds out immediately and gets on and takes it back over. All good? Comically, no. Believe it or not (and I was really stunned at this part) the webapp doesn't force logout the identity thief when the proper user reregisters.

      I was a tad sickened at this point.

      As far as I could tell, this was utterly and completely insecure. The only way for an "average joe" to protect themself here was to sign up and then freeze credit completely at all the credit bureaus. Supposedly (haven't finished this part yet) once you do that, the 20-question stuff will IMMEDIATELY fail and anything like this IRS.GOV site that depends on it will also fail.

      Oh... but it was rather interesting to see what the IRS had stored on me... and what they didn't have. It was somewhat perplexing.

  4. Last Straw by frovingslosh · · Score: 5, Funny

    That does it. I'm going to quit giving them my business.

    --
    I'm an American. I love this country and the freedoms that we used to have.