Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System (csoonline.com)
itwbennett writes: In January attackers targeted an IRS Web application in an attempt to obtain E-file PINs corresponding to 464,000 previously stolen social security numbers (SSNs) and other taxpayer data. The automated bot was blocked by the IRS after obtaining 100,000 PINs. The IRS said in a statement Tuesday that the SSNs were not stolen from the agency and that the agency would be notifying affected taxpayers.
with ten-thousand 4-digit PINs. Interested?
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
I'm pretty sure I forgot my e-file pin, it would be ever so helpful if the hackers would offer to sell it to me for a reasonable fee so I wouldn't have to go through the bother of a reset.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Would love to be hacked and have someone pay my back taxes for me!
love is just extroverted narcissism
Since when do systems allow brute-force attacks on PIN numbers? Many systems have been locking out (or slowing down) logins after a certain number of failed attempts for a long time now. While this allows for denial-of-service attacks, it seems better than allowing a bot to try 1000 passwords per second until it succeeds.
Have you read my blog lately?
This is why you do your taxes early and often.
What else is new?
That's probably why the IRS sent me a letter with my 2014 IP PIN and a follow-up letter that I should use my 2014 IP PIN for filing my taxes. Filed my taxes through H&R Block and my return got accepted yesterday.
Because the IRS can't or won't.
Just remember folks, these are the same people in charge of your healthcare now.
Why we trust these people with our lives is beyond me. And why are systems so dependent upon stupid things like PINs for security?
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The IRS really should assign everyone PINs or, preferably, better security. There's no good reason that additional security is restricted to people in Georgia, Florida, or those who have suffered tax-related identity theft. Also, why not simply maintain a registry of public keys for individuals? Require tax returns to be filed electronically and digitally sign them using the private key of individuals. As long as people don't allow anyone access to their private keys, this could prevent a lot of the problem. Why we're still using SSNs for identity information in the 21st century is beyond me. They were supposed to serve one purpose and one purpose only -- an identifier to track people's contributions to social security.
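One way the public-key registry suggested in the post above could work, as an added example in Go (it is not the poster's design and not anything the IRS runs): the agency keeps a map from an opaque filer id to an enrolled Ed25519 public key, the taxpayer signs the serialised return with the private half, and the agency verifies the signature against the key enrolled for the filer id named inside the payload. The filer id, the JSON layout of the return, and the error names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Return is the constructed payload a taxpayer signs. encoding/json emits struct fields in
// declaration order, so filer and agency serialise identical bytes.
type Return struct {
	FilerID     string `json:"filer_id"` // an opaque id assigned at enrollment, not the SSN
	TaxYear     int    `json:"tax_year"`
	RefundCents int64  `json:"refund_cents"`
}

// SignedReturn is what the filer submits: the serialised return plus its Ed25519 signature.
type SignedReturn struct {
	Payload   []byte
	Signature []byte
}

// Registry is the agency-side map from filer id to enrolled public key.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

var (
	ErrAlreadyEnrolled = errors.New("filer already has a key; rotation needs its own authenticated flow")
	ErrUnknownFiler    = errors.New("no key enrolled for this filer")
	ErrBadSignature    = errors.New("signature does not verify against the enrolled key")
)

// Enroll records a public key for a filer. Only the public half is ever sent to the agency.
func (r *Registry) Enroll(filerID string, pub ed25519.PublicKey) error {
	if _, dup := r.keys[filerID]; dup {
		return ErrAlreadyEnrolled
	}
	r.keys[filerID] = pub
	return nil
}

// NewFilerKey generates the key pair on the taxpayer's own device at enrollment time.
func NewFilerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign runs on the taxpayer's machine with the private key that never leaves it.
func Sign(ret Return, priv ed25519.PrivateKey) (SignedReturn, error) {
	payload, err := json.Marshal(ret)
	if err != nil {
		return SignedReturn{}, err
	}
	return SignedReturn{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs at the agency. The key is looked up by the filer id inside the signed payload,
// so a return signed with some other enrolled key is rejected even though that signature is
// valid for its own key: the signature binds the content to the claimed filer.
func (r *Registry) Verify(sr SignedReturn) (Return, error) {
	var ret Return
	if err := json.Unmarshal(sr.Payload, &ret); err != nil {
		return Return{}, err
	}
	pub, ok := r.keys[ret.FilerID]
	if !ok {
		return Return{}, ErrUnknownFiler
	}
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return Return{}, ErrBadSignature
	}
	return ret, nil
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := NewFilerKey()
	_ = reg.Enroll("filer-0001", pub)
	sr, _ := Sign(Return{FilerID: "filer-0001", TaxYear: 2015, RefundCents: 50000}, priv)
	_, err := reg.Verify(sr)
	fmt.Println("genuine return:", err) // <nil>
	// Someone holding the filer's SSN and other personal data, but not the private key,
	// cannot produce a valid signature over a changed refund amount.
	tampered := SignedReturn{Signature: sr.Signature, Payload: bytes.Replace(sr.Payload,
		[]byte(`"refund_cents":50000`), []byte(`"refund_cents":5000000`), 1)}
	_, err = reg.Verify(tampered)
	fmt.Println("tampered return:", err) // signature does not verify against the enrolled key
}
```

Two caveats follow from the code itself: the scheme is only as strong as the enrollment step that binds a key to a person (which is exactly the identity problem the SSN was being misused for), and, as the post says, as the protection of the private key on the taxpayer's device.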
I hate all anonymous shitbags. Log in, you filthy bastards.
You guys are really taking so much time separating internet A and internet B from the current internet. The difference between A and B is, if You access the one that You can't access for doing bad stuff... You die and go to Hades. hehehe.
I've been doing electronic tax filing since the days of yore, even back when the tax software was generating a special machine-readable "1040PC" form with all your data on one page. If I remember correctly, the PIN was supposed to be a replacement for your physical signature on the return, since the rules say you need to certify that you are submitting a true return and acknowledge the penalties for not doing so. So, I'm not sure it was a secret PIN in that sense.
BUT -- these e-filing services shouldn't be so insecure that someone can just sniff traffic and collect the PINs. I always assumed that it worked something like this -- IRS hands out TLS certificate to "authorized e-file providers" who operate the tax payment gateways and communicate the return data from the program, to the gateway, to the IRS. Hopefully they're not just FTPing the data around :)
...and the government wants to move to e-records for your healthcare. So far I've been compromised with the Target breach, the Home Depot breach, the TMobile Experian breach. The government has been breached many times including this one to the tune of millions of people. You have to assume that your information is out there already. I'm not keen on moving to those electronic health records...
Seeing this makes me wonder if this was the real reason for the IRS ceasing to accept electronically filed returns last week. No mention of it in TFA, but the Christian Science Monitor was a bit cynical when reporting "Tax filing halted by IRS computer outage. Will refunds be delayed?" by putting quotes around the "hardware failure".
A "hardware failure" forced the shutdown of several tax processing systems, including the e-file system, the IRS said in a statement.
whereas the actual IRS statement was (in the same article)
The IRS experienced a hardware failure this afternoon affecting a number of tax processing systems, which are currently unavailable. Several of our systems are not currently operating, including our modernized e-file system and a number of other related systems. The IRS is currently in the process of making repairs and working to restore normal operations as soon as possible. We anticipate some of the systems will remain unavailable until tomorrow.
I am Slashdot. Are you Slashdot as well?
The app requires taxpayer information such as name, Social Security number, date of birth and full address.
It was not brute force. They had a lot more information about the person to get the PIN.
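The two observations made in this thread, that a lookup endpoint should have locked out a bot long before its thousandth attempt, and that this bot was not guessing but submitting already-correct data for hundreds of thousands of different people, call for two different controls. The Go program below is an added example, not IRS code and not from the article: a guard that applies a per-account failure lockout (which stops PIN guessing) and a per-client distinct-account velocity limit (which is what catches a client that gets every lookup right on the first try), replayed over a constructed log. The log format, client addresses, account handles and the deliberately tiny thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy holds the two thresholds the guard enforces.
type Policy struct {
	MaxFailuresPerAccount int           // wrong guesses against one account before it locks
	MaxAccountsPerClient  int           // distinct accounts one client may touch before it is throttled
	Window                time.Duration // sliding window for both counters
}

// DefaultPolicy's values are assumptions, kept tiny so the sample log below trips both limits.
var DefaultPolicy = Policy{MaxFailuresPerAccount: 2, MaxAccountsPerClient: 2, Window: 10 * time.Minute}

const (
	Allow    = "allow"
	Locked   = "locked"   // too many recent failures on this account
	Throttle = "throttle" // this client is walking through too many accounts
)

// Event is one lookup attempt: Client is the source (IP, API key); Account is an opaque handle, never a raw SSN.
type Event struct {
	At              time.Time
	Client, Account string
	Success         bool
}

type Guard struct {
	policy   Policy
	failures map[string][]time.Time          // account -> recent failure times
	accounts map[string]map[string]time.Time // client -> account -> last time seen
}

// Evaluate decides whether an attempt may proceed; it records the attempt only when allowed.
func (g *Guard) Evaluate(ev Event) string {
	cutoff := ev.At.Add(-g.policy.Window)
	// Per-account lockout: the classic defence against guessing one account's PIN.
	recent := g.failures[ev.Account][:0]
	for _, t := range g.failures[ev.Account] {
		if t.After(cutoff) {
			recent = append(recent, t)
		}
	}
	g.failures[ev.Account] = recent
	if len(recent) >= g.policy.MaxFailuresPerAccount {
		return Locked
	}
	// Per-client velocity: correct data means one successful lookup per account and no lockout,
	// so count the distinct accounts each client has touched inside the window instead.
	seen := g.accounts[ev.Client]
	if seen == nil {
		seen = map[string]time.Time{}
		g.accounts[ev.Client] = seen
	}
	for acct, t := range seen {
		if !t.After(cutoff) {
			delete(seen, acct)
		}
	}
	if _, known := seen[ev.Account]; !known && len(seen) >= g.policy.MaxAccountsPerClient {
		return Throttle
	}
	seen[ev.Account] = ev.At
	if !ev.Success {
		g.failures[ev.Account] = append(g.failures[ev.Account], ev.At)
	}
	return Allow
}

// ParseLine reads one line of the constructed format "<RFC3339> client=<id> acct=<handle> ok=<bool>".
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[1], "client=") || !strings.HasPrefix(f[2], "acct=") {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	return Event{At: at, Client: f[1][7:], Account: f[2][5:], Success: f[3] == "ok=true"}, err
}

// Replay feeds a log through a fresh guard and tallies its decisions.
func Replay(log string, p Policy) (map[string]int, error) {
	g, tally := &Guard{p, map[string][]time.Time{}, map[string]map[string]time.Time{}}, map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		tally[g.Evaluate(ev)]++
	}
	return tally, nil
}

// SampleLog is constructed: one client guessing at a single account, one client walking
// through three accounts with correct data, and one ordinary user.
const SampleLog = `
2016-01-05T10:00:00Z client=198.51.100.9 acct=a1 ok=false
2016-01-05T10:00:01Z client=198.51.100.9 acct=a1 ok=false
2016-01-05T10:00:02Z client=198.51.100.9 acct=a1 ok=false
2016-01-05T10:01:00Z client=203.0.113.7 acct=b1 ok=true
2016-01-05T10:01:01Z client=203.0.113.7 acct=b2 ok=true
2016-01-05T10:01:02Z client=203.0.113.7 acct=b3 ok=true
2016-01-05T10:02:00Z client=192.0.2.44 acct=c1 ok=true`

func main() { fmt.Println(Replay(SampleLog, DefaultPolicy)) } // map[allow:5 locked:1 throttle:1] <nil>
```

The point of the replay is that the per-account lockout never fires for the second client: every one of its lookups succeeds, so only the distinct-account count per source catches it. A denied attempt is deliberately not recorded, so a throttled client cannot learn anything from the guard's own state.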
Am I missing something here? What is the risk in someone having my SSN and e-file PIN? Are they going to file my taxes for me? Even if they file a fraudulent return and the IRS cuts a check to the bad guy, I'm not seeing any liability for me.
I had my SSN stolen and used once for illegal employment. I only found out when the IRS contacted me and asked why I hadn't filed my "other" W-2. It was pretty clear that I wasn't simultaneously working two full time jobs, and they quickly marked the other W-2 as fraudulent and moved on.
Okay, I find it funny that the IRS is reassuring people that SSNs were not stolen from them. Not sure it matters; the SSNs were already stolen. All they wanted was the PINs and, hey, 25% isn't bad. Still worth a fortune. Wonder if data would be safer being sent by carrier pigeon. All these data breaches recently: FBI, CIA and the IRS.
"Imagination is more important than knowledge" - Einstein
"Not stolen from the agency."
Thieves' Computer: Is this a valid pin?
IRS' Computer: Nope
Thieves' Computer: Is this a valid pin?
IRS' Computer: Nope
Thieves' Computer: Is this a valid pin?
IRS' Computer: (Smirks and looks away) Nope!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
All a PIN does is act as a proxy for an ink signature, an issue that the government hasn't been able to figure out yet.
Everyone who gets a letter from the IRS saying their SSN was compromised needs to sue the government.
See subject & this http://slashdot.org/comments.p... - taste of FOOT in yer MOUTH washed down w/ the bitter taste of SELF-defeat perhaps?
LMAO - Absolutely!
* :)
(You did it to yourself... nobody else!)
APK
P.S.=> You're ridiculously easy to see thru so another question I have of you is this:
Question = WHAT IS YOUR FAVORITE COLOR?
Answer = TRANSPARENT... apk
Wow, they must be as incompetent as the ignoramus at BIZX who thought buying Slashshit and SourceFuck was a good idea.
I've been claiming 0 on my taxes so that I get a big refund. The logic is that it's easier for me to put away $3k in one day than $115.0684931506849 every two weeks. I'm also quick to file my taxes because I want my money. For years this has worked well, but now I think I should rethink my strategy.
"you are stealing other people's work in your code" - by Coren22 (1625475)
I don't steal (you project YOU do). I write my own code (you don't) & use public data to protect + speed up users.
---
"You have yet to submit to a code review from anyone but your friend. No, I don't trust that" - by Coren22 (1625475)
A seasoned security pro & competent coder reviewed my work as safe & IT'S WHAT HE DOES (unlike you). He can't "play friends": It's his site & reputation.
---
"You are terrified someone will steal your software if you publish the source code." - by Coren22 (1625475)
I don't give source away W/ GOOD REASON (Google's mistake w/ CHROME) -> http://it.slashdot.org/story/1...
---
"You have yet to address the issue of name resolution performance of anything not found in your hosts file. This is a serious issue when the hosts file is so large" - by Coren22 (1625475)
Placing users' FAVORITE SITES where they spend 95++% of their time online @ TOP of hosts files cached in LOCAL RAM gets them to sites FASTER & MORE RELIABLY than a more-than-potentially REDIRECT POISONED DNS SERVER (99.999% of ISP DNS aren't patched vs. the kaminsky flaw, or DNS amp attacks).
---
"DNS outperforms your hosts file solution several fold" - by Coren22 (1625475)
No it doesn't (see above) - & DNS outperforms hosts in GOING DOWN (does a lot) OR poisoning users via redirect poisonings (DNS amp attacks = another).
---
"so why not just run your own DNS server? Oh, resources eh?" - by Coren22 (1625475)
More resource consumption + moving parts complexity + POWER USE doesn't = a GOOD solution vs. hosts by using redirect poisoning/DNS amp attack exploitable DNS w/ only a few systems @ home.
---
"But you have no problem running 100k copies of the hosts file in a domain" - by Coren22 (1625475)
It works easily migrated by central admins via scripts or cronjobs/scheduled tasks w/ less moving parts complexity, room for exploit & breakdown, OR power usage.
APK
P.S.=> You FAIL menial... apk
"the secretary at MalwareBytes took a look at his source code and said it looked all good to them" - by Coren22 (1625475) on Wednesday November 18, 2015
My code went thru verification by Mr. Steven Burn of Malwarebytes' hpHosts
hpHosts Site Admin Mr. Steven Burn quoted:
"I've been asked to further clarify so for the record yes I've seen the code, and yes, it is safe."
FROM http://forum.hosts-file.net/vi...
(On my latest 9.0++ code engine above & from past versions -> http://slashdot.org/comments.p... )
A competent coder & BEST security researcher I know of FROM THE BEST ANTIMALWARE THERE IS http://www.av-test.org/en/news...
NOT a secretary!
I don't give away work to be stolen OR misused like GOOGLE CHROME http://it.slashdot.org/story/1...
---
"won't demonstrate security of his product by exposing the source" - by Coren22 (1625475) on Wednesday November 18, 2015
Bullshit: 62 reputable sources + /. users say different:
Safe by 57 antivirus programs in 64-bit model https://www.virustotal.com/en/...
+
the 32-bit model https://www.virustotal.com/en/...
&
Per VirScan (installer too)-> http://f.virscan.org/APKHostsF...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
APK
P.S.=> Eat your words, scumbag:
Tell us about AD + DNS too while you're @ it & how you said I said not to run DNS when I use it myself & said to NOT use external to network DNS with AD http://slashdot.org/comments.p...
OR
About how my program NEEDS admin privilege to update too (& it doesn't http://slashdot.org/comments.p... )
LOL... fool - 'eat your words' on ALL those accounts chump!
... apk
How is it that these people don't get tracked?
Require refunds to go to a domestic bank with an account name matching the name on the return. Better yet, require refunds to be processed through the employer who collected the taxes in the first place if the taxpayer is still employed there.
"The community says, in a fairly loud voice, that we do not want to see your advertisements. People with mod points use them to deal with your malicious behavior" - by amicusNYCL (1538833) on Monday January 25, 2016 @04:01PM (#51368907)
/. users, not almostalladsblocked shill sockpuppets, say different LOUDER:
"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)
"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)
"APK is kinda right. I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)
"APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context" - by chihowa (366380) on Saturday May 16, 2015 @11:40AM (#49705641)
"his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" - by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)
"I find your hosts file admirable." - by vel-ex-tech (4337079) on Tuesday November 24, 2015 @10:27PM (#50999097)
"APK isn't wrong" - by cfalcon (779563) on Sunday October 04, 2015 @05:11PM (#50657891)
"No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free." - by aaaaaaargh! (1150173) on Tuesday November 17, 2015 @09:31AM (#50947415)
* Want more?
APK
P.S.=> Which of these are you representing:
1.) Advertiser
2.) Webmaster
3.) Inferior competitor
4.) Malware maker/Botnet herder
(/. users like my program. It gives more speed, security, reliability & anonymity - enumerated list above doesn't)
... apk
You also ran when asked a simple question here too http://slashdot.org/comments.p...
"The community says, in a fairly loud voice, that we do not want to see your advertisements. People with mod points use them to deal with your malicious behavior" - by amicusNYCL (1538833) on Monday January 25, 2016 @04:01PM (#51368907)
Real /. users not almostalladsblocked shill/sockpuppets say different LOUDER:
"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)
"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)
"APK is kinda right. I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)
"APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context" - by chihowa (366380) on Saturday May 16, 2015 @11:40AM (#49705641)
"his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" - by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)
"I find your hosts file admirable." - by vel-ex-tech (4337079) on Tuesday November 24, 2015 @10:27PM (#50999097)
"APK isn't wrong" - by cfalcon (779563) on Sunday October 04, 2015 @05:11PM (#50657891)
"No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free." - by aaaaaaargh! (1150173) on Tuesday November 17, 2015 @09:31AM (#50947415)
* Want more?
APK
P.S.=> Which of these are you representing:
1.) Advertiser
2.) Webmaster
3.) Inferior competitor
4.) Malware maker/Botnet herder
(/. users like my program giving 'em more speed/security/reliability & anonymity - enumerated list above doesn't)
... apk
APK, the things that you do or say to me (or, for that matter, what any bipolar sociopath has to say) don't affect me, other than as a source of entertainment and possibly pity. Go ahead, let's hear again how nothing that I can do will affect you, because from what I hear you're about to see the effects. Slashdot is about to speak in a loud voice that your trollish shit is not welcome. It's a long time coming, and I will have zero sympathy for you when you're gone. You contribute nothing of value to this site, regardless of what you want to believe. In the past you had the opportunity to actually form some sort of small following here, but you completely squandered that opportunity by shitting all over the site at every available opportunity. There's no one who constantly says that you're a bad programmer, your ideas are wrong, etc, everyone always talks shit about your ridiculous behavior. Trying to bitch and moan about people wanting to silence your ideas is complete bullshit, the only thing that needs silencing is your constant flood of crap that contributes nothing. You're not being persecuted like some martyr, you're being blocked for being an abuser. That's what you are, an abuser. You're not some sympathetic persecuted martyr figure, you're just a troll, and you're about to add Slashdot to the long list of technical discussion sites where you are persona non grata. Think about what that says, is it more likely that there are all of these websites out there that have it wrong, or is it more likely that you're just an asshole? What's the simplest explanation for the fact that you are banned from so many discussion sites? You had an opportunity to gain a following with the substance of your posts, but that ship has sailed. At this point you are nothing but a minor nuisance just waiting to get squished by the inevitable shoe. 
Good riddance, I'll admit that I'll miss the entertainment value of the absurdity of some of your insults and claims, but I'm really not going to miss you. I'll be happy to continue to contact the site owners to let them know how I believe they can improve their service by way of removing you from it. You are determined to be a pain in the ass, so don't be surprised when you're treated like one. And don't try to pull the victim card either like a little bitch, you made your bed and now you get to lie in it. And I know you understand what it means to lie. What's the first rule when dealing with a spammer?
Adios, trollchacho.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
See subject: BIG "courageous troll" that you are, lol... no balls is more like it (or hiding things about yourself).
* Me, by way of comparison? I don't - I take the risk of putting MYSELF out there, you don't (you don't have ANYTHING worth championing of your OWN is why, lol).
OTHER REAL /. USERS MADE YOU EAT YOUR WORDS CHUMP http://slashdot.org/comments.p...
(Want more than those alone? Ask - I've got 'em... )
APK
P.S.=> So STFU "Mr. TRULY ANONYMOUS NOBODY", ok? Your own bogus practices defeat you and SO DID I MAKING YOU EAT YOUR WORDS http://slashdot.org/comments.p...
If apk doesn't affect you adversely why reply? You give away he does. You did it to yourself. Apk used facts you can't beat in slashdot users saying they like his posts http://slashdot.org/comments.p...
I like how you talk about the "risk of putting yourself out there", and then immediately follow that up 6 minutes later with a post where you act like you're someone else. Posts # 51500355 and 51500369 - 14 posts on Slashdot on Saturday morning and one of them just happened to be an anonymous supporter of yourself, and you still think that no one knows it's you. You're either a world-class hypocrite, or you are actually so bipolar that you really do think you're someone else. Maybe that's another personality shining through, I don't know. Either way, I'm done with you.
amicusnycl makes accusations he can't back behind his fake name online too. Courageous and accomplished he is (not) who likes eating his words vs. apk http://slashdot.org/comments.p... so answer the question in the subject sock puppet of life.