IRS Gets Hacked Again, Forced To Scrap Their Entire PIN System (engadget.com)
The IRS has abandoned a system of PIN numbers used when filing tax returns online after they detected "automated attacks taking place at an increasing frequency," adding that only "a small number" of taxpayers were affected. An anonymous reader quotes the highlights from Engadget:
The IRS chose not to kill the tool back in February, since most commercial tax software products use it... If you'll recall, identity thieves used malware to steal taxpayers' info from other websites, which was then used to generate 100,000 PINs, back in February... This time, the IRS detected "automated attacks taking place at an increasing frequency" thanks to the additional defenses it added after that initial hack... the agency determined that it would be safer to give up on a verification method that's scheduled for the chopping block anyway.
Some neck beard has to make a comment about PIN numbers!
I've always been curious about the epithet. People have beards just on their necks? That's odd, but why should we care?
It's like "mouth breather"-- we care about whether people breathe through their nose or their mouth or both? Why?
All this crap just because tax preparation companies throw lobbying money to keep the current system. Most Americans would not need to actually file for taxes, the IRS already has all the data it needs, but noooo we have to keep an obsolete industry going no matter the cost...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
> Just lock down an account if too many wrong PINS are used
The bad guys don't care which account they access. Suppose you limit it to four tries at a PIN. The bad guys try 250 accounts with four PINs each, not one account with a thousand PINs.
Locking out the account rather than the attacker is just DOSing yourself. I like to call this the Broken MS Windows fallacy, because Windows does it.
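The point made in the comment above, as an added example that is not part of the original thread: a per-account lockout never refuses a guess when the guesses are spread across accounts, and it ends up locking out the account owners instead, while grouping failures by source exposes the pattern. The event format, addresses, account names and the 10-account alert threshold are constructed assumptions.

```python
from collections import defaultdict

MAX_TRIES = 4              # the "four tries at a PIN" limit from the comment
MAX_ACCOUNTS_PER_SRC = 10  # assumed alert threshold, not from the thread

def sample_events():
    """Constructed log of (source, account, success) tuples, in time order."""
    spray = [("203.0.113.7", f"acct{n:03d}", False)
             for n in range(250) for _ in range(MAX_TRIES)]
    # An ordinary user who mistypes twice and then gets in.
    user = [("198.51.100.20", "acct900", False)] * 2
    user.append(("198.51.100.20", "acct900", True))
    return spray + user

def per_account_lockout(events, max_tries=MAX_TRIES):
    """Return (guesses the lockout refused, accounts left locked)."""
    failures = defaultdict(int)
    refused = 0
    for _src, acct, ok in events:
        if failures[acct] >= max_tries:
            refused += 1          # account already locked, attempt rejected
        elif ok:
            failures[acct] = 0    # a success resets the counter
        else:
            failures[acct] += 1
    locked = {a for a, n in failures.items() if n >= max_tries}
    return refused, locked

def spraying_sources(events, max_accounts=MAX_ACCOUNTS_PER_SRC):
    """Return {source: distinct accounts it failed against} above the threshold."""
    touched = defaultdict(set)
    for src, acct, ok in events:
        if not ok:
            touched[src].add(acct)
    return {s: len(a) for s, a in touched.items() if len(a) > max_accounts}

if __name__ == "__main__":
    events = sample_events()
    refused, locked = per_account_lockout(events)
    print("guesses refused by lockout:", refused)
    print("accounts locked out:", len(locked))
    print("sources flagged:", spraying_sources(events))
```

Source address is only one grouping key; the same counting works per session, client fingerprint or network block when the attempts come from many addresses.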
> This time, the IRS detected "automated attacks taking place at an increasing frequency" thanks to the additional defenses it added after that initial hack...
The IRS is not alone in this. After entities get hacked, they implement tighter detecting tools and sigh with the false comfort that they "are on top of things."
Look ...
If your storage building is being ransacked and you put up security cameras that show people breaking in, you have not actually SOLVED anything if the thefts continue.
It's not hard, folks: Get a goddam lock.
It little behooves the best of us to comment on the rest of us.
You have a quarter billion (more if you include business) tax returns, most PINs being the birth year of the individual (common practice amongst accountants) or something equally stupid (1234, 0000). Since it is only used once a year, most people don't use a custom PIN like a bank card.
Custom electronics and digital signage for your business: www.evcircuits.com
There are plenty of great second factor solutions. The better ones are really easy to use and provide a lot more security. But providers don't want to roll out fancy new technology, and users are blissfully unaware of how security works, so they want the same thing that they have had for the last couple of decades.
The upshot is that even when second factors are rolled out, we essentially end up with something no more secure than password and pin, whereas there are beautiful solutions such as FIDO U2F that are ignored.
> All this crap just because tax preparation companies throw lobbying money to keep the current system. Most Americans would not need to actually file for taxes, the IRS already has all the data it needs, but noooo we have to keep an obsolete industry going no matter the cost...
Donald Trump's position on tax reform eliminates much of the paperwork. If you're single and earn less than $25,000 or jointly earn less than $50,000 you pay no tax. Send in a single-page form and you're done.
There's not a lot of federal income to be had from low wage earners, so it makes perfect sense to eliminate the extra work on both sides. Also, poor people don't have to spend money on tax filing services (H&R Block, et al).
Poor people get to keep more of their money, the IRS has a lot less work to do (estimated 75 million households), and the federal government gets just as much revenue.
Hillary Clinton doesn't have a unified plan to reform tax reporting (posted on her website).
If you think this issue is important, elect Hillary and nothing will change.
Makes sense. The only reason I thought PIV would be easier is it's a US government standard in use at most or all federal agencies and works on Linux/Mac/Windows out of the box. Very likely the IRS agents and staff use PIV cards to authenticate to IRS systems and obtain physical access to IRS buildings.
https://www.fsf.org/associate/support_freedom
That's why I noted the other criteria (SSN, Name, etc).
In most companies, anyone who works in HR has access to name/SSN for all employees. Employees at hospitals and clinics have access to name/SSN of all patients. When I was in the military, my name/SSN was printed on hundreds of routine forms, often in triplicate. SSNs are not private information, and we shouldn't pretend that they are.
You'd better hope the US doesn't decay too much or too far. One of the hallmarks of failed republics is to become an aggressor-state to prop up the failing system, and Canada would be a tempting and convenient target for US annexation and subsequent plundering of its wealth and resources.
Hmm...No, I think we already have plenty of maple syrup.
The US has the very real potential to become the greatest threat to the world since Nazi Germany if it goes full-fascist/socialist-oligarchy, which is a distinct possibility if/when the US economy and currency collapses, particularly if there's a 'cult of personality' populist-demagogue type of leader like Trump in charge at the time.
That's quite an if. Europe is much closer to that than the US is. Hell, in the bigger EU nations some 25% of their voters vote for actual self proclaimed fascists. And for all of the things you can say about Trump, fascist just doesn't fit at all. Sure, he's a loudmouth blowhard, and some people think that makes him dangerous, but it really doesn't.
The IRS won't accept liability for its wrong actions on your behalf. If it calculates your taxes wrong, you're liable for the error and penalties related - even though they did the work (and yes, you can ask them to do your taxes for you).
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
We don't spend money defending Canada. The US does maintain radar installations to pick up Russian missiles streaking over the pole, but that's not for Canada's benefit. Canada doesn't spend much on its military because there isn't any need - they maintain friendly relations with the US and everybody else is too far away.
I would add it is a decision which could be revisited should conditions warrant. At the end of WW II Canada had the third most powerful navy in the world, behind the US and the UK.
That's because whenever a government agency decides to "save money" they do so in the dumbest possible way, which almost always costs them more later. Not that corporations never do this, but with government bureaucracies they seem to be a special kind of stupid.
> Some neck beard has to make a comment about PIN numbers!

No beard here, but I am a crypto/security type person.
The PIN codes are very low entropy. They don't give the option for a nice high-entropy long password that you can keep in your password manager. So it's no surprise that there are automated attacks.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
"Herp a Derp" yourself... The rich already pay more than 20% and the gardener pays zero. So what does the gardener care when his Congressman says he's going to raise taxes and increase spending? No skin off his back, right? Just tell Peter to steal from Paul...