The Green Sheet Online Edition
June 08, 2015 • Issue 15:06:01
Threat indices rise as 'fullz' rush in to IRS site
The Internal Revenue Service confirmed reports of a wide-scale attack on one of its web portals, describing the incident as "a sophisticated effort" involving "unauthorized access" to numerous taxpayer accounts. The agency did not directly refer to it as a security breach. A statement issued May 26, 2015, indicated identity thieves had used the Get Transcript web portal to obtain approximately 100,000 consumer records, initiating an estimated 15,000 fraudulent tax refunds.
The Get Transcript portal is temporarily closed pending oversight by the IRS Criminal Investigation unit and Treasury Inspector General for Tax Administration. The IRS reported it will notify about 200,000 taxpayers whose accounts were targeted by criminals, including the 50 percent whose accounts were not compromised because the attempted break-ins failed to authenticate.
The IRS stated it will offer free credit monitoring services to approximately 100,000 taxpayers whose Get Transcript accounts were illegally accessed, "to ensure this information isn't being used through other financial avenues."
Analysts have speculated that unusual activities in the Get Transcript portal began as far back as February 2015. However, the IRS detected no unlawful activities in its main computer system, which handles tax filing submissions. At a May 26 press briefing, IRS Commissioner John Koskinen claimed the IRS security infrastructure is essentially intact. "This is not a hack or data breach," he said. "These are impostors pretending to be someone."
Big data, big crime
In his book Future Crimes, Global Security Adviser and Futurist Marc Goodman wrote that nearly 20 percent of U.S. and European consumers have been victims of identity theft.
"These stolen identities are often referred to as 'fullz' by hackers and contain names, addresses, Social Security numbers, dates of birth, workplaces, bank account numbers, bank routing numbers, state driver's license numbers, mother's maiden names, e-mail addresses, and additional online account names and passwords," he wrote.
Goodman went on to predict that tax refund identity theft will cost the IRS as much as $21 billion over the next five years, "all because we're leaking massive amounts of data from deeply insecure systems that can easily be traded at tremendous profit on the Dark Net."
Security analysts are concerned by the scope and sophistication of recent cyber security attacks, which have enabled criminals to leverage stolen personally identifiable information to gain access to consumers' financial assets and identities.
The IRS revealed that criminals were able to answer personal identity verification questions that are typically known only to taxpayers. "In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," it stated.
Senate Finance Committee wants answers
Government leaders have been critical of the IRS' attempts to downplay the seriousness of the situation. In a letter to IRS Commissioner John Koskinen dated May 27, Senator Orrin G. Hatch, Chairman of the Senate Committee on Finance, referred to the IRS incident as a data security breach, stating that his committee "has an obligation to ensure that proper protections are in place and that such a breach is less likely in the future."
Hatch also noted a separate investigation initiated by the committee in April into stolen identity refund fraud. He described it as a key concern highlighted by the recent IRS breach. He believes it is critically important for the committee to fully understand what took place and what appropriate legislative responses may be required to reduce the risk of recurrence.
Hatch wrote, "To this end, I ask that you provide my Committee staff with a confidential briefing by no later than June 5, 2015." The briefing would cover the following questions:
- When did the breach occur?
- When did the agency learn of the breach, and how did it become aware?
- What information allowed the hackers to obtain access, and what is the agency's understanding of how the attackers gained this information?
- Is the agency working to cross-reference the stolen identities used in this attack with identities compromised in recent breaches of other organizations?
- To what information did the attackers gain access? Does your agency know the extent to which the attacks were successful for each identity?
- Does the agency have information indicating the geographic source of the attack?
- To the best of your knowledge, have the attackers subsequently used the taxpayer information obtained in this breach? Press reports indicate that about 15,000 refunds were claimed subsequent to this attack. Is this correct?
- Describe the agency's coordination with other federal departments. Has the agency requested assistance or information from other federal departments, and if so, has it received that assistance or information?
Federal departments referenced in Hatch's letter may include the Cyber Threat Intelligence Integration Center, which monitors foreign cyber threats, and the Department of Commerce's National Institute of Standards and Technology, a consortium of technology experts committed to enhancing critical security infrastructure.