Tag Archives: IRS

Security News Bites for the Week Ending July 31, 2020

Many Cyberspace Solarium Commission Recommendations Likely to Become Law

The Cyberspace Solarium Commission was a blue ribbon commission that made recommendations to Congress earlier this year on improving government cybersecurity. It appears that many of its recommendations are being added to the National Defense Authorization Act, the “must pass” bill that funds the military. President Trump has said that he will veto it because it directs the Pentagon to rename bases named after Confederate generals. Stay tuned; that sausage is still being made. If the recommendations do remain in the bill, that would be a great thing. Credit: CSO Online

Fintech “Dave” Exposed 7.5 Million Customers’ Data

Fintechs, those Internet firms that act as an intermediary between you and your financial institutions, are not regulated in the same way that, say, banks are. Fintech Dave (yes, that is their name) exposed data on 7.5 million customers as a result of a breach at one of their vendors. One more time, vendor cyber risk management is an issue, and Dave will wind up with the lawsuits and fines. While credit card data was not exposed, passwords, which were very weakly encrypted, were compromised. Credit: Dark Reading

IRS “Recommends” 2FA – Makes it Mandatory Next Year

The IRS is “recommending” that tax pros use multi-factor authentication, especially when working from home. They say that most of the data thefts reported to the IRS this year by tax pros could have been avoided if the victims had used multi-factor authentication. Starting in 2021, this will be mandatory for all providers of tax software. The IRS seems to recommend two-factor apps like Google Authenticator over SMS messages, which are easier to hack. Credit: Bleeping Computer

5G is Here – Sort Of

The article says “After years of hype, 5G making progress in the US”. While true, there is less to the statement than most people would like. Last week AT&T joined T-Mobile in claiming that they have deployed 5G nationwide. While this is a true statement, they are doing it using the low frequency band. They are doing this because they can cover the country with an order of magnitude fewer cell sites. Unfortunately, this also means that the speed you will see after you fork over a thousand bucks for a new 5G phone is basically the same as the speed you get today with your current phone, without spending the money on the new phone and new plan. For details, read the article in USA Today.

IRS Turns Off Data Retrieval Tool Due To Fraud

Anyone who has filled out the federal student financial aid form called FAFSA knows it is a pretty daunting task.

Well now it has become a bit more daunting.

Much like the problem the IRS had a few years ago with the tax transcript retrieval tool, where hackers used the tool to get enough information to file fraudulent tax refund claims, hackers were using the Data Retrieval Tool (DRT) to do the same thing.

Apparently, according to testimony by IRS commissioner John Koskinen earlier this week, the IRS noticed a spike in use of the tool where the student aid application was never finished.

The IRS told the Education Department that they would have to shut down the tool if there was any indication of criminal activity.

Last month the IRS acted and shut down the tool as millions of students apply for financial aid for the fall.

While they have not released the details of how the scam works, I gather you start a financial aid application as if you were a new student and, once you get to the point where the tool imports the tax data into the application, you stop and use that data to file a fraudulent tax refund claim.
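The tell Koskinen described, a spike in tool sessions that import tax data and are never finished, is something the operator of such a tool can watch for in its own logs. The following is an added example, not code from the IRS or from the original post: it computes the daily import-then-abandon rate over constructed session records and flags days that run far above a baseline (the log format, field names, dates and thresholds are all assumptions).

```python
from collections import defaultdict

# Constructed DRT session records (not real IRS data): day, session id,
# whether tax data was imported into the aid form, whether the form was submitted.
SESSION_LOG = """\
2017-01-09,s01,1,1
2017-01-09,s02,1,1
2017-01-09,s03,1,0
2017-01-10,s04,1,1
2017-01-10,s05,1,1
2017-01-10,s06,0,0
2017-01-11,s07,1,1
2017-01-11,s08,1,1
2017-01-11,s09,1,1
2017-01-12,s10,1,0
2017-01-12,s11,1,0
2017-01-12,s12,1,0
2017-01-12,s13,1,1
"""

def parse_log(text):
    """Turn the CSV lines into dicts with boolean import/submit flags."""
    rows = []
    for line in text.strip().splitlines():
        day, sid, imported, submitted = line.split(",")
        rows.append({"day": day, "sid": sid, "imported": imported == "1", "submitted": submitted == "1"})
    return rows

def daily_abandon_rate(rows):
    """Per day: fraction of sessions that pulled tax data but never finished the application."""
    imported, abandoned = defaultdict(int), defaultdict(int)
    for r in rows:
        if r["imported"]:
            imported[r["day"]] += 1
            if not r["submitted"]:
                abandoned[r["day"]] += 1
    return {d: abandoned[d] / imported[d] for d in imported}

def flag_spike_days(rates, baseline_days, factor=3.0, min_rate=0.2):
    """Flag days whose import-then-abandon rate is far above the baseline days' average.
    min_rate keeps a near-zero baseline from flagging ordinary noise."""
    baseline = sum(rates.get(d, 0.0) for d in baseline_days) / len(baseline_days)
    cutoff = max(min_rate, factor * baseline)
    return sorted(d for d in rates if d not in baseline_days and rates[d] >= cutoff)

def suspicious_sessions(rows, spike_days):
    """Sessions on flagged days that imported data and then stopped: the ones worth reviewing."""
    return [r["sid"] for r in rows if r["day"] in spike_days and r["imported"] and not r["submitted"]]
```

With the constructed data, the three baseline days average about 11% abandonment and 2017-01-12 runs at 75%, so that day and its three abandoned sessions are flagged for review.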

For students, not having the tool means that they have to find last year’s tax return for themselves (if they have one) and for their parents and enter the data manually. Technically, not the end of the world, but it makes things a little more difficult.

And difficulty – or the opposite of that, simplicity – is the crux of the problem.

How does the IRS know that Joe, posing as a student applying for financial aid, is really Joe?

This is the same problem that EVERY company that allows users to interact with it on the Internet deals with every day. How does your bank know that you are you? Or a department store? Sure, you know your Social Security Number and birth date, but that data is not hard to find. HOW DO YOU KNOW THAT JOE IS REALLY JOE? That is not easy to do.

Because, at the root of this question is that old mantra: “SECURITY. CONVENIENCE. PICK ONE.” If you make it hard for people to use the system, people complain. If you make it easy to use, then it may well be insecure.

In this case, 100,000 taxpayers will be receiving a letter from the IRS.  “Dear Taxpayer, sorry, your tax data has been hacked.”  Not a letter anyone wants to get.

On a scale that only the government can appreciate, the IRS says that ONLY 30 million dollars in fraudulent refunds were granted before the tool was shut down. The only good news is that the IRS was able to stop another 14,000 refunds from going out.

They plan to turn the tool on once they figure out how to make it harder for hackers to abuse, but I am skeptical that they can actually do that and still make it usable by students.  We shall see what they do.  AND, what the hackers do.


Information for this post came from Pymnts.com.

IRS Breach Grows – Do They Really Know The Answer?

The AP is reporting that the IRS didn’t really know how many taxpayers had their information stolen by hackers who used the Get Transcript web site.

Originally, the IRS said that hackers tried to get information for about 200,000 taxpayers and were successful in getting information for 100,000 of them.  Originally, they said the hack started in February.

Now they are saying the hack started in November and the hackers attempted to get information for over 600,000 taxpayers and were successful for over 300,000 taxpayers.

That means that they were off by a factor of 3 in how many taxpayers had their data stolen.  That is a big discrepancy.

The fact that they did not know when the hack started, or how many records the hackers attempted to get and succeeded at getting, is not a big surprise. While we can point to antiquated systems in the government (the IRS has been trying to “modernize” its systems, unsuccessfully, for years), many private businesses are in the same boat.

Even private businesses that don’t have antiquated systems often don’t log all of the information necessary to answer those questions. And, if they do, they often don’t keep the data long enough to still have it around when the breach is discovered. The issue is usually cost.

The specifics of what happened come down to the balancing act that every organization has to deal with – CONVENIENCE OR SECURITY.

The IRS, like lots of organizations, opted for convenience.

All that was required to get a copy of your tax return “transcript” (the data on your return) was a few bits of supposedly private information – birthdate, the amount of your income from last year – things like that.

With all the breaches in the last few years, that supposedly private information is no longer private.

Any company that assumes that this sort of “out of wallet” information is really private is playing Russian roulette.

After the breach became public, the IRS shut down the web site.  Sort of like closing the barn door after ….

The convenience vs. security aspect comes from the fact that you are trying to make things easy for your customer.  In the case of the IRS, the customer is the taxpayer, the convenience is making it easy to get a copy of your tax return.

Web site password resets are an example of this in the private sector.  To make it convenient when customers forget their passwords, web sites often give you a link that you can click on to reset your password.  Often all you need is access to your email to reset your password.

The good news for the IRS is that they are unlikely to get sued and even less likely to go out of business.

That is not the same for you. If you were to lose control of customer information for 300,000 customers, you are likely to get sued, and many small businesses in that position go out of business.

So, as I always say – security or convenience.  Pick one.  My suggestion is that you pick carefully.


Information for this post came from the AP.

The IRS Breach – Where Convenience Trumps Security

The NY Times is reporting that the IRS finally admitted that their tax transcript service is great for identity thieves and shut it down.  In 2013, thieves used it and other techniques to get over $5 billion in bogus tax refunds – costing the U.S. government (AKA you and me) a lot of money and costing taxpayers time and delayed refunds (see article).

The AP is calling this a breach and, I guess, after looking up the definition in the dictionary (an act of breaking or failing to observe a law), it technically is, but it is not what we usually consider a breach.

Hackers did not break into the IRS’ computers and steal your data.  The IRS left it out on the front doorstep, so to speak, for hackers to come pick up at their convenience.

So what is the story? Citizens on occasion need to get a copy of an old tax return. The IRS, in attempting to be customer focused, created a service that allowed you to request that copy. The problem comes from two things: how you identify someone on the Internet, and customer convenience.

It used to be that if you wanted a tax transcript, you had to fill out an IRS form (Form 4506) and mail it in to the IRS, wait a few weeks and they would mail the transcript back to you.  Not terribly secure, but more secure than today.  And if you got a hundred requests to be mailed to the same address for different taxpayers, you could get suspicious.

Today (or more accurately last week, since they shut the service down) you go to the IRS web site and enter anyone’s social security number, date of birth, tax filing status and street address. The user was then asked some questions drawn from one of the credit bureaus’ public information services, like “what was your high school mascot?”.

The problem is that in the day of the Internet, information is readily available, and in trying to be customer focused, the identity verification is pretty weak. Could someone find out where I went to high school and then Google my high school mascot? Probably. Like in maybe 15 seconds. That is not secure. But it is convenient.

And, if people are honest, then this is probably secure enough.

But, we are talking about money – billions of dollars in 2013.  The IRS CLAIMS that they have mostly shut down the business of bogus tax returns, but I am less than convinced.  Here’s how this works.

The hacker obtains copies of your old tax returns, courtesy of the IRS’ convenient tax transcript service and uses that data to create bogus W2s for the current year.  They then file a current year tax return  saying that they are owed a refund, but have it mailed to the hacker’s address, or, better yet, sent to a hard to trace debit card.  The IRS, being customer focused, pays the refund – even though these bogus W2s don’t match a real W2 sent in by an employer (remember, the IRS is trying to be taxpayer friendly).  To add insult to injury, when you file your real tax return to get your real refund (or pay taxes), the IRS says sorry, we already have a tax return from you, go away.

Then you have to go through a process of trying to convince the IRS that THEY were scammed (you can probably imagine that this is not a quick or simple thing to do) in order for you to get your refund or pay your taxes.  Expect this process to take 9-12 months, on average.

And, in reality, there is not a lot you can do (see one of Brian Krebs’ stories on the subject here). Supposedly you can sign up for an account at IRS.Gov, but I don’t think that is really terribly effective (call me a skeptic).

The IRS tax transcript service and filing of false tax refund requests have been used by the fraud community for many, many years.  It is just that now with the Internet, it is much easier to scale up.

The problem comes from the two facts I started with, plus one more.

1. How do I REALLY know who you are on the Internet – and don’t tell me by your userid and password?

2. Convenience trumps security – almost everywhere. Not so much in the Department of Defense or the Intelligence Community, but even in one of the supposedly most secure places in the world, the NSA, Edward Snowden walked off with millions of highly classified documents.

3. All these data breaches that some people laugh off as irrelevant give the hackers more data about you than you have, so answering the questions becomes a query into the hacker’s information – they don’t even have to reach out to Google.

Oh, yeah, now that IRS has gotten SOME control over this, the hackers have moved on to the 50 states + U.S. Possessions.  The only ones that don’t have to worry about that are the states that don’t have an income tax.  The hacker community is sharing among themselves which states are easy to con and which ones are not. SIGH!

Unfortunately, this is not likely to change any time soon, so you just need to be as vigilant as you can and hang on for the ride.

Also remember, the IRS just happens to be this week’s poster child – they are not alone – just one of many.

Sorry to be a Debbie Downer.


IRS Scam Running Amok

CNN is reporting a tax scam which, while quite old, is apparently still way too effective.  The IRS is reporting that they are getting complaints at the rate of 10,000 to 12,000 new complaints a week.

The scam goes like this. Someone calls you from a Washington, DC phone number and says you are under investigation, in danger of losing your home, or that the authorities have been notified and will be there in 30 minutes.

The victims report that the caller knows information that they felt only the real IRS would know (or perhaps someone who bought data from the Anthem breach or one like it).

The victims were given specific instructions. The scammer stayed on the phone as one victim drove around Charlotte for five hours depositing $500 payments into a PayPal account set up by the scammer. The scammer would give the victim store names, street names, etc.

Victims were of all types – a radio host, a minister, old people, immigrants.  Even someone with a PhD.

On occasion, bank tellers and money wiring clerks would convince victims not to do it.

To be clear, the United States Government does not use a PayPal account. They also will ALWAYS mail you letters – sometimes way too many letters – before they would ever take court action. In theory, IRS agents are not supposed to threaten you.

However, if new cases are showing up at the rate of 10 to 12 thousand new cases a week, this thing has legs.

People hear IRS, arrest, jail and they freak out.  Understandable.

The first thing to do is to get a call back number and hang up. Of course, the scammer is not going to want you to do that. Do it anyway. If they won’t give you a call back number, that is your first clue. If the cops are really on their way, it won’t make a difference.

Next find someone you trust. Maybe a professional like a lawyer or accountant, but if you don’t have one of those or can’t afford one, at least a trusted friend who is not the target of the scam.

You can call the Treasury Department Inspector General for Tax Administration (TIGTA) at 800-366-4484.  They also have a specific web page set up to report this particular scam (link).

Some people have been conned out of as much as $16,000.  Don’t be the next victim.

Mitch