The Internal Revenue Service (IRS) in the US was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.
The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers used an automated bot to request E-file PINs corresponding to 464,000 unique SSNs, and succeeded for 101,000 SSNs before the IRS blocked it. Brian Spector, CEO of MIRACL, explains whether the same thing could happen to the UK’s HMRC.
Brian Spector, CEO of MIRACL:
Insight into what happened?
“It’s obvious that e-PINs were being stored like passwords but in the worst possible way. Instead of creating a one-way hash function on the PINs, the PINs were able to be recalled in plain text to the user (or attacker). This is a glaring security oversight.”
Could the same thing happen to HMRC?
“No. Because Gov.UK is rolling out the Verify program, of which every website will be on after April 16th, many of the verification services, like Experian, are using strong authentication technologies like MIRACL’s M-Pin. Further, the authentication is happening on a separate service, so the user data is isolated from the user authentication data.”
How should the IRS protect itself going forward?
“They should use the latest zero knowledge proof protocols to protect all customer data.”
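The storage point raised above (a PIN that can be handed back in plain text versus one that is only ever verified against a one-way hash), together with the bulk-enumeration pattern described in the article, as an added illustration that is not code from the article, the IRS or MIRACL. The work factor, the lookup threshold and the taxpayer ids and source addresses are all constructed values.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune to your hardware


class VerifyOnlyPinStore:
    """Keeps only a per-record salt and a one-way hash of each PIN.

    Nothing stored here can be turned back into the PIN, so a "recall my
    PIN" endpoint cannot exist; the only operation is verify().
    Short PINs have little entropy, so production use should add a
    server-side secret (pepper) or an HSM, which this example omits.
    """

    def __init__(self):
        self._records = {}  # taxpayer_id -> (salt, derived_hash)

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

    def enroll(self, taxpayer_id, pin):
        salt = os.urandom(16)  # fresh salt per record defeats precomputed tables
        self._records[taxpayer_id] = (salt, self._derive(pin, salt))

    def verify(self, taxpayer_id, pin):
        if taxpayer_id not in self._records:
            return False
        salt, stored = self._records[taxpayer_id]
        return hmac.compare_digest(stored, self._derive(pin, salt))


def flag_bulk_lookups(events, max_distinct_ids=20):
    """Return sources that touched more distinct taxpayer records than allowed.

    events: iterable of (source, taxpayer_id) pairs for one time window.
    A legitimate user asks about one record; an enumerating bot asks about many.
    """
    seen = defaultdict(set)
    for source, taxpayer_id in events:
        seen[source].add(taxpayer_id)
    return sorted(src for src, ids in seen.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    store = VerifyOnlyPinStore()
    store.enroll("tp-0001", "48213")  # constructed record
    print(store.verify("tp-0001", "48213"))  # True
    print(store.verify("tp-0001", "00000"))  # False
    # Constructed traffic: one normal lookup and one source sweeping 50 records.
    traffic = [("10.0.0.5", "tp-0001")] + [("203.0.113.9", f"tp-{i:04d}") for i in range(50)]
    print(flag_bulk_lookups(traffic))  # ['203.0.113.9']
```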
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.