100,000 Electronic Filing PINs Stolen

By   ISBuzz Team
Writer , Information Security Buzz | Feb 14, 2016 06:30 pm PST

The Internal Revenue Service (IRS) in the US was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.

The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. Brian Spector, CEO of MIRACL explains whether this could also happen to the UK’s HMRC.

[su_note note_color=”#ffffcc” text_color=”#00000″]Brian Spector, CEO of MIRACL :

Insight into what happened?

“It’s obvious that e-PIN’s were being stored like passwords but in the worst possible way. Instead of creating a one-way hash function on the PINs, the PINs were able to be recalled in plain text to the user (or attacker).

This is a glaring security oversight.”

Could the same thing happen to HMRC?

“No. Because Gov.UK is rolling out the Verify program, of which every website will be on after April 16th, many of the verification services, like Experian, are using strong authentication technologies like MIRACL’s M-Pin.  Further, the authentication is happening on a separate service, so the user data is isolated from the user authentication data.”

How should the IRS protect itself going forward?

“They should use the latest zero knowledge proof protocols to protect all customer data.”[/su_note]

[su_box title=”About MIRACL” style=”noise” box_color=”#336588″]miraclMultiprecision Integer and Rational Arithmetic C Library – the MIRACL Crypto SDK – is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).[/su_box]