Two of the industry’s top cybersecurity experts commented on the recent hack of the IRS online Get Transcript service to access tax information from 100,000 taxpayers. The agency admits more than 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication.
Igor Baikalov, Chief Scientist, Securonix:
“According to the IRS statement, attackers had enough information to successfully pass identity verification for over 100,000 taxpayers. I don’t know how the IRS can be so sure that this data was obtained from ‘a non-IRS source,’ since it seems to be exactly the kind of information the IRS has, including tax filing status. Social Security, date of birth, street address, and additional sensitive financial information – something like the amount of specific loan payment or the balance, I assume – that’s more than enough data to get access to many financial instruments.
In addition to this data, now the attackers are armed with tax transcripts, and it’s only logical to expect this wealth of information being thrown into a new wave of sophisticated attacks against a whole range of financial institutions. Once the identity verification layer is broken, behavioral analytics is the last line of defense. Institutions should monitor every behavioral indicator available to them, such as time and location of access, frequency and amount of transactions, for anomalies and inconsistencies to detect malicious behavior.
If the IRS would have used behavioral analytics, instead of relying on static verification steps, it was bound to detect this breach long before it hit 200,000 attempts. Requests for multiple transcripts from the same network segment or geo-location, unusual source IP address and location or questionable email domains – there were definitely plenty of indicators to warrant earlier investigation.”
Stewart Draper, Director of Insider Threat, Securonix:
“Previous data made public from another breach could have easily been used to gain access to the Get Transcript application. Similar verification information is often used across different companies and could have been leveraged as an authentication. The volume of some 200,000 attempts over the course of just 3 months could indicate some form of automated scripting in order to attempt to gain access to these tax records.
A combination of behavior analytics that looked at application security logs, fraud intelligence and network traffic could have made identification of this attack easier and saved a good number of tax payers the risk of having false tax returns filed.”