Comments from Vasco and Tripwire on IRS News that Hackers Grabbed Tax Info from 100,000
John Gunn, VP, VASCO Data Security (www.vasco.com):
“This attack has remarkable similarities to the Apple hack of last summer where there were a large number of successful compromises of an unsound security infrastructure that resulted in breach-like consequences.
This highlights the change that has occurred in the market for stolen data. Social Security Numbers are becoming the primary high-value target of hackers because they are worth ten times as much as credit cards and they are protected by a fraction of the security of banking assets. This will obviously have to change or we will see an increasing number of victims.
It begs the question – why does the IRS offer enhanced security only to those who have had their information stolen; why not use a simple one-time-password (OTP) solution to keep everyone else from joining the growing ranks of identity theft victims? OTP security has been proven very effective by large global banks.”
The IRS today confirmed that hackers used an IRS online service called “Get Transcript” to access tax information from 100,000 taxpayers. The agency admits that more than 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication.
Ken Westin, Senior Security Analyst, Tripwire (www.tripwire.com):
“We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another. According to the IRS, the data came ‘from questionable email domains’ and at a high velocity of requests. The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, consists of components of data that have recently been compromised in health insurance data breaches. Tax filing status can be identified pretty easily if you know whether the person is married or not.
Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information, and this data should not be used as security or authentication checks.”
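The two signals the IRS itself cites, a high velocity of requests and clusters of attempts from the same questionable email domains, are detectable on the service side even when every knowledge-based answer is "correct". The script below is an added example, not code from the IRS, VASCO or Tripwire: it runs a per-domain sliding-window velocity check over a few constructed "Get Transcript"-style authentication log lines (the log format, domains and thresholds are all assumptions made for the illustration) and shows the step-up decision Gunn argues for, routing flagged domains to a one-time password instead of accepting knowledge-based answers alone.

```python
"""Velocity detection over constructed knowledge-based-auth (KBA) logs.

Added example. Log lines, domains and thresholds are constructed for the
illustration; they are not IRS data. Line format (assumed):
    <ISO-8601 UTC time> <email address> <PASS|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: one bulk domain firing six KBA attempts in under a
# minute (four of them clearing the screen), and two ordinary users.
SAMPLE_LOG = """\
2015-05-20T10:00:01Z a1@bulkmail.test PASS
2015-05-20T10:00:09Z a2@bulkmail.test PASS
2015-05-20T10:00:15Z a3@bulkmail.test FAIL
2015-05-20T10:00:21Z a4@bulkmail.test PASS
2015-05-20T10:00:30Z a5@bulkmail.test PASS
2015-05-20T10:00:44Z a6@bulkmail.test FAIL
2015-05-20T10:02:00Z jane@home-isp.test PASS
2015-05-20T11:15:00Z bob@home-isp.test FAIL
"""


def parse_line(line):
    """Return (timestamp, email domain, kba_passed) for one log line."""
    ts, email, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    domain = email.rsplit("@", 1)[1].lower()
    return when, domain, result == "PASS"


def velocity_alerts(log_text, window=timedelta(minutes=5), max_attempts=5):
    """Flag any email domain with more than max_attempts KBA attempts
    inside a sliding window. Returns {domain: summary} for flagged domains.

    A per-domain deque holds (timestamp, passed) pairs inside the window;
    the summary records how many of those attempts cleared the screen,
    which is the number an operator would want to see (the IRS figure of
    100,000 successes out of 200,000 attempts is exactly this ratio).
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)
    alerts = {}
    for when, domain, passed in events:
        q = recent[domain]
        q.append((when, passed))
        while q and when - q[0][0] > window:  # drop attempts outside window
            q.popleft()
        if len(q) > max_attempts:
            alerts[domain] = {
                "attempts": len(q),
                "kba_passes": sum(1 for _, p in q if p),
                "window_start": q[0][0].isoformat(),
            }
    return alerts


def required_factor(domain, alerts):
    """Step-up policy (assumed): a flagged domain may not rely on KBA.

    Breached SSNs, dates of birth and addresses still answer the KBA
    questions correctly, so the only useful response is to demand a factor
    the attacker does not hold, such as a one-time password sent to a
    previously registered channel. Unflagged domains keep the baseline
    flow here only to keep the example small.
    """
    return "otp" if domain in alerts else "kba"


if __name__ == "__main__":
    found = velocity_alerts(SAMPLE_LOG)
    for dom, info in found.items():
        print(f"ALERT {dom}: {info['attempts']} attempts, "
              f"{info['kba_passes']} cleared KBA since {info['window_start']}")
    for dom in ("bulkmail.test", "home-isp.test"):
        print(dom, "->", required_factor(dom, found))
```

With the constructed log, only `bulkmail.test` is flagged (six attempts in 43 seconds, four of them passing KBA), and the two `home-isp.test` logins an hour apart are left on the normal path. The velocity check is a detection aid, not a substitute for Westin's point that breached personal data should not be an authentication factor in the first place; a slow, distributed attacker stays under any per-domain threshold.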