IRS hack: Questions ‘only you know’ easy to answer

SAN FRANCISCO – The hackers who got access to over 100,000 personal records through the Internal Revenue Service’s Get Transcript site didn’t need all that much information to break in, say experts.

The IRS said Tuesday that cybercriminals used personal data obtained from elsewhere to get into the transcript service, which allows users to view tax account transactions, line-by-line tax return information and wage and income reported to the IRS.

To access that information, a legitimate user, or a thief, required a name, Social Security number, date of birth, filing status (single, married, etc.) and a street address.

Next they needed to answer several personal identity verification questions “that only you can answer,” in the words of the IRS site.

These are known as knowledge-based authentication, or KBA, challenges. They came from a service offered by the credit bureau Equifax, according to security writer Brian Krebs.

Those included information such as a prior address or phone number or car or home loan information. Users had to supply the correct answer to four such questions.

The problem is, that type of data is readily purchased on the Internet underground, where vast databases containing fully built-out portfolios on tens of thousands of people can go for as little as a dollar a record.

Far from being questions “that only you can answer,” the verification queries used by the IRS were easy enough that the hackers tried to break into 200,000 accounts and got information out of 100,000.

“That’s pretty staggering, it’s a 50% success rate,” said Morey Haber, vice president of technology at BeyondTrust, a Phoenix-based computer security company.

It also wouldn’t have been hard to automate, said Robert Hansen, a vice president at WhiteHat Security, a Santa Clara, Calif.-based security firm.

“Robotic submissions are extremely easy to do,” he said.

Literally dozens of tools are available, often used by spammers, that map out variables such as name, Social Security number, etc. and insert them one after the other in the correct order, Hansen said.

The IRS attack highlights a problem that security researchers have long worried about: once you’ve got some information about someone, it becomes easier to gather more.

Sites increasingly use information beyond name and password to confirm identity, and this has opened a potential door for clever hackers.

“The attack on the IRS web application took serious foresight and expertise,” said Trend Micro global threat communications manager Christopher Budd.

But once the attackers had accumulated and compiled stolen data, they were able to “successfully breach the system and obtain the more valuable information they were after,” he said.

Source: USA Today
