
Over 100,000 E-File PINs Fraudulently Accessed In Automated Attack On IRS App

Personal data stolen from other sources was used in attack, agency says

The IRS Tuesday said it has stopped an automated attack in which cyber criminals used social security numbers and personal data stolen from elsewhere to generate personal identification numbers (PIN) required for filing taxes electronically for over 101,000 individuals.

In total, stolen SSNs and personal data were used to try to access an E-File PIN for some 464,000 individuals, the IRS said. The incident, involving what the IRS described as an “automated bot,” happened last month, but it wasn’t immediately clear how quickly the attack was spotted and stopped.

Though the stolen SSNs were used successfully to generate PINs for 101,000 individuals, no personal data was accessed or stolen from IRS systems themselves, the agency said. All affected taxpayers are being notified by mail about their personal information being fraudulently used to generate an E-File PIN. Accounts belonging to the affected individuals have also been marked up to protect against tax-related fraud, the IRS said.

This is the second time in less than a year that cybercriminals have used data stolen from other breaches to try to access taxpayer data in IRS systems, presumably to commit tax fraud such as claiming illegal refunds.

Last May, the agency revealed that it had been the victim of an almost identical attack involving the use of personal data stolen from other sources. In that case, though, the attackers targeted an IRS application dubbed “Get Transcript” that basically gives taxpayers a way to get copies of previous year tax returns and transcripts of other records. Initially the IRS claimed the attack had netted the perpetrators full tax account records of some 100,000 people. But later estimates pegged the actual number of affected individuals at around 330,000.

Analysts at that time had pointed to the IRS’s relatively weak user authentication mechanisms for allowing attackers to gain access to the records.

The same concerns have surfaced following news of the most recent attack on an IRS application.

“The most important thing to note from this attack is that the fraudsters used information that they had stolen previously to gain access to more consumer data,” says Armen Najarian, chief marketing officer at security vendor ThreatMetrix. “Fraudsters have the opportunity to use the information they have stolen or purchased from the dark web to either file fraudulent returns or to enhance their database of PII data for future crimes,” he said in comments to Dark Reading.

“In a digital first, connected world, the traditional methods of identity validation and authentication are irrelevant and companies must find a way to establish true user identity without impacting other customers,” Najarian says.

Such incidents highlight the need for individuals to take their personal privacy and credit protection more seriously, says Chris Ensey, COO of Dunbar Security Solutions.

Most individuals are not aware of the extent of the potential damage to personal and professional lives that can be caused by identity theft. “For the enterprise, it should be clear that knowledge based authentication that leverages credit history for a means of second factor, cannot be trusted. There is far too much end user credit data out there in the open,” Ensey says.

News of the latest cyber attack on the IRS comes just a week after the agency reported major system performance issues that rendered it temporarily unable to receive tax returns.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
2/15/2016 | 7:40:27 AM
Proper Perspective
to focus on this as a "problem of computer hackers" is to mis-address the real problem -- which is the use of insecure operating software and symmetric identifications

what is the full cost of hacking today ?

not just the loss of cash and merchandise: there is also the loss of labor employed in attempting ineffective defenses.   defenses which can never be effective because they fail to address the root of the problem: insecure operating software and compromised symmetric identifications

a secure operating system will not allow itself to be compromised by the activity of an application program .   that is the starting point as it is critical to protecting the security software needed for authenticating and protecting documents and transactions .

it is probably necessary to design and deploy a KEK -- key encryption key device

the KEK would carry a copy of GnuPG or PGP plus the related keyrings.    it must be a single purpose device so that updates can be strictly controlled -- not like a "smart" phone .

the KEK is an identification carrier and as such would need to be maintained by facilities that are currently responsible for validating identifications: Credit Unions, DMV, County Clerk, Notaries and such .

the KEK could then be used to authenticate and protect form 1040.

symmetric ID such as traditional name, address, DoB, SSN, phone number, mother's maiden name, e/mail are known as "PII" -- and are hopelessly compromised.  