Over 100,000 E-File PINs Fraudulently Accessed In Automated Attack On IRS App

Personal data stolen from other sources was used in the attack, the agency says

The IRS said Tuesday that it has stopped an automated attack in which cyber criminals used Social Security numbers and personal data stolen from elsewhere to generate the personal identification numbers (PINs) required for filing taxes electronically for over 101,000 individuals.

In total, stolen SSNs and personal data were used to try to access an E-File PIN for some 464,000 individuals, the IRS said. The incident, involving what the IRS described as an “automated bot,” happened last month, but it wasn’t immediately clear how quickly the attack was spotted and stopped.
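The pattern the article describes, one client submitting stolen identity data in bulk against a PIN-issuing endpoint with most attempts failing, is visible in ordinary web-access logs if you look for it. The following is an added example, not code from the article or from the IRS; the log format, the `/efile/pin` endpoint name, the `subj=` field (an opaque identifier for the taxpayer whose data was submitted) and the thresholds are all assumptions. It flags a client on three independent signals: request velocity inside a sliding window, an abnormal failure ratio, and the number of distinct identities tried from one source.

```python
"""Detect bulk automated PIN requests in constructed access logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, not the IRS's real logging:
# "<ISO8601> <client_ip> <path> <http_status> verify=<ok|fail> subj=<opaque id>"
PIN_PATH = "/efile/pin"  # assumed endpoint name


def build_sample_log():
    """Constructed sample: one bot-like client and two ordinary users."""
    base = datetime(2016, 1, 20, 3, 0, 0)
    lines = []
    # Bot: 40 requests in ~40 s, a different subject each time, 75% failing.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        outcome = "ok" if i % 4 == 0 else "fail"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 {PIN_PATH} 200 "
                     f"verify={outcome} subj=s{i:05d}")
    # Ordinary users: one or two requests each, minutes apart, one subject each.
    lines.append(f"{base + timedelta(minutes=5):%Y-%m-%dT%H:%M:%SZ} 198.51.100.21 "
                 f"{PIN_PATH} 200 verify=ok subj=u00001")
    lines.append(f"{base + timedelta(minutes=9):%Y-%m-%dT%H:%M:%SZ} 198.51.100.34 "
                 f"{PIN_PATH} 200 verify=fail subj=u00002")
    lines.append(f"{base + timedelta(minutes=10):%Y-%m-%dT%H:%M:%SZ} 198.51.100.34 "
                 f"{PIN_PATH} 200 verify=ok subj=u00002")
    return "\n".join(lines)


def parse_line(line):
    """Split one assumed-format log line into a record."""
    ts, ip, path, status, verify, subj = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "path": path,
        "status": int(status),
        "ok": verify == "verify=ok",
        "subj": subj.split("=", 1)[1],
    }


def detect_pin_bots(log_text, window=timedelta(seconds=60), min_requests=20,
                    max_fail_ratio=0.5, min_distinct_subjects=10):
    """Return {client_ip: stats} for clients whose PIN traffic looks automated."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] == PIN_PATH:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: the most requests this client made inside any `window`.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        fails = sum(1 for r in recs if not r["ok"])
        fail_ratio = fails / len(recs)
        distinct = len({r["subj"] for r in recs})

        reasons = []
        if peak >= min_requests:
            reasons.append(f"velocity: {peak} requests within "
                           f"{int(window.total_seconds())}s")
        if len(recs) >= min_requests and fail_ratio > max_fail_ratio:
            reasons.append(f"failure ratio {fail_ratio:.0%} over {len(recs)} requests")
        if distinct >= min_distinct_subjects:
            reasons.append(f"{distinct} distinct identities tried from one client")
        if reasons:
            findings[ip] = {
                "requests": len(recs),
                "peak_in_window": peak,
                "fail_ratio": round(fail_ratio, 2),
                "distinct_subjects": distinct,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, stats in detect_pin_bots(build_sample_log()).items():
        print(ip, stats)
```

The per-IP velocity check is the weakest of the three signals, since a bot run through a proxy pool spreads its requests across many addresses; the failure ratio and the count of distinct identities per client (or per session, device fingerprint, or other grouping key) hold up better. None of this changes the underlying weakness the article's sources point at: if the only thing standing between a stolen SSN and a valid PIN is knowledge-based verification, detection can limit the damage but cannot remove the exposure.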

Though the stolen SSNs were used successfully to generate PINs for 101,000 individuals, no personal data was accessed or stolen from IRS systems themselves, the agency said. All affected taxpayers are being notified by mail that their personal information was fraudulently used to generate an E-File PIN. Accounts belonging to the affected individuals have also been flagged to protect against tax-related fraud, the IRS said.

This is the second time in less than a year that cybercriminals have used data stolen in other breaches to try to access taxpayer data in IRS systems, presumably to commit tax fraud—such as claiming illegal refunds.

Last May, the agency revealed that it had been the victim of an almost identical attack involving the use of personal data stolen from other sources. In that case, though, the attackers targeted an IRS application dubbed “Get Transcript,” which gives taxpayers a way to obtain copies of prior-year tax returns and transcripts of other records. Initially the IRS claimed the attack had netted the perpetrators the full tax account records of some 100,000 people. Later estimates pegged the actual number of affected individuals at around 330,000.

Analysts at that time had pointed to the IRS’s relatively weak user authentication mechanisms for allowing attackers to gain access to the records.

The same concerns have surfaced following news of the most recent attack on an IRS application.

“The most important thing to note from this attack is that the fraudsters used information that they had stolen previously to gain access to more consumer data,” says Armen Najarian, chief marketing officer at security vendor ThreatMetrix. “Fraudsters have the opportunity to use the information they have stolen or purchased from the dark web to either file fraudulent returns or to enhance their database of PII data for future crimes,” he said in comments to Dark Reading.

“In a digital first, connected world, the traditional methods of identity validation and authentication are irrelevant and companies must find a way to establish true user identity without impacting other customers,” Najarian says.

Such incidents highlight the need for individuals to take their personal privacy and credit protection more seriously, says Chris Ensey, COO of Dunbar Security Solutions.

Most individuals are not aware of the extent of the damage that identity theft can do to their personal and professional lives. “For the enterprise, it should be clear that knowledge based authentication that leverages credit history for a means of second factor cannot be trusted. There is far too much end user credit data out there in the open,” Ensey says.

News of the latest cyber attack on the IRS comes just a week after the agency reported major system performance issues that rendered it temporarily unable to receive tax returns.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

2/15/2016 | 7:40:27 AM
Proper Perspective
to focus on this as a "problem of computer hackers" is to mis-address the real problem -- which is the use of insecure operating software and symmetric identifications

what is the full cost of hacking today?

not just the loss of cash and merchandise: there is also the loss of labor employed in attempting ineffective defenses. defenses which can never be effective because they fail to address the root of the problem: insecure operating software and compromised symmetric identifications

a secure operating system will not allow itself to be compromised by the activity of an application program. that is the starting point as it is critical to protecting the security software needed for authenticating and protecting documents and transactions.

it is probably necessary to design and deploy a KEK -- key encryption key device

the KEK would carry a copy of GnuPG or PGP plus the related keyrings. it must be a single purpose device so that updates can be strictly controlled -- not like a "smart" phone.

the KEK is an identification carrier and as such would need to be maintained by facilities that are currently responsible for validating identifications: Credit Unions, DMV, County Clerk, Notaries and such.

the KEK could then be used to authenticate and protect form 1040.

symmetric ID such as traditional name, address, DoB, SSN, phone number, mother's maiden name, e/mail are known as "PII" -- and are hopelessly compromised.