As the IRS begins to dig into forensics around a breach in its online "Get Transcript" application that exposed 100,000 tax accounts to intruders, the early information released to the public this week offers security food for thought to both public and private sector organizations. According to security pundits, the breach offers ample evidence of the authentication weaknesses prevalent today and also shows how interconnected seemingly unrelated data breaches can be.
The IRS said in a statement yesterday that criminals used taxpayer-specific data from "non-IRS sources" to gain unauthorized access to the breached accounts.
"These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer," the statement said, explaining that the Treasury Inspector General and the IRS Criminal Investigation unit are looking into it and have shut down the application in the interim.
According to Ken Westin, the way this breach went down illustrates how large-scale breaches have transformed personal information into public information, or at least into information publicly available on the black market.
"We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another. According to the IRS, the data came ‘from questionable email domains’ and at a high velocity of requests," he explains. "The information that was used to bypass the security screen, including Social Security numbers, dates of birth and street addresses, is all data that has recently been compromised in health insurance data breaches."
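The two signals Westin singles out, questionable email domains and a high velocity of requests, are exactly the kind of thing a detection engineer would key on while the knowledge-based checks themselves are still passing. The script below is an added example, not code from the article, the IRS or any of the quoted vendors. It assumes a hypothetical access-log format (timestamp, outcome, registering email domain, source IP, hashed taxpayer id) and runs two checks over constructed sample lines: a sliding-window request count per key, and a fan-out count of distinct taxpayer identities touched by each key.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (not an IRS log):
# <ISO timestamp> <ok|fail> domain=<email domain> ip=<source IP> tid=<hashed taxpayer id>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<outcome>ok|fail)\s+domain=(?P<domain>\S+)\s+"
    r"ip=(?P<ip>\S+)\s+tid=(?P<tid>\S+)$"
)

# Constructed sample traffic. Genuine users trickle in from mainstream
# providers; one throwaway domain fires a burst of requests for distinct
# taxpayer ids, and most of them clear the verification step ("ok").
SAMPLE_LOG = """\
2015-05-20T09:00:01 ok   domain=gmail.com        ip=203.0.113.10 tid=t001
2015-05-20T09:14:22 fail domain=yahoo.com        ip=203.0.113.11 tid=t002
2015-05-20T09:31:05 ok   domain=outlook.com      ip=203.0.113.12 tid=t003
2015-05-20T10:02:00 ok   domain=tmpmail.example  ip=198.51.100.5 tid=t101
2015-05-20T10:02:07 ok   domain=tmpmail.example  ip=198.51.100.5 tid=t102
2015-05-20T10:02:15 fail domain=tmpmail.example  ip=198.51.100.6 tid=t103
2015-05-20T10:02:21 ok   domain=tmpmail.example  ip=198.51.100.5 tid=t104
2015-05-20T10:02:30 ok   domain=tmpmail.example  ip=198.51.100.6 tid=t105
2015-05-20T10:02:44 ok   domain=tmpmail.example  ip=198.51.100.5 tid=t106
2015-05-20T10:45:10 ok   domain=gmail.com        ip=203.0.113.13 tid=t004
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def velocity_alerts(events, key_field, window, threshold):
    """Sliding-window count of attempts per key (domain, ip, ...).

    Returns {key: count} for every key that reached `threshold` attempts
    inside `window`; the count recorded is the one at the first crossing.
    Both successful and failed attempts count: the attacker's requests
    largely succeed, so a failures-only lockout would never fire.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev[key_field]
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = len(q)
    return alerts


def identity_fanout(events, key_field, min_distinct):
    """Keys that touched at least `min_distinct` different taxpayer ids.

    One real taxpayer rarely needs transcripts for many identities; one
    email domain or address reaching across many is the bulk-lookup pattern.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev[key_field]].add(ev["tid"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}


def analyze(text, window=timedelta(minutes=5), threshold=5, min_distinct=5):
    """Run both checks and return the flagged keys for each."""
    events = parse_log(text)
    return {
        "burst_domains": velocity_alerts(events, "domain", window, threshold),
        "burst_ips": velocity_alerts(events, "ip", window, threshold),
        "fanout_domains": identity_fanout(events, "domain", min_distinct),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed sample, keying on the email domain flags the burst and the identity fan-out, while keying on the source IP flags nothing, because the attacker spread the requests across two addresses and never exceeded the per-IP threshold. That is the practical lesson behind Westin's remark: the pivot for this kind of traffic is the registration identity, not the network origin, and the counter must include successful attempts.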
The authentication problems are two-fold. The first is that agencies like the IRS, as well as private sector organizations, don't do enough to verify identity (identity proofing) at the moment a new account is enrolled.
"Authentication relies on being able to properly identify people at least once. But how do you know who you’re dealing with before that first identification happens?" says Jeff Williams, CTO of Contrast Security. "Well, the IRS decided that if you know a person’s SSN, birthday, and street address, then you must be that person. For government agencies in particular, we can do better. We should have an official channel that can provide higher assurance authentication before granting access to our personal information."
The second authentication weakness is the age-old one of depending solely on static secrets to keep intruders at bay: the lowly password and, in this case, personal verification questions built from the same SSN, date of birth and street address that are already circulating from other breaches.
"This data breach demonstrates the limitations of using static authentication credentials, especially information that cybercriminals are showing they can easily steal and then repurpose for data breaches such as this," says Tsion Gonen, vice president of strategy in identity and data protection at Gemalto.