IRS Data Breach – 330,000 Users of IRS’s Get Transcript: “Get Got”

Posted August 20, 2015

KrebsOnSecurity Reports the Number of Victims of the Get Transcript Function on IRS Site Was 3X the Number Previously Thought.
Not familiar with “get got?” — It’s slang for “been had.”
Not familiar with “been had?” — please see “get got.”

Seriously — and in the case of the 330,000 taxpayers whose visit to the IRS’s Get Transcript function may have compromised their personal information and put them at risk of identity theft — very seriously, it means scammed.

On his blog, security expert Brian Krebs not only goes into the question of the under-reported taxpayers put at risk, but also discusses the lack of “effectiveness of the technology that the IRS, banks and countless other organizations use to screen requests for sensitive information.” The following has been excerpted from Krebs's comprehensive piece and edited to fit our format. You may find his complete article by clicking on “IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam.”

How a taxpayer gets a copy of his/her return

[A taxpayer must] provide the IRS with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing.
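To put numbers on the random-guessing point above, here is an added example (not from Krebs's article or this post) that computes how often uniform guessing passes a multiple-choice quiz and what per-identity attempt cap keeps that chance under a chosen risk level. The five answer choices per question and the pass thresholds are assumptions; the excerpt states only that four multiple-choice questions are asked.

```python
from math import comb


def p_pass_single(questions=4, choices=5, required=4):
    """Chance that uniform random guessing gets at least `required`
    of `questions` right (binomial tail). Defaults are assumptions."""
    p = 1 / choices
    return sum(
        comb(questions, k) * p**k * (1 - p) ** (questions - k)
        for k in range(required, questions + 1)
    )


def p_pass_within(attempts, **quiz):
    """Chance that at least one of `attempts` independent quiz sessions
    passes, i.e. what an unlimited-retry policy exposes."""
    return 1 - (1 - p_pass_single(**quiz)) ** attempts


def max_attempts_for_risk(target, **quiz):
    """Largest per-identity attempt cap whose guess-through probability
    stays at or below `target`. Returns 0 when even one attempt is too many."""
    if not 0 <= target < 1:
        raise ValueError("target must be in [0, 1)")
    cap = 0
    while p_pass_within(cap + 1, **quiz) <= target:
        cap += 1
    return cap


if __name__ == "__main__":
    # Constructed scenarios: strict quiz (4 of 4) vs. lenient quiz (3 of 4).
    for required in (4, 3):
        quiz = dict(questions=4, choices=5, required=required)
        print(f"pass threshold {required}/4:")
        print(f"  one attempt       : {p_pass_single(**quiz):.4%}")
        for n in (3, 100, 1000):
            print(f"  within {n:>4} tries : {p_pass_within(n, **quiz):.2%}")
        print(f"  cap for <=1% risk : {max_attempts_for_risk(0.01, **quiz)}")
```

Under these assumptions a single guess rarely passes, but the chance compounds quickly when retries per identity are not limited, and a quiz that tolerates one wrong answer exceeds a 1% risk budget on the first attempt.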

Other government agencies use similar process

The same process described to obtain a tax transcript at IRS.Gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future.

IRS Data Breach – Taxpayers still vulnerable

The IRS offers “Identity Protection” PINs (IP PINs) to affected taxpayers [whose information may have been compromised] that must be supplied on the following year’s tax application before the IRS will accept the return. However…the IRS.gov website allows consumers who have lost their IP PINs to recover them, and incredibly that feature is still using the same authentication method relied upon by the IRS’s flawed Get Transcript function.

Free credit monitoring not all that useful, says Krebs

The IRS said it is notifying all potential victims and offering free credit monitoring services. But this is hardly a useful solution. [Krebs has] long urged readers to rely instead on freezing their credit files with the four major credit bureaus….

Krebs urges giving cyberthieves the “cold shoulder”

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.
