IRS Breach Way Bigger Than Initially Thought

HardOCP News · Aug 17, 2015

Of course the IRS breach was bigger than initially thought. The funny thing is, had this been a regular citizen that incorrectly estimated this number, there would be a form to fill out, with a penalty and interest.

Today the agency increased that number by an additional 200,000 folks, bringing the total number of potential cases to 334,000. Using a "Get Transcript" tool to access tax returns from previous years -- a vulnerability that the government knew about -- hackers were able to use personal details on 610,000 taxpayers to retrieve tax-related info on the over 300,000 accounts.

Jim Kim · Aug 17, 2015

good thing the IRS did not have Hillary's e-mail on their servers

TwistedAegis · Aug 17, 2015

Just to be clear on this, this isn't a breach in the full sense of the word.

These "hackers" already had the person's full name, address, DOB, SSN and was able to answer knowledge based/out of wallet questions ("Which of these 4 addresses have you ever lived...)".

Basically, with that information you can get into 99% of banks. They simply logged into the IRS to build an even more full profile of already compromised identities, which should make those people very, very concerned that they went to all that effort to be able to spoof pretty much anyone but your mother, in-person.

aShrubbery! · Aug 17, 2015

Which raises the question... WHY THE HELL DOES THE FINANCIAL WELL BEING OF EVERY INDIVIDUAL REST ON A NUMBER WHICH CANNOT BE REPLACED IN CASE OF FRAUD AND NO BIOMETRIC SAFETY MEASURE, NO ID????

The US should come off its high horse - a national prying one's head out of one's arse - and learn from other countries and realize that some of its established ways of doing things need a thorough scrapping.
With those standards, I am surprised the US is the the only remaining superpower.
This is ridiculous!!!! Ask a foreigner what it takes to 'steal' someone's identity in their country.

TwistedAegis · Aug 17, 2015

Talk about reforming identity, unfortunately, brings out the paranoiacs and you can't get anything done.

Not that they are 100% wrong (see: USA PATRIOT Act); however, we need to be able to continue to progress as a country and have sane discourse. No clue how to make that happen.

mullet · Aug 17, 2015

What does the goobermint do that is not a total screw up?

Cerulean · Aug 17, 2015

aShrubbery! said:
Which raises the question... WHY THE HELL DOES THE FINANCIAL WELL BEING OF EVERY INDIVIDUAL REST ON A NUMBER WHICH CANNOT BE REPLACED IN CASE OF FRAUD AND NO BIOMETRIC SAFETY MEASURE, NO ID????

The US should come off its high horse - a national prying one's head out of one's arse - and learn from other countries and realize that some of its established ways of doing things need a thorough scrapping.
With those standards, I am surprised the US is the the only remaining superpower.
This is ridiculous!!!! Ask a foreigner what it takes to 'steal' someone's identity in their country.

Why do you care? Nothing is going to change so long as business is business.

Do you know how easy it is to get access into someone's bank account? They don't care about security, and if you expose them they'll label you as a hacker and pursue for criminal charges. Only if the event is enough to cause bad PR will they engage in damage control mode -- but only long enough to CYA. It's 100% selfish and greed.

Jagger100 · Aug 17, 2015

Cerulean said:
Why do you care? Nothing is going to change so long as business is business.

Do you know how easy it is to get access into someone's bank account? They don't care about security, and if you expose them they'll label you as a hacker and pursue for criminal charges. Only if the event is enough to cause bad PR will they engage in damage control mode -- but only long enough to CYA. It's 100% selfish and greed.

So when nothing happens to anyone at the IRS, what will that be called?

Cerulean · Aug 17, 2015

jpm100 said:
So when nothing happens to anyone at the IRS, what will that be called?

A great mafia success.

$$$

Old_Way · Aug 18, 2015

Over 6% of the population has more than 1 SSN associated with their name. Over 40 million us are sharing SSN's with other people. Over 100K of us have 5 or more SSN's associated with our names. The IRS has never been a good watchdog of our data... This is just one more item to add to the list.

FndTheRver · Aug 18, 2015

Old_Way said:
Over 6% of the population has more than 1 SSN associated with their name. Over 40 million us are sharing SSN's with other people. Over 100K of us have 5 or more SSN's associated with our names. The IRS has never been a good watchdog of our data... This is just one more item to add to the list.

I'm curious to know the source of your information.

TwistedAegis · Aug 18, 2015

jpm100 said:
So when nothing happens to anyone at the IRS, what will that be called?

I'm no lover of the IRS, but again, how is this their fault? If I go to any bank in the US that opens online accounts, with the information these "hackers" had, I could open it.

If I walk up to your house with a key I've stolen from you previously, don't think that is the door knob's fault.

CreepyUncleGoogle · Aug 18, 2015

aShrubbery! said:
Which raises the question... WHY THE HELL DOES THE FINANCIAL WELL BEING OF EVERY INDIVIDUAL REST ON A NUMBER WHICH CANNOT BE REPLACED IN CASE OF FRAUD AND NO BIOMETRIC SAFETY MEASURE, NO ID????

The US should come off its high horse - a national prying one's head out of one's arse - and learn from other countries and realize that some of its established ways of doing things need a thorough scrapping.
With those standards, I am surprised the US is the the only remaining superpower.
This is ridiculous!!!! Ask a foreigner what it takes to 'steal' someone's identity in their country.

Try anger management classes. I know a guy at work who used to go into rage tantrums and the counseling thing really helped him stay more tranquil. Now he spends the summer gardening and canning which is pretty awesome and a lot of us are really happy for him.

westrock2000 · Aug 18, 2015

Today the agency increased that number by an additional 200,000 folks,

I blame Obama.....for making it ok to use the word "folks". "Folks" is not an acceptable word to use in formal speaking. Public speaking and published works are considered formal.

Obama is particularly bad about it. Refer to people in Kentucky as "folks" and then refer to people in Afghanistan that we just blew up with drones as "folks".

It's colloquial, exactly like "dudes" and "peeps".

westrock2000 · Aug 18, 2015

aShrubbery! said:
Which raises the question... WHY THE HELL DOES THE FINANCIAL WELL BEING OF EVERY INDIVIDUAL REST ON A NUMBER WHICH CANNOT BE REPLACED IN CASE OF FRAUD AND NO BIOMETRIC SAFETY MEASURE, NO ID????

Because it wouldn't be practical to implement now, and it damn sure wouldn't have been practical to implement 50 years ago.

That being said, the only reason that it is used is because it is a consistant and unique identifier that all people in this country should have. It's standardized, thus it was easy to implement. It was never meant to be used in the way that it is now, but there is no other infrastructure out there that can provide the same means.

Jagger100 · Aug 18, 2015

TwistedAegis said:
I'm no lover of the IRS, but again, how is this their fault? If I go to any bank in the US that opens online accounts, with the information these "hackers" had, I could open it.

If I walk up to your house with a key I've stolen from you previously, don't think that is the door knob's fault.

http://www.engadget.com/2015/05/26/thieves-steal-irs-tax-data/

The evildoers successfully circumvented a security check that asks for static info like your Social Security number and tax filing status. The IRS is temporarily shutting down transcripts and says that its main servers are safe, but this could lead to the culprits filing for bogus tax refunds and getting victims in trouble.

The kicker? Security researchers have known about vulnerabilities in the transcript service for a while.

Having stolen personal information on much of the American public is a given. Things like past addresses are public knowledge if you want to put a little effort into it so much of it isn't technically stolen. The only stolen information you're needed to alert the IRS about is your social security number. Hackers were able to bypass that part of the requirement

You're analogy is grasping at straws. The optimism of an authority lover is never ending so I'm sure you don't see it that way.

TwistedAegis · Aug 18, 2015

Yes, I'm an "authority lover" because I'm trying to disseminate facts rather than make this out to be some error in the code, etc.

Per the Kreb's article which the Engadget article uses as its source, to retrieve a transcript from the IRS portal these "hackers" were required to provide:

Name, DOB, SSN, filing status.

You then need to correctly answer 4 KBA questions.

These "hackers" came to this IRS portal with all of that information in advance. And again, this information can currently be used to open an account with any financial institution in the US.

So yes, I agree our identity system in this country is FUBAR. But this isn't a "hack", there was no exploitation of code, improper encryption, etc. The IRS made personal information available using the most common commercially available identity verification specs, and people used previously compromised data to access it.

Signed,
A straw grasping authority lover

IRS Breach Way Bigger Than Initially Thought

HardOCP News

[H] News

Jim Kim

2[H]4U

TwistedAegis

[H]F Junkie

aShrubbery!

[H]ard|Gawd

TwistedAegis

[H]F Junkie

mullet

[H]ard|Gawd

Cerulean

[H]F Junkie

Jagger100

Supreme [H]ardness

Cerulean

[H]F Junkie

Old_Way

Gawd

FndTheRver

Gawd

TwistedAegis

[H]F Junkie

CreepyUncleGoogle

Supreme [H]ardness

westrock2000

[H]F Junkie

westrock2000

[H]F Junkie

Jagger100

Supreme [H]ardness

TwistedAegis

[H]F Junkie