Abstract

As the entity responsible for tax collection and tax law enforcement, the Internal Revenue Service (IRS) is privy to Americans’ most sensitive data. Despite the importance that these accounts remain secure, the IRS has faced numerous preventable attacks from unidentifiable hackers. The IRS’s “Get Transcript” application was exploited in 2015 to access individuals’ yearly tax information. The following year, the tools “Get My Electronic Filing PIN” and “Identity Protection (IP) PIN Recovery” suffered similar attacks. Cybercriminals used these tools to generate taxpayers’ E-file PINs and steal IP PINs respectively (both of which were used to file fraudulent tax returns). These breaches in security have resulted in the release of the personal accounts of over 700,000 taxpayers and in the loss of about $50 million dollars. While the IRS has improved their system’s defenses, it still remains susceptible to data breaches.

Superficial Issues

The media has depicted the attack on the IRS’s “Get Transcript” application (and the following attacks on the IRS’s “Get My E-filing PIN” and “IP PIN Recovery” tools) as the government’s continued failure to protect individuals’ information. In addition, they used this opportunity to remind people that the IRS has been susceptible to cyber attacks since the late 1990s and that the IRS remains unprepared to protect taxpayers’ confidential information.

The press focused on how the IRS’s systems enabled attackers to file fraudulent tax returns efficiently. Additionally, reports acknowledged that the IRS did not leak any personal data, but that its systems allowed cybercriminals to use information they acquired elsewhere to impersonate taxpayers.

Although there is little to no evidence identifying the party responsible for these attacks, multiple news organizations accused Russian hackers of exploiting the IRS’s insecure system.

The Underlying Technical Issues

While it is unclear how the hackers obtained the information necessary to perform these attacks against the IRS, a possible source could have been the Anthem and Premera Blue Cross’s data breach. Other viable options included purchasing the information over the dark web, sending phishing emails, or using malware software. Furthermore, SSNs were not created for identification. Social Security Numbers can easily be guessed by attackers if they know a taxpayer’s time and place of birth. The first five digits of a SSN are related to this information and can be looked up in a chart while the last four digits can be obtained from various forms that require the last four SSN digits. Regardless of the data’s origin, the attackers used private taxpayer information to target the IRS’s “Get Transcript”, “IP PIN Recovery”, and “Get My E-filing Pin” applications.

The “Get Transcript” tool allows people to access their Form 1040-series either online or through the mail. The web service authenticates users by first asking for their name, address, SSN, and filing status, and then verifies their identity by asking a series of security questions. These questions, known as Knowledge Based Authentication(KBA), are commonly used by financial institutions to establish people’s identities. These type of questions should generally be known only to the user; examples would include “What is your monthly mortgage payment?” and “Have you taken out a loan for $XX,XXX at Bank of America in the past year?” KBA failed here because the attackers were equipped with stolen taxpayer information as well as an automated bot which could guess the answers to the questions with brute force. Armed with the previously stolen data and the additional detailed tax information, attackers were able to file false tax returns and redirect the money into their own accounts.

After discovering the breach on their “Get Transcript” application, the IRS temporarily removed the application from their website in May 2015, informed the victims that their transcripts were accessed without authorization, and offered free credit monitoring to over 100,000 taxpayers that were impacted by the attack. In order to increase security, the IRS decided to issue Identity Protection PINs (IP PINs) to those who were affected by the attack. This annually distributed PIN served as an extra layer of security by forcing taxpayers to include it on all future tax returns. Since the IRS would mail people their PINs, the IRS assumed that this would prevent fraudulent returns from being filed.

The following year, the IRS released two applications vulnerable to the same attacks as “Get Transcript”. Firstly, attackers were able to access taxpayers’ IP PINs through the “IP PIN Recovery” tool; the very PIN that was distributed to protect taxpayers from a similar “Get Transcript” attack. This tool requested personal information in the form of KBA questions - the same type of questions used and subverted in “Get Transcript” tool’s authentication. However, the IRS did stop 800 fraudulent tax returns that used IP PINs.

Through the use of automated bots, the unidentified attackers were also able to access the “Get My E-filing PIN” tool to successfully generate over 101,000 E-file PINs, after querying a total of around 460,000 unique SSNs. After the attackers acquired these 101,000 E-file PINs, they were able to steal more money by filing fraudulent tax returns.

Current Security Practices

The last update to the IRS’ website security platform came on June 7th 2016 and July 19th 2016, when the IRS re-released both their “Get Transcript” application and “IP PIN Recovery” tool. The update comes in the form of further authorization, where users will need to input an email and mobile phone number when filling out the “Get Transcript” application in order to receive a verification code via email or phone to access taxpayer’s transcripts. The update to the “Get Transcript” application also features the ability for taxpayers to see the last date and time their “Get Transcript” online page was accessed. While this update has not seen any attacks yet, we predict another attack on the IRS’ “Get Transcript” application, as this added layer of authorization could be susceptible to man in the middle attacks.

Suggestions for Future Attack Prevention

Since the average taxpayer uses their social security number on multiple forms, one possible method of prevention for the IRS is to issue a separate private ID number, used only for the purposes of viewing taxpayer information and submitting tax returns. It is nearly impossible to protect one’s SSN on every form it is used on, but if attackers do acquire this information, adding an extra private ID that can only be found within the IRS’s database could potentially stop hackers from committing the attacks we have seen against the IRS. Furthermore, the IRS and other private/government agencies should stop using SSN as identification. When SSNs were created, the intention was not for identity verification and it does not provide security. The IRS and other government agencies should use a different form of identification to verify taxpayers.

Additionally, the IRS should contact the Social Security Administration (SSA) to issue new SSNs for those people whose identities have been compromised. Currently, the US government has strict rules when it comes to who can get a new number and the process is difficult and lengthy. Also, it is generally ill-advised to request a new SSN as it is unlikely that the new number will reach all government agencies and private companies that were using your old number. Another issues with requesting a new SSN is that it can erase your credit history, which would make applying for loans or credit cards challenging.

The IRS is currently fighting a losing battle against technology as they do not have the resources necessary to maintain the identity of millions of people. They need an increased budget that will allow them to hire cybersecurity experts that can improve the systems currently in place, many of which have not been updated for years.

Incentives

The main incentive for these attacks is the ability for criminals to file fraudulent tax returns. While the attackers already knew SSNs, names, birthdays, and addresses, the “Get Transcript” application gave them line-by-line information regarding tax returns for previous years. Although the most obvious incentive for these attacks is money, a more dangerous and possible incentive is identity fraud. Attackers can use the social security numbers, birthdays, addresses, and yearly tax transcripts they obtained to open lines of credit, bank accounts, and to continue stealing future tax returns.

The harm caused by these two attacks was mainly felt by the victims of the tax and identity fraud. Even though these victims were notified that their accounts were potentially compromised, the resources available from the IRS to help those affected is limited to increased credit monitoring. In addition, it is incredibly difficult to receive a new SSN, so while affected taxpayers know that their private information is compromised, they remain unable to protect themselves.

In addition to the victims, the IRS lost its credibility as a secure government agency and $50 million dollars because of its inability to stop fraudulent tax returns. As the IRS is funded by taxpayer money, the effects of this breach continue to be felt by its victims, the American people.

Although the IRS did not break any laws as they did not release any personal information, their response to the attacks did raise important ethical issues regarding the IRS’s lack of action. One possible source of information for the cybercriminals in this attack is from the Anthem and Premera Blue Cross’s data breaches which released millions of people’s’ medical information including their SSN, name, and addresses. This hack was public information that the IRS should have been aware of and should put in preventive measures to protect their current security systems.

Furthermore, the “Get My E-filing PIN” and “IP PIN Recovery” tools should have never requested the same information as in “Get My Transcript”. All of these applications used a similar form of authentication and if one could be exploited the IRS should have realized that the other applications were also vulnerable.

Acknowledgements

We would like to acknowledge Ann Ming for helping us develop our presentation.

Sources

https://qz.com/445233/inside-the-irss-massive-data-breach/

https://nakedsecurity.sophos.com/2016/06/27/irs-hacked-again-say-goodbye-to-that-pin-system/

http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/

https://nakedsecurity.sophos.com/2015/08/18/irs-estimate-of-stolen-tax-records-balloons-to-over-300000/

https://www.forbes.com/sites/stevemorgan/2016/02/28/irs-reports-700000-u-s-taxpayers-hacked-and-47-million-get-transcripts-ordered/#1e03a8227b93

https://nakedsecurity.sophos.com/2016/02/11/pin-stealing-irs-attack-affecting-100000-taxpayers/

https://www.treasury.gov/tigta/management/management_fy2015.pdf

https://nakedsecurity.sophos.com/2016/02/11/pin-stealing-irs-attack-affecting-100000-taxpayers/

http://www.usatoday.com/story/tech/2015/08/17/irs-hack-get-transcript/31864171/

https://qz.com/445233/inside-the-irss-massive-data-breach/

https://qz.com/628761/the-irs-is-using-a-system-that-was-hacked-to-protect-victims-of-a-hack-and-it-was-just-hacked/

https://www.cnet.com/news/russian-hackers-behind-50-million-irs-hack-report-says/

http://edition.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/

http://www.cnbc.com/2016/02/10/ex-fbi-official-irs-is-a-favorite-hacking-target.html

https://www.irs.gov/uac/newsroom/irs-statement-on-ip-pin

https://www.irs.gov/uac/newsroom/irs-statement-on-get-transcript

https://arstechnica.com/tech-policy/2016/02/irs-website-attack-nets-e-filing-credentials-for-101000-taxpayers/

https://www.irs.gov/uac/written-testimony-of-commissioner-koskinen-on-unauthorized-attempts-to-access-taxpayer-data-before-senate-finance-committee

https://www.irs.gov/uac/written-testimony-of-commissioner-koskinen-on-unauthorized-attempts-to-access-taxpayer-data-before-senate-finance-committee

https://www.irs.gov/uac/encryption-requirements-of-irs-publication-1075

https://www.irs.gov/tax-professionals/e-file-providers-partners/security-during-transmission-of-mef-returns-using-the-internet

https://www.irs.gov/uac/taxpayer-identity-verification-information

https://en.wikipedia.org/wiki/Knowledge-based_authentication

http://money.cnn.com/2015/05/26/pf/taxes/irs-website-data-hack/

https://www.youtube.com/watch?v=Erp8IAUouus&feature=push-u-sub&attr_tag=ImO3vYdLf2kfqfIv-6&ab_channel=CGPGrey