I started "working" a few hours a week teaching programming at my kids' school. When they put me on the payroll I was astounded by the number of forms I had to fill out. I counted 15 forms requiring my signature, no less than 5 of which required my SSN.
Lo and behold, there was a data breach of employee and volunteer records. Volunteers had to have background checks, which required the SSN. Thousands of people had their IRS return hijacked due to this breach. I personally know dozens of people who were impacted.
From what I've seen of their information security, I remain completely unsurprised that they had this breach and that to this date they have no idea how it happened.
You can look at it from the other side too, maybe Americans are putting too much weight on the SSN. I could practically post my Spanish ID number next to my name online and nothing would probably happen. As a matter of fact, a stupid regional government agency posted it next to my name in 2011 and it's been up ever since.
If you properly protect your security number, which requires some monthly commitment (such as $15 lifelock, or freecreditreport $5 per month), you can pretty much post your SSN online and really not much will happen. Any time someone uses it, you will get the alert and chance to act (stop the inquiry before it hits hard).
It's just that most people believe that not making their SSN public is enough for it to be safe.
The CEO of Lifelock posted his SSN in several ad campaigns to tout the effectiveness of Lifelock. And, surprise, his identity was "stolen" 13 times[0].
1) There are free sites to monitor your credit such as Credit Karma. No need to pay hundreds a year. They even send out emails whenever you open up a new line of credit. Lifelock is a huge scam and has been fined by the FTC.
2) Just being alerted when someone else opens up credit in your name is hardly "protection." They still opened up credit in your name and you have to deal with that which is at the very very least inconvenient.
3) Posting your SSN online makes products more expensive for everyone because companies at the very least have to devote extra man hours every time someone else tries to take out credit in your name. Even if nothing happens to you they may have already issued a loan to the person and now have to write that off.
4) This is about fraudulent tax returns which credit monitoring companies wouldn't have info on.
I've had my identity stolen and I can tell you, it is truly awful.
I believe that this actually happened to me -- which tells me the 100,000 number is way too low. To be more precise: when we went to electronically file our 2014 return, it was rejected because our return had already been filed (not by us, of course). I (like 80+ million others) am a victim of the Anthem breach, and I have assumed that my fraudulent return was part of that breach. (Regardless, I have opted into the identity protection that Anthem has provided as restitution to victims of the breach.[1])
As part of clearing this up with the IRS, I had to verify my own identity and validate that the return that we (physically) sent was the true and correct return. After a whopping 2+ hours on hold, I ran a grueling gauntlet of rather obscure questions that amount to some flimsy shared secrets I happen to have with the IRS. Once my identity was confirmed, I learned that the thieves had filed a 2014 AGI that exactly matched my 2013 AGI. The IRS representative told me that this was unusual (that is, that normally they just make numbers up), and it's clearly stupid (my return was flagged and didn't pay out), but it obviously left me concerned that someone had somehow located my 2013 return. With this latest revelation, it's now clear that this could have easily happened via the IRS itself.
Assuming that my experience is indicative of a larger trend, I expect many more similar revelations as the IRS picks up the debris from the 2014 tax season -- and it wouldn't surprise me at all if the true target of the Anthem breach wasn't in fact the IRS: this crime is just too damn easy to pull off and get away with. The bright side of all this: things very clearly have to change, and I wouldn't be at all surprised if the IRS ends up issuing PINs to all e-filers this coming year.
It's in the second paragraph of the article. They used a Get Transcript web form to get your prior year tax form from the info they had from the Anthem breach.
Which effectively confirmed what we already knew, which is that the Anthem breach was made more damaging by the ease with which criminals can file a fake return for you.
Unbelievable that the IRS would have this "Get Transcript" feature readily available via the web without any password, or better two-factor authentication. It's already been taken offline, but was up for a long time.
Will there be punitive lawsuits against the IRS as there were for Target and likely will be for Anthem?
So the IRS has a form you can send in to put a fraud alert or some type with them so I guess they will give your tax return special attention to see if it is really you next time.
Also - I'm confused - I have an e-file PIN. You don't?
You can e-file without an IRS-issued e-file PIN. I know of at least one tax filing software program that uses only your previous year's AGI to verify your identity to the IRS.
So having an e-file PIN, or even using an e-file PIN to e-file, does not imply that your tax return can't be e-filed by someone else who only has your previous year's AGI.
If this were a company, the headline would have been "IRS hacked; tax information stolen from 100,000." Instead the IRS was able to spin it to The Washington Post. The headline is "thieves stole tax info." Thieves!
> Instead the IRS was able to spin it to The Washington Post. The headline is "thieves stole tax info." Thieves!
They spun it even better than that. The headline is "thieves stole tax info from 100,000 people" (i.e. not from the IRS, but from the people themselves).
That's not borne out in the slightest by what we know from the article. These people might've been phishing victims - you wouldn't claim a bank is hackable because people entered their bank password on a phishing site.
But these aren't phishing victims. The IRS deployed a system which returns a treasure trove of personal information to anyone who presents a few shared secrets. This is a fundamentally flawed authentication mechanism devised by the IRS.
Those shared secrets were likely obtained by either phishing or a data breach. There's no indication thus far that the IRS was the source of the information that let people obtain these returns.
"Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal."
I am having a really tough time believing she never suspected she was doing something illegal.
It's actually more common than you think, people can be pretty naive. These people create a fake company name and website and then post "work from home" job listings on monster.com.
I think the system used to claim your account is the one that had data stolen from it.
Our luck ... our data was stolen in the Anthem fiasco and used to submit fraudulent returns. No problem. The IRS contacted us to let us know and asked us to use the verification system to prove we were ourselves.
I cannot wait for the auto notification we were part of this data issue. lol
What I cannot understand about the issue is no one noticed a 50% failure rate in the process.
After Brian Krebs exposed this security loophole in March 2015, the IRS apparently did nothing. Why doesn't the IRS site allow users to create a secure account? For example, see the Social Security site at https://secure.ssa.gov/.
Yeah, I saw it then and got PDFs of all prior year taxes. Info needed was surprisingly little. I had way more trouble changing the first password I used than I did setting up my account in the first place.
Since the IRS has custody of other people's sensitive data, they should be held to a different standard than the carefree homeowner in your example.
If I pay my bank for a safe deposit box, good security is part of what I am paying for. If it can be shown that they were lax/careless/negligent in the event of a theft, then I certainly would lay blame with both the bank and the thief for loss of my assets.
This is even more the case for a government with vast resources.
Perhaps, but what I can blame them for is for having very poor monitoring (50% failure rate and nobody noticed??) and poor security, culminating in this data breach.
People need to be held accountable for the security of their systems when they are storing personally identifiable information on customers or the public at large.
Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to break in, but if this is due to their failure to patch their systems, IMO they're 100% liable for everything that follows.
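The monitoring gap raised in this comment and a few posts earlier (a 50% failure rate on the verification step that nobody noticed) is the kind of thing a per-window failure-rate check against a baseline surfaces. What follows is an added example written for this thread, not code from the IRS or from any poster; the log format, the `kba_verify` endpoint name, the `reason` values and the sample lines are all constructed for the example.

```python
"""Failure-rate monitoring for a knowledge-based authentication (KBA) endpoint.

Constructed example: hourly failure rate of a 'kba_verify' endpoint compared
with a historical baseline, plus a breakdown of failure reasons so that
ordinary typos (address_mismatch) can be told apart from guessing
(ssn_dob_mismatch). Log format and sample lines are invented for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: a quiet hour (1 failure in 8) and a noisy hour
# (5 failures in 10, most of them from two addresses in quick succession).
SAMPLE_LOG = """\
2015-02-01T09:00:01Z kba_verify src=198.51.100.10 result=pass
2015-02-01T09:02:11Z kba_verify src=198.51.100.11 result=fail reason=address_mismatch
2015-02-01T09:05:40Z kba_verify src=198.51.100.12 result=pass
2015-02-01T09:10:03Z kba_verify src=198.51.100.13 result=pass
2015-02-01T09:15:22Z kba_verify src=198.51.100.14 result=pass
2015-02-01T09:20:09Z kba_verify src=198.51.100.15 result=pass
2015-02-01T09:31:47Z kba_verify src=198.51.100.16 result=pass
2015-02-01T09:45:00Z kba_verify src=198.51.100.17 result=pass
2015-02-01T13:00:02Z kba_verify src=203.0.113.5 result=fail reason=ssn_dob_mismatch
2015-02-01T13:00:03Z kba_verify src=203.0.113.5 result=pass
2015-02-01T13:00:05Z kba_verify src=203.0.113.5 result=fail reason=ssn_dob_mismatch
2015-02-01T13:00:06Z kba_verify src=203.0.113.5 result=pass
2015-02-01T13:00:08Z kba_verify src=203.0.113.6 result=fail reason=ssn_dob_mismatch
2015-02-01T13:00:09Z kba_verify src=203.0.113.6 result=pass
2015-02-01T13:00:11Z kba_verify src=203.0.113.6 result=fail reason=ssn_dob_mismatch
2015-02-01T13:00:12Z kba_verify src=203.0.113.6 result=pass
2015-02-01T13:07:30Z kba_verify src=198.51.100.20 result=fail reason=address_mismatch
2015-02-01T13:20:44Z kba_verify src=198.51.100.21 result=pass
"""

# The timestamp is captured only down to the hour, which becomes the bucket key.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z\s+kba_verify\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>pass|fail)(?:\s+reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hourly_failure_rates(lines):
    """Map each hour bucket to a (failures, attempts) pair."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not counted as attempts
        totals[rec["hour"]][1] += 1
        if rec["result"] == "fail":
            totals[rec["hour"]][0] += 1
    return {hour: (fails, n) for hour, (fails, n) in totals.items()}


def failure_rate_alerts(lines, baseline=0.15, min_attempts=5):
    """Hours whose failure rate exceeds the baseline, as (hour, rate) pairs.

    'baseline' stands in for the historical failure rate of legitimate users
    (mistyped addresses and the like); 'min_attempts' avoids alerting on a
    single failure in an otherwise idle hour.
    """
    alerts = []
    for hour, (fails, n) in sorted(hourly_failure_rates(lines).items()):
        if n >= min_attempts and fails / n > baseline:
            alerts.append((hour, round(fails / n, 2)))
    return alerts


def fail_reasons(lines, hour):
    """Count failure reasons within one hour bucket, for triage of an alert."""
    reasons = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["hour"] == hour and rec["result"] == "fail":
            reasons[rec["reason"] or "unknown"] += 1
    return reasons


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hour, rate in failure_rate_alerts(lines):
        print(f"ALERT {hour}: failure rate {rate:.0%}, reasons {dict(fail_reasons(lines, hour))}")
```

The reason breakdown matters for the point made later in the thread that address formatting alone produces a steady trickle of failures: a spike made up of `ssn_dob_mismatch` from a handful of sources looks nothing like legitimate users mistyping "St" for "Street", and the baseline should be set from the latter.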
50% failure rate is probably pretty normal for a form asking for SSN, name, address, and birth date - I fail my bank's security questions at least 1/3 of the time because things like "Anywhere Street" and "Anywhere St" are not the same.
Shouldn't that work with companies as well, not just IRS?
Take for example some large corporations. E.g. if Amazon or Google stores their customer information carelessly, and someone steals it - then Amazon would be the victim, and if you say that they should have protected the information, you are blaming the victim because you don't like them?
The American revenue service has even larger resources and also a larger responsibility than even the largest of multinational corporations. They should be held accountable for what they do (like the tax officials in any country).
There is a fundamental difference between HN and the IRS (for Americans, and corresponding agencies of the government for people in other countries): using HN is completely voluntary. Giving your personal information in a tax return is mandatory and not complying is punished severely.
In my opinion, this sets the required standard to a completely different class. The tax services have an important responsibility to process their information in a secure way. The information needs to be protected against leaks.
And from the outcome we can see that the protections are not adequate.
"In my opinion, this sets the required standard to a completely different class. The tax services have an important responsibility to process their information in a secure way. The information needs to be protected against leaks."
There is no way to protect leaks 100%. So you have unrealistic expectations.
Taxes in the U.S. are absolutely ridiculous. Nearly everything is already reported to the IRS by employers, banks, brokers, etc. Why spend hours filling out and copying all that crap, and signing thing after thing after thing just to send the IRS information they already have?
The problem seems to be trying to carve out exemptions for little things here and there.
Just use a decent tax rate, get rid of all that crap, calculate what I owe and send me a bill or send me a check if I over-withheld or something.
Why spend hours filling out and copying all that crap, and signing thing after thing after thing just to send the IRS information they already have?
Because Intuit, H&R Block, and others like them who have built substantial businesses doing all that empty-work for you have made damn sure that Congress doesn't legislate their meal ticket away.
The IRS said the thieves accessed a system called “Get Transcript.” In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address.
Do we know if the system was compromised, or if the thieves just had access to the personal information of those taxpayers?
This happened to a few people I work with. 100k seems low. They found out by the IRS rejecting their return as they had "already filed".
You'd think we'd have a better system by now than a short-ish unique number which never changes during your lifetime as the key for much of your financial / credit-related authorization.
SecureKey IIRC is used by Canada. USPS is in a unique position in that they have a ton of employees who can literally verify mailing addresses by brute force. Every day (except holidays). Rain, snow or shine.
Having USPS in charge of the US's future "online identity" would be a good way of transforming the ailing agency and giving them a very useful purpose that only USPS can do. There's a lot of win/win potential here.
I believe that verifying and vouching for the identity of its citizens is one of the legitimate roles of government. I find it odd that we can have government issued social security numbers, passports, and driver's licenses, but I can't go to some office and have the US government sign my public key or SSL certificate. For some reason, if it's electronic, government is expected to defer to the free market.
This is/should be the main offering of the USPS - secure identity location verification.
It's too bad their hands are so tied by Congress (and a malicious one at that - having to pay pension fund 75 years early)... they might have made this move a decade or so earlier.
This isn't about the normal theft of someone's tax refund by fraudulently filing a tax return. This is about the IRS itself divulging the sensitive data required to fraudulently file tax returns. Someone tried about 200k times and got about 100k sets of people's tax histories.
In the more mundane act of fraudulently bypassing the IRS's trivial security to steal a tax return… thieves got me, probably as a result of Anthem's inadequate security. The thieves didn't even have the courtesy to pay what I owed! I say you file my tax return, you take your chances.
The maddening part, aside from the scramble when the April 14th filing from the tax people failed, is that no one in law enforcement is the slightest bit interested in enforcing the law.
As a French citizen, and on behalf of everybody I know who doesn't live in the US (and some that do), the idea that knowing somebody's SSN basically puts you in control of their life and gives you the ability to ruin it is unbelievably ridiculous.
Someone fraudulently used my social security number. It is such a sick and terrible feeling knowing that your number is "out there" and can be used by anyone for a whole host of things. It feels horrible and really, really violating.
* Sequential numbers assigned to members of the same family are causing problems;
* More than one person is assigned or using the same number;
* A victim of identity theft continues to be disadvantaged by using the original number;
* There is a situation of harassment, abuse or life endangerment; or
* An individual has religious or cultural objections to certain numbers or digits in the original number. (We require written documentation in support of the objection from a religious group with which the number holder has an established relationship.)"
The problem is it wasn't a designed system, it just came about by itself slowly over time. Social security numbers were never designed to be used in any way outside of social security.
That's a much larger problem than this current breach in the linked article. People have been filing early fraudulent returns for a long time because it's not that hard to do. I seem to recall reading the tricky part is figuring out how to actually get the money, since it will be issued in the name of the person who filed. The good news is it's often detected when people file their real return. I'm sure it's a giant hassle though.
If you're wondering whether or not this happened to you, one way to know is if you were able to file your own return. If your own tax return was rejected because it had already been filed, it means someone was able to attempt to file a fraudulent return using your identity. Of course, this is only assuming that they managed to submit a return as you at all. It's possible your information was taken but not used.
Imagine if all government software was open source and significant bug reports and contributions were rewarded with cash... I hope we reach some happy medium between that and what we have today in the future.
This wasn't a hack or a bug - open source software built to do the same thing would've been just as vulnerable to this.
Per the article, the attackers had to put "the taxpayer’s Social Security number, date of birth, address and tax filing status" into a form to get access.
You assume that the goal is to make society better. Currently one of the two major parties has aggressively staked out the position that government cannot work and should be privatized – from that perspective dysfunction is a goal, not a problem.
I liked Adam Gopnik's summation last week:
“What we have, uniquely in America, is a political class, and an entire political party, devoted to the idea that any money spent on public goods is money misplaced, not because the state goods might not be good but because they would distract us from the larger principle that no ultimate good can be found in the state. Ride a fast train to Washington today and you’ll start thinking about national health insurance tomorrow.”
Feel like expanding that point? I mean shrinking government and changing society so people depend on it less is literally part of the national GOP platform. Is your argument just that they're not willing to sabotage things for political advantage? (and, if so, how are we to explain the billions spent shutting down the federal government as a negotiating tactic?)
Let's see the drug war, DHS, military, NSA, no child left behind--just to name a few. The gov increased under Reagan despite what conservatives will tell you. The GOP has been part of massive increases in gov. Why would someone in political power ever be for downsizing gov, save a few outliers? It's just pandering to the base.
A short-term sabotage is not out of the question.
Actually, I have a graph showing how gov actually increases more under GOP control than democrats. Hold on.
I must not have made my position clear. I don't think that they're particularly committed or effective deficit hawks – the true fiscal conservatives were purged years ago – but rather that this is now a key part of their public image. They heavily promote the idea that government is inefficient because it keeps people voting for them and, most importantly, keeps corporate-backed groups like Fox News from going on the attack in the next election.
That might necessitate a token effort somewhere to cut things but the real goal is the posture, not the results, so maximizing inefficiency isn't something they're concerned with. In most cases, they'll try to cut things which affect people who don't vote for them anyway – mass transit, funding for the poor, etc.
So you really think whatever they tell you is true? The GOP has not actually shrunk the government. Even when they had full control over the senate, house, and the presidency, they did not shrink the government... in fact, they made it bigger.
Lately they have cut things – the sequester was real and will be causing damage for decades[1] – but generally in the least productive ways possible. That gives them something to point at while still leaving plenty to rant about and, of course, more chances to grandstand over self-created problems like backlogs at the IRS, VA, etc. I'm sure we're going to hear plenty about this security breach and nobody will mention that the federal pay scale tops out below what the average infosec professional makes or that agencies have been begging for funding to improve their IT staff for years.
1. Most young scientists are leaving research due to budget cuts at NIH, NSF, NASA, etc. They're unlikely to ever come back so we've lost a large chunk of an entire generation of research in most fields. Sure, many of them are going to industry but I would submit that a crop of data scientists selling ads is less productive for the country long-term than all of the foundational pure research which industry rarely funds.
The poster above is saying that it's part of the GOP's political agenda that's marketed to voters, rather than necessarily what they do once they're in office.
No he's not. It's called a "thread". He's replying to a post that says "Just a talking point--empirically that's not true." and he's saying it's more than a talking point because it's in the GOP platform.
It's not complicated to understand if you already understand the prerequisite concept of individuality - that each person acts somewhat independently of everyone else in the world.
You have to understand individuality and apply it broadly. If you don't, then it's cognitively easier to lump people into groups that you don't have to care about, and can even grow to hate.
It looks like they've at least pulled the link to request transcripts online.
Alert: The online Get Transcript service is currently unavailable. Transcripts may still be ordered using the Get Transcript by Mail service. We apologize for any inconvenience.