For bankers, there are scary parallels between the IRS' failure to protect sensitive personal information and their own such struggles.
There's the need to accommodate a wide range of users ranging from tech-savvy to tech-avoiding. The use of static data to verify identity. The need to cope with slow-moving bureaucracy. The well-intentioned efforts to improve security that only open new doors for clever hackers.
So while it's tempting to roll your eyes and crack jokes when a government agency slips up, the IRS breach may hold some useful lessons for the financial services industry.
The tax agency acknowledged recently that the number of taxpayers whose information has been stolen by hackers through its systems is 724,000 — more than double the agency's previous estimate. And reports say some of the same taxpayers are getting targeted twice, through the very mechanism set up to protect them.
How the Breaches Happened
Cyberthieves broke in through the IRS's Get Transcript program, which taxpayers use to obtain copies of their federal income tax returns from previous years. Often people need to provide an old tax return when applying for a mortgage or seeking tuition aid, or starting with a new accountant. (The IRS suspended Get Transcript online in May 2015 and is working to restore it with enhanced security.)
To check the identity of the person requesting a transcript, Get Transcript asked for the applicant's name, date of birth, Social Security number and filing status. After that data was provided, the IRS asked four knowledge-based authentication questions.
"The problem is that, in many instances, this information can be gathered by a diligent hacker from public databases, social media where people provide this information, and [from] data breaches," said Steven Weisman, a professor at Bentley University in Waltham, Mass., who has written several books about identity theft and scams.
Some of the stolen data was used to file fraudulent tax returns in the victims' names. The IRS said in May that it had paid more than $50 million to criminals filing fake tax returns. The number of acknowledged victims has doubled since then; logically, the losses must have grown also, although the agency has not shared new numbers. (The IRS did not respond to requests for an interview by deadline.)
The targeted taxpayer doesn't lose money — once she re-proves her identity she can file her return and receive a full refund. But she'll have to wait — it takes an average of 278 days for the IRS to investigate income tax identity theft and return a refund to the correct taxpayer. The ultimate victims are all of us taxpayers who gradually refill the IRS's coffers.
To compound the problem, some of the original victims have been scammed again. To protect victims of income tax identity theft, the IRS began letting them set up a six-digit Identity Protection PIN when filing their returns.
However, the Identity Protection PIN program is protected by that same knowledge-based authentication that hackers broke into in the first place.
The IRS shut down its Identity Protection PIN program on Tuesday and said it's looking to improve security.
To make matters worse, hackers have latched onto this situation and unleashed phishing campaigns targeting taxpayers who may be confused. (More on this in my next post.)
Milan Patel, who until May was the FBI's cyber division chief technology officer, said the IRS is doing its best.
"They're a quite capable organization," said Patel, who is now managing director of the cyberdefense practice at K2 Intelligence. "The challenge is that you have a lot of data, you have a lot of people in the organization who are not cybersecurity experts. How do you educate tens of thousands of people whose main job is to check finances and not worry about cybersecurity?"
He also points out that the IRS has to deal with people all over the country whose computer literacy varies widely.
"They have to balance accessibility with changing technology such that they don't alienate a huge population of the United States that's not tech-savvy," Patel said. "If my father was doing something with his taxes, he would probably call. If he tried to interact with a website with two-factor authentication, he'd be lost."
There are a few takeaways for banks from this mess.
1. Rethink knowledge-based authentication.
Because so much personal data can be found on the Internet, identity thieves can sometimes answer these questions better than their victims can.
"This is one of the unintended byproducts of the oversharing economy," said Al Raymond, specialist leader for privacy and data protection at Deloitte (until recently, he was senior vice president and head of privacy and social media compliance at TD Bank). "By putting out so much information about ourselves in social media, fraudsters can easily piece enough of our lives together" to commit fraud of all kinds.
2. Don't let bureaucracy kill a good security idea.