27 May 2015

Oops is, yet again, a government term


The BBC has an article about a goof by our friends at the IRS:
A security breach has allowed criminals to access the tax returns of more than a hundred thousand Americans. It appears that the criminals used stolen personal data taken from other websites that had been hacked, to pretend to be legitimate users.
The Internal Revenue Service was warned of the potential for unauthorized access to the accounts in March of 2015. The online IRS' Get Transcript app involved in the breach has been shut down and an investigation is underway.
Organised Crime
The scam's perpetrators managed to set up fake tax returns and file for tax refunds. The IRS told The New York Times that it had paid nearly fifty million dollars in refunds before it detected the scheme.
The IRS says more than two hundred thousand attempts to view past tax returns using stolen information were made from February to mid-May of 2015, with around half of those being successful.
"We're confident that these are not amateurs," said John Koskinen, the IRS commissioner. "These actually are organized crime syndicates that everybody in the financial industry is dealing with."
Experts say criminals are increasingly using stolen personal information to pretend to be their victims. Security experts are concerned that the IRS' system appeared not to use multi-factor identification, for example sending a one-off code to a user's mobile phone for them to tap into the website, so as to verify that the person giving the information has access to the phone number on record.
The cybersecurity blog Krebs on Security warned in March of 2015 that the IRS' system could be breached when it reported on the case of Michael Kasper, who had tried to file his tax return, only to be told that he had already done so.
In that case, criminals had set up an account in Kasper's name using his social security number, but with a different email address. They filed a false tax return in order to claim a tax refund and had conned the IRS into paying that "refund" into a bank account that Kasper did not recognize.
"The IRS' process for verifying people... is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called "knowledge-based authentication"— i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online," said the security website, commenting on Kasper's case.
The IRS has sent letters to the taxpayers whose accounts had been compromised, and said it would offer them free credit monitoring. The authority said its main computer system, which handles tax filings, had not been breached.
Rico says if it was you or me that screwed up like this, the IRS would be whacking us with fines and penalties...
