Read what Jeff Williams has to say about the data breach the IRS experienced exposing over 100,000 records. What can the IRS do about it and how should it be prevented from happening again in the future?
Point-of-View by Jeff Williams
IRS hit by data breach exposing 100,000 records
Remember that old New Yorker cartoon, “On the internet, nobody knows you’re a dog”? Authentication relies on being able to properly identify people… at least once. Once you have a password (or a stronger credential) established, then all our high-tech authentication stuff works fine (well, actually not that great – but that’s another post). But how do you know who you’re dealing with before that first identification happens?
Well, the IRS decided that if you know a person’s SSN, birthday, and street address, then you must be that person. Hackers figured this out and started scanning for people’s tax records.
I’m irritated that the IRS would expose my information in this way. I didn’t authorize them to disclose it to anyone with a little bit of my personal information. Who has my SSN, birthday, and address? My employer, my healthcare providers, any other government agency, my school, etc… Any of them could have requested my tax information. I guess they could still request it by mail.
It appears that you can set up a more secure credential with the IRS, but I don’t want to have to run around setting up credentials everywhere I want to protect my information. I wouldn’t even know where to start and I’m sure I would miss places.
This isn’t a problem that is unique to the IRS. Think about how you register for just about anything. Typically it’s an email address or some personal information. Hackers can spoof these registrations and hijack your online identity. This whole process is nowhere near secure enough.
For government agencies in particular, we can do better. We should have an official channel that can provide higher assurance authentication before granting access to our personal information.
What can the IRS do about it?
They can set up a better authentication system that relies on strong identity verification. When you go to the DMV, you have to provide a birth certificate, passport, etc… This might be the start of a real authentication system.
There are technologies that can help. There are databases of information that only the real individual would know, such as the make and model of the car you bought in 2004 or the street you lived on in 1998. PGP did it through a web of trust that involved lots of people vouching for an individual’s identity.
I don’t think there’s a short-term fix, but this would be a useful area to invest in cybersecurity, instead of some of the legislation that government is currently pursuing.
How can it prevent this happening again?
Well, they have a service that is built on a very weak identity verification process. They can either turn off the service or beef up the identity verification.
Some might argue that they should look for behavioral anomalies in the use of the Get Transcript service. Perhaps multiple requests for the same transcript, or too much traffic from a single IP. But that’s a very noisy channel and unlikely to detect this attack.
Personally, I can’t believe that you can get people’s tax returns with just an SSN, birthday, and address. What were they thinking?
And can cybersecurity sharing laws (think CISA, currently in Congress) prevent these attacks, which are essentially lone-wolf and almost unpredictable?
Cybersecurity sharing laws are not going to help against anything except the most ham-fisted, broadly targeted scans, which aren’t much of a threat anyway. The vast majority of the information currently being shared is from honeypots, which are never specifically targeted. And firms are not inclined to share threat information even with laws allowing it. There’s a tragedy of the commons – not much benefit for sharing, better to be a free-rider.
And even if people did share attack information, you are right that it wouldn’t have anything to do with a targeted attack like this. Actually, even if every hacker in the world started targeting this IRS problem, no amount of sharing would help.
We need laws that encourage companies to be open and transparent about their defenses, like the “Security Facts” label concept I’ve been talking about. In my opinion, that’s the least intrusive way to create incentives for better security. All this talk about threats and attacks is targeting the part of the problem that is completely out of our control.