The IRS released a statement last week about an unsuccessful attack on its systems wherein fraudsters were attempting to generate an E-file PIN using externally stolen data. In legitimate instances, a tax payer receives an E-file PIN by providing some personal information and answering questions about the previous year’s tax return. The PIN then goes along with the current tax return to the IRS to act as a form of identity verification.
The IRS statement notes this incident was an automated attack of “464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN”. That’s approximately a 22% success rate.
Reflecting on last year’s IRS breach, fraudsters were able to get copies of the prior year’s tax return and refile them, so clearly the identity thieves are privy to information on the tax return. This makes me wonder: Is a system that verifies tax payers using data from a tax return really that secure? I believe verification and authentication of personal information and digital data at the point of tax return-submission is a critical step that should be added to the process.
Authenticating at the point of submission puts an extra step in the process to deter fraudsters and create more risk for them. They have to go through the effort to prepare a return and hope they can file it successfully. However, a likely low rate of success and high time-cost makes this route much less attractive. If authentication at the point of submission was implemented, the identity thieves would have to prepare multiple bogus returns. With more fraud deterrents in place with authentication at the point of submission, more returns would be declined––a lot of work for not a lot of return for the thieves. The type of attack attempted this week depends on high volume—so the key is to deter fraudsters by requiring more authentication at the point of tax return submission to the agency.
The other consideration that came to mind about this incident is that it was an automated attack executed in high volumes—over 460,000 unique SSNs. Clearly this wasn’t an attack executed by 464,000 different people on 464,000 different laptops. The digital data generated from this attack would have been massive and informative. For example, did the automated bot operate like a human clicking through the E-file PIN request application? Did the digital footprint show proxy servers were used, geo coordinates were unusual, or cloud servers were used?
The IRS may or may not have used this kind of technology to identify and stop this attack. Certainly this technology could be used to study the digital data and behavior of an entity—real or not—accessing a site that could be exploited for fraud and expose tax payers to risk. At TransUnion we believe this is a critical piece of fraud prevention and have shown this with our investment in risk and information solutions, innovation—including the recent acquisition of Trustev.
The IRS has one of the toughest cybersecurity challenges in the Federal government. Kudos to them for figuring this one out in time. Share your thoughts about this incident below or contact us to learn more.
Internal Revenue Service, IRS Statement on E-filing PIN, February 9, 2016