Who should get the blame in IRS breach?

The IRS may need to re-think the security process it uses to check taxpayer identities for its Get Transcripts app.

If cybercrime is visualized as a river, its headwaters may be in a doctor's office in places such as South Florida. It's here where a cellphone photograph of a medical form filled out by a patient can be sold for a minimum of $10.

With that information, fraudsters add other data streams from publicly accessible databases, social media sites and other sources, such as stolen credit records. It's this now-river of data that was used to attack an Internal Revenue Service application called Get Transcripts and access the records of more than 100,000 taxpayers.

The U.S. Senate Finance Committee will hold a hearing today on this breach. The IRS will put some of the blame on lawmakers, at least indirectly. The agency has suffered big budget cuts, including to its cybersecurity program, and has lost some key IT personnel.

But does IRS budget-cutting, from $12.15 billion in 2010 to $10.9 billion this year, fully explain the breach?

If the IRS is asked to explain its security processes, it will describe "a multi-step process to check identities" for its Get Transcript program. The first part involves submitting personal information about the taxpayer, including Social Security number, date of birth, tax filing status and street address. There are also "out-of-wallet" questions, questions "based on information that only the taxpayer should know, such as the amount of their car payment or other personal information," said the IRS.

But one former IRS IT manager, who didn't want his name used, said that IRS cybersecurity officials "would have preferred to implement a more dynamic and aggressive security framework that would have stopped the fraudsters from being able to get in using the information they stole from the third party." IRS senior leadership favored, instead, an approach to keep the process simpler to encourage use, this manager claimed.

A more complex authentication system would have involved a multi-factor authentication approach - "biometrics, dynamic questions using non-public information rather than static or simple out-of-wallet questioning," said this former IRS manager.

But there's no easy approach here. Even if the government were to implement some form of biometrics, it would face potential problems.

The estimated pay rates for cellphone photographs of medical records come from Yair Levy, a professor of information systems and cybersecurity at Nova Southeastern University in Fort Lauderdale, Fla. The theft of medical records is a major contributor to breaches, and he believes that a multi-factor authentication process will be needed that includes biometrics.

But Levy says it will be difficult for the government to win acceptance of biometrics. In his research he sees that people, especially in the U.S., "have this mental resistance to biometrics - they see it as giving a copy of themselves to the government." About 75% will refuse to give the government biometric data "no matter what," he said.

One system that the IRS did put in that can be effective is making a six-digit PIN available to taxpayers, but Levy said a lot of people are not aware of it.

Nevertheless, attackers have been able to get data to answer out-of-wallet questions from publicly accessible records, as well as through the theft of credit records.

"Out-of-wallet challenge response questions, or KBA (knowledge based authentication) would not have offered much of a defense for those who were exploiting the IRS Get Transcript functionality," says John Zurawski, vice president at Authentify, a supplier of authentication services.

Zurawski believes that authentication processes that link phone numbers to people, similar to what online services such as Google now offer, could thwart many attempts to breach records.
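The contrast the article draws between out-of-wallet questions and a factor tied to something the taxpayer physically holds, as an added example that is not from the article, the IRS or Authentify: a small Python model in which a request carrying only knowledge factors (the static identifiers and out-of-wallet answers) passes a KBA-only policy but fails a layered policy that also demands a possession factor, either a pre-issued six-digit PIN or a one-time code sent to a phone enrolled beforehand. It also includes a velocity monitor of the kind that would surface bulk record access, since one source making many proofing attempts is a signal regardless of which policy is in force. The taxpayer record, the policy names, the code-delivery stub and the velocity threshold are all constructed assumptions.

```python
"""Added illustration: KBA-only identity proofing versus KBA plus a possession factor.

Everything here is constructed: the taxpayer record, the policy names and the
one-time-code delivery stub are hypothetical and are not the IRS system.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed sample record for one hypothetical taxpayer.
TAXPAYER = {
    "ssn": "123-45-6789",
    "dob": "1970-01-01",
    "filing_status": "single",
    "address": "1 Main St, Anytown",
    "kba": {"car_payment": "350", "mortgage_lender": "Example Savings"},
    "enrolled_phone": "+1-555-555-0100",   # registered with the agency beforehand
    "ip_pin": "123456",                     # hypothetical pre-issued six-digit PIN
}

STATIC_FIELDS = ("ssn", "dob", "filing_status", "address")

# Pending one-time codes keyed by enrolled phone. A real system delivers the code
# out of band; this stub only records it so the example runs offline.
PENDING_CODES = {}


def _eq(a, b):
    """Constant-time comparison so match/mismatch timing leaks nothing."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def check_kba(record, submitted):
    """Knowledge factors only: static identifiers plus out-of-wallet answers.

    Every value checked here can be learned from leaked or public records, so
    passing proves knowledge of the data, not possession of the identity.
    """
    for f in STATIC_FIELDS:
        if not _eq(record[f], submitted.get(f, "")):
            return False
    answers = submitted.get("kba", {})
    return all(_eq(v, answers.get(k, "")) for k, v in record["kba"].items())


def issue_otp(phone):
    """Generate a short code bound to the enrolled phone (delivery is stubbed)."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone] = code
    return code


def check_possession(record, submitted):
    """Accept either the pre-issued IP PIN or the code sent to the enrolled phone."""
    if "ip_pin" in submitted:
        return _eq(record["ip_pin"], submitted["ip_pin"])
    # pop() makes the code single-use: a replayed or guessed code never matches.
    code = PENDING_CODES.pop(record["enrolled_phone"], None)
    return code is not None and _eq(code, submitted.get("otp", ""))


def authorize(record, submitted, policy):
    """Return True if a transcript request would be released under `policy`."""
    if not check_kba(record, submitted):
        return False
    if policy == "kba_only":
        return True
    if policy == "layered":
        return check_possession(record, submitted)
    raise ValueError(f"unknown policy {policy!r}")


class VelocityMonitor:
    """Flag a source that makes more than `limit` attempts within `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.attempts = defaultdict(deque)

    def record(self, source, now=None):
        now = time.time() if now is None else now
        q = self.attempts[source]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit   # True means "flag for review"


# Constructed scenario: everything the fraudster holds is knowledge, nothing is possession.
STOLEN = {
    "ssn": "123-45-6789", "dob": "1970-01-01", "filing_status": "single",
    "address": "1 Main St, Anytown",
    "kba": {"car_payment": "350", "mortgage_lender": "Example Savings"},
}

if __name__ == "__main__":
    print("KBA only, stolen data:", authorize(TAXPAYER, STOLEN, "kba_only"))
    print("Layered, stolen data:", authorize(TAXPAYER, STOLEN, "layered"))
    code = issue_otp(TAXPAYER["enrolled_phone"])
    print("Layered, enrolled phone:", authorize(TAXPAYER, {**STOLEN, "otp": code}, "layered"))
```

The point of the model is that the first two calls take identical input: the KBA-only policy cannot tell the owner from someone holding the owner's records, while the layered policy needs something the records do not contain. The velocity monitor is deliberately separate from the policy, so it can be run over proofing logs even before the authentication design changes.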

IRS funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015 -- a drop of more than 20%, said Matthew Leas, an IRS spokesman, in a response to a query from Computerworld.

The biggest cut happened in 2011. Funding fell off a cliff in 2011 and declined to $129 million in 2012, and then rose. (This 2011 budget data was not immediately available when Computerworld first reported on the staffing decline and budget. The available data shows an increase from 2012 to 2014.)

"Complicating this situation even further are staffing issues, both in cybersecurity as well as leadership and executive positions across the agency," said Leas, in a statement.

In addition to a smaller workforce, the IRS "lost several key leaders in the information technology and analytics areas due to the loss of streamlined critical pay authority late last year," said Leas, in a statement.

The critical pay authority allowed the IRS to appoint or retain people with a high level of expertise for up to four years at salary rates above normal government levels. But no one could be paid higher than the vice president, who earns $233,000.

IT appointments accounted for most of the positions filled under this program. The "private-sector expertise had been crucial to introducing new leadership to supplement in-house expertise," according to a report late last year by the Treasury Dept.'s Inspector General.

Stories by Patrick Thibodeau