US tax system hackers try to use stolen SSNs to generate E-file PINs

Thieves using stolen Social Security numbers attempted to access E-file PINs at the IRS but didn't compromise or expose taxpayer information.

The US Internal Revenue Service (IRS) pinned a recent attempt to infiltrate its systems on malfeasants using a bot and Social Security numbers stolen from other sources but said the attackers didn't compromise or expose personal information of taxpayers.  

On the eve of the IRS commissioner John Koskinen's testimony before the US Senate Finance Committee regarding President Obama's proposed budget, the agency said in a statement that, “identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers.” The agency's investigators found that attackers made “unauthorised attempts involving approximately 464,000 unique SSNs” but that only 101,000 of those were successfully used to access an E-file PIN.

“While of great concern, this latest report of a cyber-intrusion involving the IRS is not surprising in light of the vast inventory of PII (in particular Social Security numbers) in the hands of hackers as a result of countless breaches in the past few years,” Adam Levin, chairman and founder of IDT911 and author of “Swiped”, said in comments emailed to SCMagazine.com.

“The move to send out PINs was smart but not quite sufficient enough to outsmart the adversary,” Chris Ensey, COO of Dunbar Security Solutions, said in comments emailed to SCMagazine.com. “Ultimately the reliance on Social Security Numbers and date of birth as a primary form of identity is archaic and has left all of us vulnerable to fraud.”

The IRS said it is working with other agencies as well as the US Treasury Inspector General for Tax Administration to further assess the hack and is sharing results with state and private sector partners in its Security Summit, which convened early in 2015 and included the IRS, tax preparation companies, software firms and state government administrators. After its inception, the Summit had divided into three working groups: Authentication, Information Sharing, and Strategic Threat Assessment and Response (STAR). Later in the spring Koskinen unveiled a series of recommendations and solutions from Summit members aimed at fighting identity theft tax refund fraud, which Summit participants pledged to support by signing a Memorandum of Understanding (MOU).

Koskinen said at the time that the IRS would authenticate taxpayer returns by reviewing the transmission of the returns, using device identification data tied to the returns' origin as well as the time taken to complete returns, and capturing metadata in computer transactions that will scan for fraud. The IRS also agreed, for the first time, to allow the sharing of aggregated analytical data concerning fraud leads throughout the tax industry.

“With proper oversight and web log review, it is possible to identify bots working to steal data from online applications,” Ensey said, noting that “given the scale at which the IRS works,” that's not an easy task. “With millions of users connecting this time of year to retrieve their PIN, discovering this activity would be challenging without extremely good behavioural analytics monitoring all connections.”
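The kind of web log review Ensey describes can be sketched as follows. This is an added example, not code from the IRS or anyone quoted in the article: the log format, the hashed `id=` field and both thresholds are assumptions, and the sample lines are constructed. It flags clients that request PINs for many distinct identities at machine-like speed and lists which identities they succeeded against, so those accounts can be marked.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: ISO timestamp, client address, keyed hash of the
# submitted SSN (raw SSNs should never be logged), and request outcome.
SAMPLE_LOG = """\
2016-01-20T09:00:00 203.0.113.10 id=a1f3 ok
2016-01-20T09:00:01 203.0.113.10 id=b772 fail
2016-01-20T09:00:02 203.0.113.10 id=c901 fail
2016-01-20T09:00:03 203.0.113.10 id=d44e ok
2016-01-20T09:00:04 203.0.113.10 id=e5b0 fail
2016-01-20T09:00:05 203.0.113.10 id=f6c2 fail
2016-01-20T09:03:10 198.51.100.23 id=9aa0 fail
2016-01-20T09:04:25 198.51.100.23 id=9aa0 ok
2016-01-20T09:10:00 192.0.2.77 id=77d1 ok
malformed line that the parser must skip
"""

def parse(log_text):
    """Yield (timestamp, client, identity_hash, succeeded) per valid line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("id="):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2][3:], parts[3] == "ok"

def flag_bot_clients(log_text, max_identities=3, max_median_gap=5.0):
    """Flag clients requesting PINs for many identities at machine speed."""
    events = defaultdict(list)
    for ts, client, ident, ok in parse(log_text):
        events[client].append((ts, ident, ok))
    flagged = {}
    for client, rows in events.items():
        rows.sort()
        identities = {ident for _, ident, _ in rows}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        if len(identities) > max_identities and gaps and median(gaps) <= max_median_gap:
            flagged[client] = {
                "identities": len(identities),
                "median_gap_s": median(gaps),
                # Identities the client obtained a PIN for: accounts to mark.
                "succeeded": sorted({i for _, i, ok in rows if ok}),
            }
    return flagged
```

Grouping by client address alone misses a bot spread across many addresses, which is where the device identification and behavioural analytics mentioned in the article come in.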

On Tuesday, the agency said it would notify taxpayers of the most recent attack by mail and is marking affected accounts to safeguard them from tax-related identity theft.