Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Who should get the blame in IRS breach?

Patrick Thibodeau | June 3, 2015
The IRS may need to re-think the security process it uses to check taxpayer identities for its Get Transcripts app.

If cybercrime is visualized as a river, its headwaters may be in a doctor's office in places such as South Florida. It's here where a cellphone photograph of a medical form filled out by a patient can be sold for a minimum of $10.

With that information, fraudsters add other data streams from publicly accessible databases, social media sites and other sources, such as stolen credit records. It's this now-river of data that was used to attack an Internal Revenue Service application called Get Transcripts and access the records of more than 100,000 taxpayers.

The U.S. Senate Finance Committee will hold a hearing today on this breach. The IRS will put some of the blame on lawmakers, at least indirectly. The agency has suffered big budget cuts, including to its cybersecurity program, and has lost some key IT personnel.

But does IRS budget-cutting, from $12.15 billion in 2010 to $10.9 billion this year, fully explain the breach?

If the IRS is asked to explain the security processes it will describe "a multi-step process to check identities" for its Get Transcript program. The first part involves submitting personal information about the taxpayer, including Social Security number, date of birth, tax filing status and street address. There are also "out-of-wallet" questions, questions "based on information that only the taxpayer should know, such as the amount of their car payment or other personal information," said the IRS.

But one former IRS IT manager, who didn't want his name used, said that IRS cybersecurity officials "would have preferred to implement a more dynamic and aggressive security framework that would have stopped the fraudsters from being able to get in using the information they stole from the third party." IRS senior leadership favored, instead, an approach to keep the process simpler to encourage use, this manager claimed.

A more complex authentication system would have involved a multi-factor authentication approach - "biometrics, dynamic questions using non-public information rather than static or simple out-of-wallet questioning," said this former IRS manager.

But there's no easy approach here. Even if the government were to implement some form of biometrics, it faced potential problems.

The estimated pay rates for cellphone photographs of medical records comes from Yair Levy, a professor of information systems and cybersecurity at Nova Southeastern University in Fort Lauderdale, Fla. The theft of medical records is major contributor to breaches, and he believes that a multi-authentication process will be needed that includes biometrics.

But Levy says it will be difficult for the government to win acceptance of biometrics. In his research he sees that people, especially in the U.S., "have this mental resistance to biometrics - they see it as giving a copy of themselves to the government." About 75% will refuse to give the government biometric data "no matter what," he said.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.