Lessons from the IRS Data Breach

Last updated: 16 May 2016

IRS Data BreachIn May 2015,  the IRS announced it was hacked leading to the theft of 100,000 taxpayer’s personal information.

The hackers used personal information gained from third-party sources to circumvent authentication protections. The personal information was used to answer simple Q&A questions designed to validate the identity of people trying to access the IRS “Get Transcript” web service, which enables taxpayers to retrieve their tax records.

In total, the breach affected 334,000 taxpayers, whose personal information including Social Security numbers and home addresses, were compromised.

What are the key lessons to be learned from this attack? One of the most important is that knowledge-based authentication processes—in which an application asks a user a series of questions with answers only the user should know—is a weak form of authentication and security.

There are two reasons for this. One is that with the growing number of data breaches that involve identity theft, cyber criminals already have access to a lot of personal information. The second is that people post a lot of personal information on their social media accounts that can provide answers to these questions.

As noted in an article in Healthcare Info Security), systems relying on question and answer and knowledge-based authentication are prone to such attacks: “the method the Internal Revenue Service used to authenticate users for accessing the Get Transcript application—known as knowledge-based authentication, or KBA—has been widely panned by cyber security experts.”

When organizations are assessing risk mitigation vs. user convenience, it’s crucial to understand the sensitivity of the assets that need to be protected. There’s no point in favoring user convenience over risk mitigation if the asset isn’t appropriately protected and could be easily compromised.

According to the 2014 Breach Level Index (BLI) report by Gemalto, the most common type of attack was identity theft. Organizations that year were hit with 843 such attacks, which accounted for more than half of the total number of attacks (54%).

Examples of major breaches include the Korean Credit Bureau, a South Korean financial services provider that suffered an identity theft breach that involved some 104 million records and reportedly affected 27 million people; JP Morgan Chase, the U.S.-based financial services provider, which suffered an identity theft breach resulting in 83 million records being compromised; and Sony Pictures Entertainment, the U.S-based entertainment company that experienced an identity theft attack that involved a relatively small number of records (47,000) but was one of the most highly publicized hack attacks ever.

One effective solution for avoiding the weaknesses of knowledge-based authentication is to use two-factor authentication. This method can secure access to corporate networks and cloud applications, protect the identities of users and ensure that a user is who he claims to be. It authenticates a user by requiring identify through a combination of something the user knows, such as a password; and something the user has, such as a token or smart card.

Some organizations are hesitant to deploy two-factor authentication in order not to impede the user experience. But there are frictionless and secure methods of strong authentication that offer both a good user experience and good security. These include software authentication (installed on mobile devices); out-of-bans SMS passcode delivery to mobile devices; and pattern-based authentication.

The main factors to look at when considering an authentication solution are flexible authentication choices that can offer different levels of assurance and help organizations achieve the balance they need between convenience and risk mitigation. By offering secure, yet convenient, strong authentication, users will be far more likely to maintain good security practices when accessing online resources.

Leave a Reply

Your email address will not be published. Required fields are marked *