Earlier this week, the IRS announced that the hacking of its “Get Transcript” program, which they had originally announced in May and which was the subject of my Scam of the day for May 28th was far worse than they originally disclosed. While originally, the IRS stated that 104,000 people were affected by the IRS data breach, now the IRS is saying that the number of people affected is more than 300,000. As a result of the data breach, the IRS indicated it paid more than 50 million dollars in fraudulent returns filed using the information stolen from the IRS’ “Get Transcript” program. The”Get Transcript” program enables taxpayers to get copies of their federal income tax returns from previous years. People often use this service to get copies of earlier income tax returns for uses such as when they apply for a mortgage or financial aid for college. The IRS shut closed this service when it became aware that vulnerabilities in the system resulted in hackers attacking the system from mid February until May posing as legitimate taxpayers and getting copies of income tax returns which could provide information that would enable the hackers to steal the identities of their victims and file phony income tax returns in the names of their victims and claim bogus refunds.
Although many people were surprised at this hacking, Scamicide readers were not among them because here at Scamicide, we exposed this vulnerability in the “Get Transcript” program in our Scam of the day for April 3, 2015. Apparently, the IRS doesn’t read Scamicide. Maybe it should.
The problem with the system was in the authentication process used by the IRS to limit access to this information to the taxpayer who is seeking his or her own income tax returns. In order to access the income tax returns, the system required the inquirer to provide his or her name, Social Security number, birth date, address and other personal identity verifications, such as what was your high school mascot or when you got a mortgage. The problem is that, in many instances, this information can be gathered by a diligent hacker from public data bases, social media where people provide this information to hackers, and data breaches.
If you are one of the people affected by this data breach, you will get a letter, not an email, from the IRS and will be offered free credit monitoring services. These letters will not require you to provide any personal information in response. Any communication you get that purports to be from the IRS that requests that you provide personal information is not from the IRS, but from another scammer.
A lesson for all of us is to remember to try to protect the privacy of your Social Security number as best you can. Most identity theft starts with the identity thief obtaining and exploiting the victim’s Social Security number. Don’t provide it to companies with which you do business unless you absolutely must do so. Medical care providers routinely ask you to provide this, but they have no need for this and the health care industry has been among the worst in protecting its data from being hacked.
The verification process of using personal identity verification information is fundamentally flawed in today’s world. Better systems should be used, such as dual factor authentication where a code is sent to your smartphone when you need to access an account.