May 29, 2015

The IRS announced on Tuesday (5/26/2015) that identity thieves had attempted to access the accounts of 200,000 taxpayers through the IRS’s “Get Transcript” online application. The scary part is that the IRS has admitted that more than 104,000 of those attempts were successful. The hackers’ operation started in February and ran through mid-May. All in all, the IRS was tricked into sending nearly $50 million in refunds for fraudulent returns.

The IRS has started an investigation in the breach and has temporarily closed down the “Get Transcript” application, a service that allows taxpayers gain access to their information. Taxpayers who need access to old tax returns to apply for mortgage or college loans can now request them by snail mail.

irs_data_breachThe IRS is notifying the 200,000 taxpayers whose accounts were tampered with that their Social Security numbers and other personal financial information is in the hands of hackers. It is also offering complimentary credit monitoring to the 104,000 whose “Get Transcript” accounts were accessed to ensure their private information is not used by criminals to fill in bogus bank loans and credit card applications.

This is by no means the first time the IRS has been the victim of online crime. According to a report published by the U.S. Government Accountability Office in January 2015, identity thieves cheated the IRS out of $5.8 billion in falsely claimed refunds during 2013 alone.

Who Stole from the IRS?
According to Peter Roskam, Illinois republican and chairman of a House subcommittee that supervises the IRS, the IRS Commissioner John Koskinen said to him in a telephone call that the theft originated from within Russia. The IRS’s investigation is still ongoing and IRS officials have neither confirmed nor denied Roskam’s statement.

John Koskinen, the IRS commissioner, did say to the press that he was confident they weren’t dealing with amateurs. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

How Did Identity Thieves Steal $50 Million from Taxpayers?
When you think of hackers stealing money from big corporations or government agencies you probably have the image of shady programmers strong-arming the security protocols of their victims’ servers with their sophisticated code; but this isn’t what happened here. Strictly speaking the IRS wasn’t hacked. The identity thieves didn’t need to hack their way into the IRS, because they had all the answers to the IRS’s identification confirmation questions.

As Peter Roskam put it, the identity thieves “went into the front door of the IRS and unlocked it with the key.” The hackers had already obtained personal information on taxpayers, such as their date of birth, address and Social Security information, from previous hacking heists. With that information thieves were able to clear the IRS’s multi-step authentication process, including several personal verification questions that usually only the taxpayer can answer.

What Should You Do?
First, don’t panic. Your personal information is already out there. A motivated hacker can easily obtain it for a few dollars. But this doesn’t mean you should sit on your hands. Consumers can, and should, make things harder for criminals. You could compare it to your home’s front door. No matter how much you spend on security, a professional burglar could break in, but that doesn’t mean you should leave the door open or that you shouldn’t invest in a decent security system.

Here are four things you can do right now to protect yourself after the IRS breach:

1.) Change your passwords again. This is an obvious but often overlooked measure after major breaches. Don’t use your name or words that can be found in a dictionary. The first thing hackers do is use programs that test every word in the dictionary. Instead, create your own secret codes by using anagrams or substituting letters from common words with numbers.

2.) Turn on multi-level authentication. Only use sites that offer you the option of confirming access by receiving a one-time code either via a phone message or email.

3.) Lie on security questions. With the advent of social networks and our propensity to over-share, most security questions are easy to hack. Finding out where someone went to high-school or their mother’s maiden name just isn’t that difficult anymore. Instead of offering truthful answers, provide a second password as your answer. This will make it much harder for hackers to guess your security answers.

4.) Monitor your credit. There are no fail proof security measures against identity theft. You can try to make it harder for criminals but the chances are you will fall victim to identity thieves sooner or later. You can minimize the damage of these attacks by regularly monitoring your credit by scanning your credit history with the three major credit reporting agencies.