The IRS issued an official statement on the incident and specified that the compromised system was “Get Transcript.” The Transcript service could be used by taxpayers to get a transcript online or by mail to view their tax account transactions.
The Get Transcript Online feature of IRS.gov allows taxpayers to get “tax account transactions, line-by-line tax return information or wage and income reported to us for a specific tax year,” according to the official page of the IRS.
In order to obtain a transcript online, the users have to provide a Social Security number and an active e-mail address. Once the e-mail address was confirmed as legitimate, the IRS procedure requests a number of questions about personal, financial, and tax information of the users before making the transcript available for the download.
The hackers bypassed the security screen requiring user information such as SSN, date of birth, and street address in order to access taxpayers’ data.
The IRS counted more than 200,000 attempts, about half of them were successful. The IRS has temporarily interrupted the service, explained that the service was targeted by the hackers in a two-month period between February and mid-May.
“The online Get Transcript service is currently unavailable. Transcripts may still be ordered using the Get Transcript by Mail service. We apologize for any inconvenience.” states the message on the IRS page.
“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” an IRS spokesperson said in a statement to reporters. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”
The Government Office hasn’t provided further details on the attack neither revealed how hackers bypassed authentication mechanisms.login screen has not been revealed at this time. In March 2015, the popular security expert Brian Krebs reported for first the risks related to the access for the IRS’ transcript service.
The expert explained that someone had already registered through the IRS’s site using his Social Security number and an unknown email address. The hackers had used the personal information of the taxpayers to get a refund direct deposit.
“If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.” worte Krebs on this blog.
The process of authentication implemented by the IRS service is based on the knowledge of user personal information (knowledge-based authentication) that never changes making possible for an attacker to gain them in various ways.
SSN numbers, for example, along with other PII are easy to acquire in the various black markets, recent data breaches of Anthem and CareFirst have made available on the market data related to million customers.
“The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season,” a statement form the IRS explained.
(Security Affairs – IRS, data breach)