The latest numbers from the IRS data breach are pretty big. Not as big as the 21-million-plus compromised Office of Personnel Management records, but still pretty big. To the initial 114,000 accounts improperly accessed that were announced in May, the IRS added another 220,000 in August.
But the number I found most sobering is the success rate of the “unauthorized third parties” who accessed these accounts. According to the agency’s accounting, the criminals were successful in 334,000 out of 615,000 attempts. That is an amazing 54 percent success rate in breaking the authentication process that was supposed to protect access to the online Get Transcript application.
Clearly something was seriously wrong with the access control for Get Transcript. But that was only one part of a chain of problems that enabled this breach, and there is plenty of blame to go around. The thieves apparently already had a wealth of personally identifiable information in their possession before they signed on to the IRS site.
To use a well-worn but accurate cliché, there is no silver bullet to prevent this kind of attack. But there are some lessons to be learned from it.
It is not just the IRS
The IRS breach is an example of the increasingly common multistage attack, in this case with the IRS at the second (or third) stage. The attackers use a successful exploit against one target to compromise a second, and continue moving — either vertically or laterally — until they reach a point at which they can profit from their successes.
As the IRS repeatedly points out in its statements, “unauthorized parties already had sufficient information from a source outside the tax agency.” Given the number of individuals compromised and the variety of personal information required, it is unlikely that it came from any single source. Some enterprising crook assembled and/or bought the information and then built or had someone else build an application to use it. The information then was used against the IRS to gather additional personal tax data. This data then can be used to file fraudulent tax returns or in any number of other identity theft scams.
No one link in this chain can completely stop the crime. Even in the 46 percent of cases in which the IRS stopped the intruder, the personal information is still out there to be used and reused by crooks. Stopping this kind of crime is like trying to stop the English ivy that is overrunning my house. You can pull it down, but unless you get at the root, it will just keep showing up again.
The Turing test
Public-facing applications that enable access to sensitive information (or that could be used as stepping stones in a multistage attack) must be able to distinguish between an automated program and a human being.
When Alan Turing proposed his “imitation game” in 1950, it was an attempt to answer what was then an academic question, “can machines think?” Today, the ability to distinguish between a human and a machine in an electronic exchange has practical implications. By a score of 334,000 to 281,000 the IRS attackers clearly won the imitation game. And we lost.
Some form of out-of-band verification such as a phone call, or a challenge not based on personal information such as CAPTCHA, could help. They are not perfect, but they could help shift the odds in this imitation game.
The IRS breach is routinely cited as an example of the need for better cybersecurity. But much of the personal information used in this attack could have been gleaned from public sources.
The IRS Get Transcript system used multiple challenge questions generated from data held by a credit bureau. But a lot of the same information is in the open on social media networks and other online postings. Scrubbing these posts and dummying up online about our personal lives won’t completely solve this problem, but it couldn’t hurt.
None of these lessons offers a complete solution to protecting our online resources. But if the IRS breach does anything for us, it reminds us that cybersecurity is complex and that the threats we face have real consequences.