With the IRS breach impacting more than 100,000 taxpayers, a lot of people are starting to wonder how this happened and whether they will be affected. The IRS has promised to notify everyone and provide credit monitoring for the affected accounts, but is that enough? Probably not, but that’s the “go to” solution for data breaches these days.
The ease with which hackers were able to compromise the “Get Transcript” site is disturbing. As is the efficacy of the hackers – more than 50% of their attempts were successful! The question becomes, why was this so easy? First, I wouldn’t fully blame the IRS – it wasn’t necessarily lax controls – the verification questions they use to confirm identity are common across many sites and vendors. If you were trying to confirm someone’s identity, you would try to ask them questions only they would know – where they grew up, their high school’s mascot, their first pet’s name. Before the rise in popularity of social networking sites like Facebook and LinkedIn, that personal information was fairly hard to find out. Today, people are posting an incredible amount of information about themselves. So, piecing together the once disparate bits of information is now pretty easy.
We put up with new security measures at airports, forcing us to arrive earlier, take off our shoes and jackets, open our laptops, and sometimes subject ourselves to full body scans. We put up with it because we want a safer travel experience. Post 9/11, it’s the new normal. We may ultimately see a cyber event that creates the same level of change in digital security. For example, today your social security number is the gold standard for identification. But we know it’s becoming less useful as a way to verify your identity. And with your social security number often interconnected with other data on the web, it’s becoming easier and easier for hackers to acquire. New methods need to be considered, such as two-factor authentication and dynamic knowledge authentication. Will this make it less convenient for people? Likely. Will it help protect your information? Yes.
The IRS breach is another wakeup call in a string of wakeup calls – Target, Home Depot, JP Morgan, Sony, and Anthem. All have been attacked and information has been lost. We’re sure to see additional security measures in place on web sites, applications, and other portals into our personal and confidential information. Whether it’s two-factor authentication or biometric access, our world will change, and we’ll have to accept this new normal.
So, what can you do? If you were one of the 100,000 breached accounts, most likely thieves have some of your personal information that can be used against other systems that use a similar knowledge-based authentication (KBA). If your social security number is one of those pieces of data, you can request a new number. If you do receive a new social security number, you’ll potentially be updating a lot of companies and organizations that have used that number as part of your identity. You will probably also want to update all your financial institutions, healthcare providers, and the myriad web sites to which you’ve provided your KBA data for password resets or identity verification. One KBA technique is to answer the challenge questions with nonsensical information. For example, when asked your favorite color, you might say “breakfast” – obviously not a color – but the system won’t care – it just wants to have a word that it can match against its database. Cyberthieves who mine data about you will find it much harder to pass that challenge. In addition to making these changes, you should also increase your vigilance in reviewing your bank statements and other reports that might expose fraudulent actions. If you’re a victim of identity theft, the road to recovery can be lengthy and painful. The FTC also has suggestions for victims. If you’re fortunate enough not to be one of these victims, it’s probably still a good idea to implement some of the above suggestions – make it hard for future thieves to hack your life.
Some further reading on the IRS breach for your convenience.