2015 was the year of the U.S. Internal Revenue Service (IRS) Get Transcript identity theft. Since the spouse and I were affected by this breach last year, I figured I’d better have a look into any recent developments.
The IRS has implemented new safeguards for 2016 to help taxpayers verify their identity and the validity of their tax returns, before it will accept the returns for processing. Here’s a summary:
- Stronger password with a minimum of eight characters, including alphanumeric and special characters
- Three security questions to verify identity upon login
- Account lockout features for session length, and number of login attempts
- Email address verification, via email or text with a PIN to a mobile phone
- Optionally, provide a drivers’ license number for filing a state tax return
Four out of five of these requirements are based on inadequate authentication. Strong authentication requires a combination of different types of authentication factors, i.e. something you know, something you have, and something you are. Mixing authentication types can increase the “hassle-factor” for bad guys trying to steal a tax return or other important information. If an account is more difficult to breach, maybe they’ll move on. So, how do the new 2016 IRS security requirements stack up?
Passwords
Passwords belong to the “something you know” category. Any strong password containing special characters, mixed case letters and digits, is either hard to remember if it’s truly unique, or it is easy to re-use once it’s been typed in a few times. Outside of Centrify, I use a password vault to store strong passwords or passphrases, but don’t rely on them alone for important accounts. Wherever supported, I’ll include a second factor such as a one-time passcode (OTP) or a hardware token such as a Yubikey.
Security questions
The typical answers to security questions are by their nature, also part of the “something you know” category. The website, goodsecurityquestions.com offers five tips for what constitutes a good security question:
- Safe: can’t be guessed or researched from social media, social engineering, or other publicly available information
- Stable: doesn’t change over time
- Memorable: can be remembered
- Simple: is precise, easy, consistent
- Many: has many possible answers
The first set of IRS security questions I encountered seems somewhat stable, simple and memorable, but not that safe —given the availability of public records online.
Email verification
Driver’s license number
Electronic filing PIN
Identity Protection PIN
Form W-2 verification code
Conclusion: U.S. taxpayers are still vulnerable to identity theft
- The authentication methods that the IRS currently uses do not comply with National Institute of Standards and Technology (NIST) standards. Despite requirements for multi-factor authentication, the IRS only provides inadequate single-factor authentication
- Single-factor, multi-step authentication is not multi-factor authentication: taxpayers have to complete multiple steps to prove their identity, but they all consist of answering knowledge-based questions from a third-party credit agency
- The IRS can’t confirm the veracity of a taxpayer’s email address, but has blocked the questionable email addresses and will send a confirmation letter to the taxpayers creating online accounts, via US mail
- The IRS can’t provide a second authentication factor, such as a one-time passcode or token through its web services, and will have to rely on sending a second authentication factor to taxpayers via US mail
Wherever possible we need to insist on multi-factor authentication (MFA) to protect our identities and financial safety. Unfortunately, it seems we are no closer to getting MFA at irs.gov, at least this year.
Learn more about MFA by joining our upcoming webcast featuring guest speaker Andras Cser, Principal Analyst at Forrester Research and Cheryl Tang, Product Director at Centrify as they explain how to stop attackers in their tracks with MFA, and the steps to take to further mitigate risk from compromised credentials.