The Get Transcript service allows taxpayers to review tax account transactions, line-by-line tax return information, or wage and income reported to the IRS for a specific tax year. Beginning in February and continuing through mid-May 2015, taxpayer accounts on the service were accessed, and the transcripts are expected to have been taken with the intention of using the information for identity theft during the next tax season.
Weakness of Knowledge-Based Authentication
The IRS used knowledge-based authentication (KBA), which requires responses to personal questions to authenticate the identity of users accessing its Get Transcript application. The answers to the questions are based on public and private information the IRS collects, such as marketing data, credit reports, and transaction history.
The IRS said that hackers likely used personal information obtained from outside sources to correctly respond to the KBA questions. Some cybersecurity experts are considering the possibility that the personal information might have come from other data breaches.
With the widespread availability of personal information via social media, knowledge-based authentication has become an outdated technological safeguard.
While it’s not recommended in practice, if an organization does use KBA to authenticate users, it should also implement multi-factor authentication tools. Multi-factor authentication combines two or more independent credentials: what the user knows (password), what the user has (token), and what the user is (biometric verification). The goal is to create a layered defense: if one factor is compromised, the attacker still needs to jump through another hoop before breaking in.
Multi-factor strategies include:
- Logging into an account and being asked to enter an additional one-time password that the host sends to the user’s phone.
- Downloading a virtual private network client with a valid digital certificate and logging into the VPN before being granted access.
- Swiping a card, scanning a fingerprint, and answering a security question.
- Attaching a USB hardware token to a desktop that generates a one-time passcode and using it to log into a VPN client.
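As an added example that is not part of the original post, the layered check described above as a standard-library Python login routine: KBA answers count only as the knowledge factor, and access additionally requires an RFC 6238 time-based one-time code from the user's phone, so harvested KBA answers alone are refused. The account record, the KBA answers and the salt are constructed for the demo, and the TOTP secret is the RFC 4226 test-vector key standing in for a secret provisioned to the user's device.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

SALT = b"constructed-demo-salt"          # constructed for the demo; use a random per-user salt in practice
RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 / 6238 test-vector key, standing in for a provisioned secret


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store KBA answers as salted PBKDF2 hashes, normalised so 'Elm Street ' and 'elm street' compare equal."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


# Constructed account record: two KBA answers plus the TOTP secret shared with the user's phone.
ACCOUNT = {
    "kba": {"street": hash_answer("Elm Street", SALT), "lender": hash_answer("Acme Bank", SALT)},
    "totp_secret": RFC4226_SECRET,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, now // step)


def kba_passes(account: dict, answers: Dict[str, str]) -> bool:
    """Knowledge factor only: every stored question must be answered and every answer must match."""
    if answers.keys() != account["kba"].keys():
        return False
    return all(hmac.compare_digest(account["kba"][q], hash_answer(a, SALT)) for q, a in answers.items())


def authenticate(account: dict, answers: Dict[str, str], otp: Optional[str], now: int) -> bool:
    """Layered check: correct KBA answers alone never grant access; a code from the user's device is required too."""
    if not kba_passes(account, answers) or otp is None:
        return False
    # Accept the current step and one step either side to tolerate clock skew between server and phone.
    return any(hmac.compare_digest(totp(account["totp_secret"], now + skew), otp) for skew in (-30, 0, 30))
```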
For more information on multi-factor authentication and how it can apply to your organization, contact us at (559) 577-1248 or firstname.lastname@example.org.