
IRS Gets Hacked Again, Forced To Scrap Their Entire PIN System (engadget.com) 104

The IRS has abandoned a system of PIN numbers used when filing tax returns online after they detected "automated attacks taking place at an increasing frequency," adding that only "a small number" of taxpayers were affected. An anonymous reader quotes the highlights from Engadget: The IRS chose not to kill the tool back in February, since most commercial tax software products use it... If you'll recall, identity thieves used malware to steal taxpayers' info from other websites, which was then used to generate 100,000 PINs, back in February... This time, the IRS detected "automated attacks taking place at an increasing frequency" thanks to the additional defenses it added after that initial hack... the agency determined that it would be safer to give up on a verification method that's scheduled for the chopping block anyway.

  • Changing a system that's insecure seems like a good thing to do.

    Nice to see the IRS doing something smart, contrary to all stereotypes and expectations.

  • by Anonymous Coward

    Wouldn't filing dozens/hundreds of fraudulent returns with the wrong PIN be pretty easy to spot? While attackers may be able to mask their location/identity through various means they can't mask which account they're trying to penetrate, just lock down an account if too many wrong PINS are used with a decent amount of other information that is correct (SSN, name, etc). This should prevent fraudulent access while limiting the ability of attackers to try to lock-down the entire system by spamming it.

    • by raymorris ( 2726007 ) on Sunday June 26, 2016 @11:07AM (#52393309) Journal

      > Just lock down an account if too many wrong PINS are used

      The bad guys don't care which account they access. Suppose you limit it to four tries at a PIN. The bad guys try 250 accounts with four PINs each, not one account with a thousand PINs.

      Locking out the account rather than the attacker is just DOSing yourself. I like to call this the Broken MS Windows fallacy, because Windows does it.
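      The trade-off raised in the comment above, as an added example that is not part of the original thread: a per-account limit of four wrong PINs is compared with a limit keyed on the client making the attempts. The `simulate` function, the `src-1` client identifier, the account names and the per-source threshold of 20 are assumptions made for illustration.

```python
from collections import defaultdict

def simulate(attempts, account_limit=4, source_limit=None):
    """Replay wrong-PIN attempts, given as (source, account) pairs in order.

    account_limit: wrong PINs after which an account is locked.
    source_limit:  distinct accounts one source may fail against before
                   the source itself is blocked (None disables the check).
    """
    fails = defaultdict(int)   # wrong PINs seen per account
    seen = defaultdict(set)    # accounts each source has failed against
    locked, blocked = set(), set()
    evaluated = 0              # guesses that actually reached the PIN check
    for source, account in attempts:
        if source in blocked or account in locked:
            continue           # rejected before the PIN is compared
        evaluated += 1
        fails[account] += 1
        if fails[account] >= account_limit:
            locked.add(account)
        seen[source].add(account)
        if source_limit is not None and len(seen[source]) >= source_limit:
            blocked.add(source)
    return {"evaluated": evaluated,
            "locked": len(locked),
            "blocked": sorted(blocked)}

# Constructed inputs: every guess is a wrong PIN sent by one client, "src-1".
# BRUTE: 1000 guesses against a single account.
# SPRAY: four guesses against each of 250 accounts (the figures in the comment).
BRUTE = [("src-1", "acct-0")] * 1000
SPRAY = [("src-1", f"acct-{i}") for _ in range(4) for i in range(250)]

if __name__ == "__main__":
    print("one account, 1000 guesses :", simulate(BRUTE))
    print("250 accounts x 4 guesses  :", simulate(SPRAY))
    print("same, source limit of 20  :", simulate(SPRAY, source_limit=20))
```

      With only the per-account limit, all 1000 guesses in the second case are evaluated and 250 legitimate users end up locked out. With the per-source limit, 20 guesses are evaluated and no account is locked.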

    • by guruevi ( 827432 )

      You have a quarter billion (more if you include business) tax returns, most PINs being the birth year of the individual (common practice amongst accountants) or something equally stupid (1234, 0000). Since it is only used once a year, most people don't use a custom PIN like a bank card.

      • most PINs being the birth year of the individual ... or something equally stupid (1234, 0000)

        I was not given an option to select a PIN. It was randomly generated by the IRS. And it was five digits, not four.

        Obvious solution: Since the numbers are random, people are going to record them anyway, so just add extra digits. Make it 10 digits instead of 5, and the problem is basically solved.

        • I was not given an option to select a PIN. It was randomly generated by the IRS.

          Interesting. When I've filed electronically the last five years or so, I've been instructed to self-select a PIN. For most of those years I was using TaxAct.com - but even this year, when I used freefillableforms.com, I also selected my own PIN.

  • All this crap... (Score:5, Insightful)

    by Ecuador ( 740021 ) on Sunday June 26, 2016 @10:49AM (#52393203) Homepage

    All this crap just because tax preparation companies throw lobbying money to keep the current system. Most Americans would not need to actually file for taxes, the IRS already has all the data it needs, but noooo we have to keep an obsolete industry going no matter the cost...

    • Trump's tax plan (Score:4, Insightful)

      by Okian Warrior ( 537106 ) on Sunday June 26, 2016 @12:23PM (#52393685) Homepage Journal

      All this crap just because tax preparation companies throw lobbying money to keep the current system. Most Americans would not need to actually file for taxes, the IRS already has all the data it needs, but noooo we have to keep an obsolete industry going no matter the cost...

      Donald Trump's position on tax reform [donaldjtrump.com] eliminates much of the paperwork. If you're single and earn less than $25,000 or jointly earn less than $50,000 you pay no tax. Send in a single-page form and you're done.

      There's not a lot of federal income to be had from low wage earners, so it makes perfect sense to eliminate the extra work on both sides. Also, poor people don't have to spend money on tax filing services (H&R Block, et al).

      Poor people get to keep more of their money, the IRS has a lot less work to do (estimated 75 million households), and the federal government gets just as much revenue.

      Hillary Clinton doesn't have a unified plan to reform tax reporting (posted on her website).

      If you think this issue is important, elect Hillary and nothing will change.

      • by gtall ( 79522 )

        Yes, because Americans wouldn't think twice about hiding their income to get under the $50,000. They already skip out on about $450 Billion a year they should be paying, Bam-Bam and his pseudo-policy isn't going to change that.

        • by LynnwoodRooster ( 966895 ) on Sunday June 26, 2016 @01:41PM (#52394017) Journal
          The simpler the code, the harder it is to hide income. Eliminate 99% of the tax code (seriously, if it's more than a few hundred pages it's too complex), eliminate 99% of all deductions, and you will have a hard time hiding income - unless you operate an all-cash business (which, in itself, draws a lot of attention with the reporting of structured deposits, etc.)
      • Donald Trump's position on tax reform [donaldjtrump.com] eliminates much of the paperwork. If you're single and earn less than $25,000 or jointly earn less than $50,000 you pay no tax. Send in a single-page form and you're done.

        So they pretty much still have to file, basically ("send in a single-page form").

        Plus you neglect to mention that he's getting rid of the Earned Income Tax Credit - that'll save the government a bunch of money as well, at the expense of the poorest of the poor.

    • Re: (Score:3, Insightful)

      by gtall ( 79522 )

      You are blaming the wrong party, Einstein. Congress created the Swiss cheese that is the U.S. tax code. And the latest estimate is the sainted American people are skipping out on about $450 Billion in taxes they should be paying. That's enough to cover the yearly deficit.

      By the way, the IRS does not have all the data they need and they don't even have enough compute power to process what they do get. Congress has seen fit to starve them for the same idiot reasons you think they are to be held to account. If

      • Re:All this crap... (Score:4, Informative)

        by LynnwoodRooster ( 966895 ) on Sunday June 26, 2016 @01:46PM (#52394045) Journal

        You are blaming the wrong party, Einstein. Congress created the Swiss cheese that is the U.S. tax code. And the latest estimate is the sainted American people are skipping out on about $450 Billion in taxes they should be paying. That's enough to cover the yearly deficit.

        Not quite. The US Debt as of 10/1/2015 (start of FY2016) was $18.15 trillion. It's now $19.26 trillion [treasurydirect.gov]. So that's about $1.1 trillion added in 9 months, or about $1.46 trillion annually. About 4 times your estimate of uncollected taxes. That $450 billion would help, but would get nowhere NEAR to eliminating the actual annual deficit (not the fake, "on budget" number that's reported).

        • by Anonymous Coward

          Incorrect: http://www.usgovernmentspending.com/federal_deficit_chart.html $450B comes pretty close. And stop conflating deficit with gross debt, it's more complicated than just adding the deficit to that debt.

          Btw, you know the difference between the public portion ($11.6T) and total debt ($19.3T), right?

          • What do we owe, as a country? According to the Treasury department, it's $19.3 trillion - that's our outstanding debt. Trying to say "but some of that is owed to our own people!" and that is true - but it's still a debt because it's money that needs to be paid. You do understand that, don't you?
        • "should be paying" != "congress/president spending like a drunken sailor on shore leave"

          Most of us realize that we should spend less or equal to our income. Ideally, less so we can save for large purchases or retirement.

          Of course, there are some that live on credit cards (or refinancing their homes at the height of the bubble and withdrawing cash to spend spend spend) but they get "caught up" eventually - usually by declaring bankruptcy.

          • Yep. And for the Federal Government they only talk about the "on budget" deficit, and ignore all the rest of the debt that racks up (over 3 times the "official" on-budget deficit). It's like declaring your mortgage payment is no longer on-budget, so if you stop paying it, you can take that money and pay off other debt and reduce your spending! All the while debt continues to accumulate - but it's not "on budget" so it doesn't matter...
    • It's not just tax preparation companies. EVERY company with employees uses this system to pay employment taxes (unless they pay a tax preparer to pay it on their behalf, then pay the tax preparer). About a decade ago, the IRS got rid of mailed employment tax payments. Companies must pay their 940 and 941 taxes (and a variety of other taxes) online via electronic funds transfer, either monthly or (if your payroll is big enough) semi-weekly. To login to the system, you need your EIN, your password, and a
  • The checks have to be delivered somewhere.

  • by CaptainDork ( 3678879 ) on Sunday June 26, 2016 @11:10AM (#52393325)

    This time, the IRS detected "automated attacks taking place at an increasing frequency" thanks to the additional defenses it added after that initial hack...

    The IRS is not alone in this. After entities get hacked, they implement tighter detecting tools and sigh with the false comfort that they "are on top of things."

    Look ...

    If your storage building is being ransacked and you put up security cameras that show people breaking in, you have not actually SOLVED anything if the thefts continue.

    It's not hard, folks: Get a goddam lock.

  • Why can't I just submit the public key from one of my PIV tokens (say with a copy of my passport or some other ID and maybe a notarization) and use that to sign stuff I want to submit to the IRS? That seems like a simple solution.
    • Re:Easy solution PIV (Score:5, Interesting)

      by markus ( 2264 ) on Sunday June 26, 2016 @11:33AM (#52393447) Homepage

      There are plenty of great second factor solutions. The better ones are really easy to use and provide a lot more security. But providers don't want to roll out fancy new technology, and users are blissfully unaware of how security works, so they want the same thing that they have had for the last couple of decades.

      The upshot is that even when second factors are rolled out, we essentially end up with something no more secure than password and pin, whereas there are beautiful solutions such as FIDO U2F that are ignored.

      • Makes sense. The only reason I thought PIV would be easier is it's a US government standard in use at most or all federal agencies and works on Linux/Mac/Windows out of the box. Very likely the IRS agents and staff use PIV cards to authenticate to IRS systems and obtain physical access to IRS buildings.