Why the IRS Hack Wasn’t all the IRS’s Fault

[Image: goofy-looking man. Caption: This taxpayer helped crooks download his tax return]

The people who broke into the IRS website last week and downloaded the 100,000 returns had help from their victims.

The IRS had set up questions designed to ensure that only the taxpayer obtained access to the stored tax form. Some of the information the IRS asked for (birth date, street address) can be gathered from other government sites. In addition, the IRS says it asked “several personal identity verification questions that typically are only known by the taxpayer.” (See the IRS statement.)

Posts to social media may have given the hackers some of these answers (such as marital status). Other answers could be guessed or copied from other web sites the bad guys had gotten into.

The IRS has not released the list of additional validation tests it made, but we have two immediate suggestions:

  1. Review the information you’ve posted about yourself on Facebook, Twitter, and other social media sites. Think like a crook. Have you published enough information for an evildoer to be able to answer the security questions websites typically ask when you request a password reset?

    If so, remove some of the information or change who can see all of your information.

  2. When a website asks for your favorite color, food, or first pet’s name, don’t tell the truth! Make up a nonsense answer like “Swablar” that you will remember but that cannot be guessed or found associated with you anywhere online.

We’ve read articles saying that those validation questions asked by sites are dangerous because so many of the responses (pet’s name, high school, first boy/girlfriend) can be either found on Facebook or on other public sites.

Other answers are so common that thieves can get authenticated by simply typing in the most popular responses. We’ve seen articles that said “pizza” is the favorite food of a majority of Americans, so even if pizza is your favorite food, answer “Swablar”.  I don’t even know if a “Swablar” is edible, but it’s not likely to be guessed by a crook!
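The two suggestions above can be turned into a quick self-check. The following is an added example, not code from the original post or from the IRS: it flags a security answer that is either a popular response or a word you have already posted publicly, and it makes up a pronounceable nonsense answer in the spirit of “Swablar”. The lists `COMMON_ANSWERS` and `PUBLIC_POSTS` and both function names are constructed for illustration.

```python
import secrets

# Constructed sample data (assumptions, not taken from any real site):
# a few popular answers and some text a person might have posted publicly.
COMMON_ANSWERS = {"pizza", "blue", "max", "bella", "smith"}
PUBLIC_POSTS = "Married in 2009! Our dog Rex loves the park near Lincoln High."

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def audit_answer(answer, public_text=PUBLIC_POSTS, common=COMMON_ANSWERS):
    """Return the reasons an answer is guessable (empty list means no finding)."""
    reasons = []
    normalized = answer.strip().lower()
    if normalized in common:
        reasons.append("common")  # a thief can simply try popular responses
    # Every word of the answer already appears in what was posted publicly.
    words = {w.strip(".,!?").lower() for w in public_text.split()}
    if normalized and all(part in words for part in normalized.split()):
        reasons.append("public")
    return reasons


def nonsense_answer(syllables=4):
    """Build a made-up, pronounceable word using a cryptographic random source."""
    word = "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )
    return word.capitalize()


if __name__ == "__main__":
    for candidate in ("Pizza", "Rex", "Lincoln High", "Swablar"):
        print(candidate, "->", audit_answer(candidate) or "no finding")
    print("Suggested answer:", nonsense_answer())
```

Store the generated answer somewhere safe, since it is meant to be unrelated to anything you could recall from your own life.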

In addition, when you participate in a meme on Facebook or another site that says it’s going to tell you what city you should live in, what religion you should be, or what celebrity you are like, be careful!  Are you typing answers to any of your security questions on another site?  Who is running the meme anyway?

Finally, although this week’s IRS hack doesn’t seem to involve weak passwords, please consider switching to a password vault application like LastPass. These apps remember your passwords and will generate difficult-to-crack gibberish passwords which will keep you safe(r). (For more on LastPass, read a posting made after the 2014 Kickstarter hack.)