The method the Internal Revenue Service used to authenticate users, which failed to keep sophisticated hackers from breaching a taxpayer-facing system, has been widely criticized by cybersecurity experts.
The IRS used knowledge-based authentication, or KBA, to authenticate the identity of users who accessed its "Get Transcript" application, which the agency earlier this week revealed was breached, exposing the records of more than 100,000 taxpayers (see IRS: 100,000 Taxpayer Accounts Breached).
Although the IRS has not identified who breached the system, several media outlets, citing anonymous sources, have reported that the hackers were likely part of a Russian criminal gang. The FBI is joining the IRS's criminal division and the Treasury Department's inspector general for tax administration in investigating the breach, according to news reports.
The IRS says it employed a dynamic version of KBA, which poses personal knowledge questions for users to answer in order to verify their identity. The answers to the questions are based on public and private information the IRS gathers, such as marketing data, credit reports and transaction history.
The IRS said the hackers obtained personally identifiable information about taxpayers from non-IRS sources that allowed them to accurately answer KBA questions, which gave them access to taxpayer accounts. The IRS did not identify which third-party sources the hackers used, although some cybersecurity experts surmise the PII might have come from information pilfered from other breaches.
"Knowledge-based authentication is a tired technology that has been compromised with the ubiquity of personal information available in social media," Robert Siciliano, online safety expert with Intel Security, says in an interview with Information Security Media Group. "Any entity that's solely relying on knowledge-based authentication is in the dark ages."
In an audio report, Siciliano and Zebryx Consulting's Scott Dueweke, formerly with Booz Allen Hamilton, discuss:
- How knowledge-based authentication, or KBA, works; and
- The security technologies the IRS could have employed to supplement KBA.
The report also describes the warnings the IRS had received from the American Institute of CPAs and National Institute of Standards and Technology regarding the weaknesses of KBA.
The IRS, in a statement, said it noticed last week unusual activity occurring on the Get Transcript application, suggesting that unauthorized individuals had access to some accounts on the transcript application. The tax agency said the breach started in February and continued until mid-May.
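The article says the breach was noticed as "unusual activity" on the Get Transcript application months after it began. One property that distinguishes an attacker holding a pile of stolen PII from a legitimate taxpayer is that the attacker passes KBA for many different accounts from the same client in a short span. The following is an added example, written for this page and not code from the IRS or from ISMG, of a simple detection heuristic over such authentication logs. The log format (timestamp, client IP, account identifier, pass/fail) and the sample lines are constructed for illustration; the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Flag client sources that clear KBA for many distinct accounts in one window.

Added example: log format, sample data and thresholds are constructed
assumptions, not the IRS's actual telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class KbaEvent(NamedTuple):
    ts: datetime
    ip: str
    account: str
    passed: bool


# Constructed sample log: one KBA attempt per line.
# Fields: ISO-8601 timestamp, client IP, account id, outcome.
SAMPLE_LOG = """
2015-02-10T09:01:12Z 203.0.113.7   acct-1001 pass
2015-02-10T09:02:40Z 203.0.113.7   acct-1002 pass
2015-02-10T09:03:05Z 203.0.113.7   acct-1003 fail
2015-02-10T09:03:50Z 203.0.113.7   acct-1004 pass
2015-02-10T09:05:01Z 203.0.113.7   acct-1005 pass
2015-02-10T09:06:30Z 203.0.113.7   acct-1006 pass
2015-02-10T10:15:00Z 198.51.100.23 acct-2001 pass
2015-02-10T11:40:00Z 198.51.100.42 acct-2002 fail
2015-02-10T11:41:10Z 198.51.100.42 acct-2002 pass
"""


def parse_log(text: str) -> List[KbaEvent]:
    """Parse whitespace-separated log lines into KbaEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, outcome = line.split()
        events.append(KbaEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            ip, account, outcome == "pass",
        ))
    return events


def find_suspicious_sources(
    events: List[KbaEvent],
    window: timedelta = timedelta(hours=1),
    max_accounts: int = 3,
) -> Dict[str, dict]:
    """Return sources that touched more than max_accounts distinct accounts
    within any sliding time window. A legitimate taxpayer retrieves a
    transcript for one or two accounts; a credential-stuffing style run
    against KBA touches many."""
    by_ip: Dict[str, List[KbaEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {e.account for e in window_evs}
            if len(accounts) > max_accounts:
                prev = flagged.get(ip)
                # Keep the worst window seen for this source.
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    flagged[ip] = {
                        "window_start": window_evs[0].ts,
                        "attempts": len(window_evs),
                        "passes": sum(e.passed for e in window_evs),
                        "distinct_accounts": len(accounts),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts, "
              f"{info['passes']}/{info['attempts']} KBA passes "
              f"from {info['window_start']:%Y-%m-%d %H:%M}")
```

Note that the heuristic keys on breadth of accounts rather than on KBA failures: an attacker who already holds accurate PII passes the questions, so a failure-rate alert alone would stay quiet. In production the client IP would be one of several correlation keys (session, device fingerprint, user agent), since a distributed botnet spreads attempts across many addresses.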