Perhaps you read about the recent data breach of the Internal Revenue Service's Get Transcript website. And perhaps you mentally filed that information away with a long list of other data breaches that have made headlines over the past couple of years.
The story is always the same; only the names change. Cybercriminals manage to plant some form of malware on a server. That malware then harvests data from the server and ships it off via the Internet to some under-policed part of the world. There it's typically sold—or as in the case of the Sony breach, it can simply be used to embarrass someone.
Except that's not at all what happened with the IRS. Technically speaking, the IRS server was not hacked. In fact, in this particular instance, the Get Transcript service was used exactly as intended; it just wasn't used by the legitimate, intended taxpayers.
How can that be?
New users accessing the Get Transcript service are required to answer a number of security questions—questions that the IRS believed only the legitimate taxpayer would have the answers to. The perpetrators of this breach made about 200,000 attempts to access the system in this manner, and they were successful about half the time. In other words, the perpetrators thought they had collected enough personal information on 200,000 taxpayers to make it through the security question gauntlet, and they were correct with 100,000 of them.
Looked at yet another way, the IRS breach was actually step 2 in this crime. Step 1 was collecting enough personal information on tens of thousands of taxpayers to execute the breach. Exactly how or where that data was collected has yet to be determined, but consider this example:
Mother's maiden name has been a common security question for decades. How easy is it to figure out someone's mother's maiden name?
Suppose for a moment that you have a Facebook account. And suppose for a moment that you've identified a particular Facebook “friend” as your mother. And suppose for a moment that to make it easier for childhood friends to find her on Facebook, your mother has included her maiden name in her Facebook profile. And finally, assume for a moment that neither you nor your mother has adjusted the Facebook security settings so that currently anyone subscribed to Facebook can see both profiles.
That would mean that your mother's maiden name is just a couple of mouse clicks away for anyone with any interest in finding it.
Whether or not the perpetrators of the IRS breach used this particular technique to harvest data remains to be seen. However, it's fairly certain that all of this started with taxpayers who were sloppy with the protection of their personal information in one way or another.
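The numbers above suggest a detection control: 200,000 automated answer attempts with a roughly 50% pass rate look nothing like legitimate taxpayer traffic. The Python below is an added example, not code from the original article or from any IRS system; it flags hours in which knowledge-based authentication (KBA) attempt volume jumps far above baseline while the pass rate drops well below it. The event format, the hour buckets, the thresholds, and the assumed 90% legitimate pass rate are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class KbaEvent:
    """One security-question verification attempt (constructed format)."""
    hour: str      # hour bucket label, e.g. "h08"
    passed: bool   # True if every security question was answered correctly


def hourly_stats(events):
    """Count attempts and passes per hour bucket -> {hour: (attempts, passes)}."""
    attempts = defaultdict(int)
    passes = defaultdict(int)
    for e in events:
        attempts[e.hour] += 1
        if e.passed:
            passes[e.hour] += 1
    return {h: (attempts[h], passes[h]) for h in attempts}


def flag_bulk_kba(stats, baseline_attempts, baseline_pass_rate,
                  volume_factor=5.0, min_drop=0.15):
    """Flag hours whose attempt volume is far above baseline AND whose pass
    rate has dropped well below what legitimate users normally achieve.
    Both conditions together are the signature of a scripted run fed with
    harvested personal data: many more attempts than usual, a large share
    of which still fail.  Returns [(hour, attempts, pass_rate), ...]."""
    flagged = []
    for hour, (n, ok) in sorted(stats.items()):
        rate = ok / n
        if n >= volume_factor * baseline_attempts and rate <= baseline_pass_rate - min_drop:
            flagged.append((hour, n, round(rate, 2)))
    return flagged


def build_sample():
    """Constructed log: two quiet hours, then one hour with a bulk run."""
    events = []
    for h in ("h08", "h09"):
        events += [KbaEvent(h, i % 10 != 0) for i in range(20)]     # 20 attempts, 18 pass
    events += [KbaEvent("h10", i % 2 == 0) for i in range(200)]     # 200 attempts, 100 pass
    return events


if __name__ == "__main__":
    stats = hourly_stats(build_sample())
    # baseline: 20 attempts/hour, 90% of legitimate users pass (assumed)
    print(flag_bulk_kba(stats, baseline_attempts=20, baseline_pass_rate=0.9))
```

In production the baseline would come from historical traffic and the buckets would also be keyed by source network, but the two-signal rule (volume up, pass rate down) is the part that separates a bulk run from a busy filing day.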
No matter how innocuous the information seems, when matched up with many other equally innocuous data points, a cybercriminal can create a significant and damaging profile of any credit union member. As your members' trusted financial partner, you have a responsibility to keep those members informed and educated to help them avoid such situations.
The odd thing about crime prevention is that there's no real way to know what you've actually prevented. You may be helping your members in ways they'll never really know.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.