The complexity of cyber security is demonstrated by the recent disclosure of the Internal Revenue Service that 100,000 taxpayers had their tax returns accessed by criminals. This incident was different from previous high-profile breaches of cyber security, such as the hacking of credit card numbers at Target or Home Depot. The criminals technically did not hack the IRS systems at all.
Instead, they used information they obtain elsewhere to gain access to taxpayer tax return information in a manner identical to how the taxpayer would access the system. The IRS, like many entities, uses a “knowledge-based” system to authenticate authority to access information on their systems.
This knowledge typically involves personal information that only a taxpayer would know, such as their favorite pet, their grade school or their mother’s maiden name. This information is usually so random or obscure that no one could guess the information in a timely manner.
To the criminals rescue comes Facebook and other social media sites. Much of this random, obscure information is posted there, often for all the world to see. Armed with this information, criminals can enter the IRS, healthcare or financial systems, without triggering any obvious signs of hacking.
For anyone with information on social media sites, the clear warning is that if it is ever used on your Facebook page, you have to presume a criminal could find it and it should not be used as authentication answers used to access confidential information, no matter the type.
It also means it will be more challenging to protect that information, as criminal data mining becomes more sophisticated and ubiquitous.
Source: foxbusiness.com, “Taxpayers Need to Protect Themselves When IRS Can’t,” Dunstan Prial, May 27, 2015