One Year After Hack, IRS Debuts Updated Get Transcript Service

More than a year after hackers managed to manipulate the system the Internal Revenue Service has reinstated its Get Transcript service.

The Internal Revenue Service has reinstated its Get Transcript service, more than a year after hackers managed to manipulate settings in the system in order to steal information on more than 720,000 U.S. taxpayers.

The IRS suspended the service – which gives citizens a way to look up line-by-line tax return, wage and income information for a given year – last May after it was discovered attackers had been accessing sensitive information via the platform. From February 2015 to May 2015 attackers were able to use personal information, such as individuals’ Social Security numbers, dates of birth, and tax filing statuses, to beat the service’s security checks.

In a press release issued earlier this month, the revenue service maintained that the service has been retooled and bolstered by what its calling an enhanced authentication process.

To use the service going forward users will be required to have a Social Security number, an email address, a mobile phone with their name on the account, and specific financial account information, such as a credit card or loan number. Users will then have to go through a multifactor authentication process in order to gain access to their information, the IRS claims.

According to the agency’s announcement, it may send users looking to get into their account up to three different types of codes – verification, activation, or security – by email and text. The IRS is hoping another new feature, one that allows users to see the last date and time their Get Transcript page was accessed, will help provide users with an extra layer of security as well.

Users who either don’t have a mobile phone, or prefer to collect information the old fashioned way, can order their transcripts over the phone, or by mail, which takes five to 10 days.

The IRS acknowledges that while Get Transcript may not be perfect, it insists it’s an upgrade over the previous iteration.

“The incident with Get Transcript Online illustrates a wider truth about identity theft in general, which is that there are no perfect systems,” IRS Commissioner John Koskinen said, “No one, either in the public or private sector, can give an absolute guarantee that a system will never be compromised. For that reason, we continue our comprehensive efforts to update the security of our systems, protect taxpayers and their data and investigate crimes related to stolen identity refund fraud.”

The agency worked with the United States Digital Service, an arm of the White House launched in 2014, on the authentication platform. The agency claims the technology it wound up using in the system reflects standards set by both the National Institute of Standards and Technology, along with the OMB.

According to a How To published by the IRS about the service, the agency plans on deploying similar technology for its Identity Protection PIN service–six-digit numbers it assigns to taxpayers to prevent misuse–later this year. Until then, citing a lack of security around the tool, it will remain unavailable.

Even up until this past spring, the number of taxpayers implicated by the Get Transcript incident was in flux. Initially it was reported that information on 100,000 individuals had been accessed. Three months later, in August, the IRS tweaked those figures and claimed there were 220,000 additional instances of “possible or potential access to ‘Get Transcript’ taxpayer account information.” That ballooned the total number of victims to 330,000 taxpayers.

In February, following a supplementary, nine-month investigation, the IRS updated that figure, claiming 390,000 additional accounts were potentially accessed, bringing the total to 720,000 users.

Fraudsters used a technique similar to the one used against Get Transcript when they managed to infiltrate a service provided by payroll company ADP last month. Attackers used personally identifiable information that was already in the wild to access individuals’ portals on ADP.com. From there they gained access to users’ W2s at a handful of companies.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.