Thoughts on the 'Get Transcript' Incident

The IRS ‘Get Transcript’ incident is a classic example of how your application can be abused when you simply assume everyone using it is who they say they are.

In this particular case, it comes down to traditional multi-factor authentication theory. 

Everything you needed to get at those transcripts was a 'something you know'.

Problem is, when you start to suggest multi-factor authentication to people, they panic because of the perceived complexity and cost.

This is largely down to the association of multi-factor with the old school hardware token or keyfob, which have about as much place in modern society as a VCR, or Piers Morgan. 

Hardware fobs are costly and often highly impractical for applications such as 'Get Transcript'.

Owners of sensitive data need to get creative when it comes to smarter authentication. You can find a second factor without actually having to do an awful lot of work.

In this instance, the IRS could infer a second factor from the data they already have - look at the ZIP code on the tax return, look at the geo-location of the IP requesting the transcript. Are they roughly the same? Yes, here's your transcript. No, we’re going to need to talk to you first.

It’s not perfect, slightly annoying if your IP pops out too far from where you actually live, but could be coded in about 10 minutes, for minimal cost, and for most folks the slight inconvenience would be better than the alternative.
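As an added illustration of the inferred second factor described above (this is example code, not anything the IRS published), the check below compares the centroid of the ZIP code on the return with the geolocation of the requesting IP and either releases the transcript or steps up to a manual conversation. The ZIP centroids, the IP-to-location table and the 300 km tolerance are constructed stand-ins for the geolocation database and threshold a real deployment would use. Because the IP signal is noisy (corporate egress points, VPNs, mobile carriers), a mismatch or a missing lookup triggers step-up verification rather than a hard denial, which matches the "we're going to need to talk to you first" outcome in the article.

```python
"""
Infer a second factor from data already on file: compare the ZIP code on the
taxpayer's return with the geolocation of the IP requesting the transcript.
Added example; all lookup tables and the threshold are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude) in decimal degrees

# Constructed sample data: approximate ZIP code centroids.
ZIP_CENTROIDS = {
    "20500": (38.8977, -77.0365),   # Washington, DC
    "10001": (40.7506, -73.9971),   # New York, NY
    "94102": (37.7793, -122.4193),  # San Francisco, CA
}

# Constructed sample data standing in for a commercial IP geolocation service.
# Documentation-range IPs only; None models "provider has no answer".
IP_GEO = {
    "203.0.113.10": (38.9072, -77.0369),   # resolves near Washington, DC
    "198.51.100.7": (37.7749, -122.4194),  # resolves to San Francisco
    "192.0.2.55": None,                    # no geolocation available
}


class Decision(Enum):
    ALLOW = "allow"        # release the transcript
    STEP_UP = "step_up"    # route to additional verification


@dataclass
class RiskResult:
    decision: Decision
    distance_km: Optional[float]
    reason: str


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def lookup_ip(ip: str) -> Optional[Coord]:
    """Hypothetical geolocation lookup; a real system would call a provider."""
    return IP_GEO.get(ip)


def evaluate_request(zip_code: str, client_ip: str, max_km: float = 300.0) -> RiskResult:
    """Decide whether the request location is consistent with the return's ZIP.

    Any failure to obtain a usable signal is treated as a reason to step up,
    never as a reason to allow.
    """
    home = ZIP_CENTROIDS.get(zip_code)
    if home is None:
        return RiskResult(Decision.STEP_UP, None, "no centroid for ZIP on return")
    here = lookup_ip(client_ip)
    if here is None:
        return RiskResult(Decision.STEP_UP, None, "IP geolocation unavailable")
    dist = haversine_km(home, here)
    if dist <= max_km:
        return RiskResult(Decision.ALLOW, dist, f"IP within {max_km:.0f} km of ZIP")
    return RiskResult(Decision.STEP_UP, dist, f"IP {dist:.0f} km from ZIP, outside tolerance")


if __name__ == "__main__":
    # Constructed requests: a local one, a cross-country one, and one with no geo data.
    for zip_code, ip in [("20500", "203.0.113.10"), ("10001", "198.51.100.7"), ("20500", "192.0.2.55")]:
        r = evaluate_request(zip_code, ip)
        print(f"zip={zip_code} ip={ip} -> {r.decision.value}: {r.reason}")
```

The tolerance is the knob the article alludes to: widen it and fewer legitimate travellers are inconvenienced, narrow it and more fraudulent pulls are diverted to a human. Logging the distance alongside the decision also gives the back end the data it needs to tune that knob and to spot bursts of far-away requests against many accounts.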

John Smith

Integration Solutions Architect at CrowdStrike | We Stop Breaches

8y

I agree with Mike, you don't necessarily need to dole out key fobs to everyone; even the slightest amount of due diligence can be beneficial. I have been testing a trigger that parses both the username and the client IP address instantly off the wire, then does a RESTful push or syslog to a back-end intelligence system. I know that the NetScaler can do what is called an HTTP Callout to an external geolocation database. I am certain it can reference where the client is coming from as well. At ExtraHop we recently busted a phishing ring, basically providing real-time reporting of non-standard referrers and looking at their geolocations. The next step would be to couple the user ID passed from the phishing referrer site and immediately start the incident response within minutes of it happening. Anymore, I look at the expiration date on my debit card and think to myself "yeah right". Great article, Mike!!

Eric Hanson

Data Analyst 2, OI Payer Analytics at Optum

8y

This is an old problem: how do I balance security with customer convenience? I don't think there's a good way to shore up authentication to prevent something like this from happening. Make the verification questions tougher and you'll make it harder for valid customers to get their information. IP locations can be easily spoofed, and if someone's logging in from a work network, it could show a location halfway across the country. There may be some work that the IRS could do on the back end to be able to detect this sort of activity more quickly and more reliably, but the thieves knew what they were doing by attempting this now rather than in September or October. The 'Get Transcript' volume is likely higher around this time every year.

Tyson Supasatit

Director of Product Marketing at Eclypsium

8y

Love the idea of using transaction data such as the client IP to help verify users.
