The IRS Get Transcript data leak is evidence of just how complex security at large scales can be. By now I’m sure you’ve heard that at least 100,000 US taxpayers’ IRS transcript data has been stolen, and that attempts were made on up to 200,000 (possibly many more). With all the breaches in the news, it’s easy to assume this is just another example of poor security at an organization leading to the bad guys finding a way in. This case isn’t so cut and dried. This time the bad guys didn’t kick down the door or find an unlocked window; they found the spare key we, the users, left under the rock on the path and used it to open the front door wide.
The key here is called knowledge-based authentication. If you’ve clicked the “forgot my password” link on many services, you may have run into it before. Knowledge-based authentication means asking people questions that you hope only they can answer, in order to help them reset a lost password. “What color was your first car?” “What street did you live on as a child?” In a sense, passwords are a form of knowledge-based authentication too, because they ask you for something only you should know. Often you are asked to set up the answers to these questions when you create a new account, and they are answers you (and I) almost immediately forget unless we use the true ones. And that’s where the problem is. A lot of people do use the true answers. Those answers can be found through other means in this digital age, especially if you’re a bad guy who doesn’t mind shopping at illegal clearing houses for stolen data from all over the electronic world. The answer space is tiny, too: there are only a couple of dozen plausible car colors, so even a guess has a good chance of being right.
So imagine you’re the bad guy. You know there is a website holding tons of valuable bits of information you can sell, like the IRS Get Transcript site. You poke around the site and find out it uses this question-and-answer scheme to reset passwords. You know that almost 300 million US citizens and residents have data there, and you know where to find many of the answers to the questions they would use to reset their passwords if they were doing it themselves. When you follow the logic, it’s amazing it took this long for this to happen.
How does this get fixed? The real fix would be a cooperative effort between us, the users, and the people running the sites. Knowledge-based authentication is problematic, and if everyone didn’t know that before, they do now. Of course, if you’re building a site to serve 300 million people, it’s hard to use anything else. Folks like Google and Apple now offer multi-factor or two-factor authentication, where they send a code to your phone when you log in to make sure it’s you. That is a great option, but it would be a massive challenge for an organization like the IRS to deploy. Maybe they could use Google or Apple as their authentication provider, but making arrangements like that is tricky when you’re the government and you have to play fair with everyone.

What’s the user’s role in all this? All the standard password advice applies here. Make sure each password is complex, don’t reuse passwords across sites, and so on. When you run into knowledge-based authentication, treat the answers you set up as if they were passwords, too. Don’t use the real information; too many other people can get that stuff. If you can’t remember it all, use a password manager, but set a REALLY strong master password on it and turn on its two-factor option for sure. And when it comes to sensitive sites like the IRS, check in on them every now and then. What you don’t know can hurt you.
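To make the “treat the answers like passwords” advice concrete, here is an added example; it is not code from the original post and has nothing to do with the IRS’s actual implementation. It shows both sides of the bargain: the user generates a random answer instead of a true one, and the site stores the answer the way it should store a password (salted, slow-hashed, compared in constant time) and locks the account after a handful of wrong guesses. The color list, the five-failure threshold and the scrypt parameters are assumptions made for illustration, and the attacker model simply walks a list of plausible answers.

```python
"""Treating knowledge-based authentication (KBA) answers like passwords.

Added illustration, not the IRS's or any vendor's code.  The colour list,
lockout threshold and hash parameters are assumptions chosen for the demo.
"""
import hashlib
import hmac
import math
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed answer space for "What color was your first car?".
# Fifteen guesses cover most honest answers: under four bits of entropy.
CAR_COLORS = ["black", "white", "silver", "gray", "red", "blue", "green",
              "brown", "beige", "gold", "yellow", "orange", "purple",
              "maroon", "tan"]


def entropy_bits(choices: int) -> float:
    """Guessing entropy of an answer drawn uniformly from `choices` options."""
    return math.log2(choices)


def random_answer(nbytes: int = 12) -> str:
    """User side: an unguessable answer meant to live in a password manager.
    12 random bytes is 96 bits, versus ~4 bits for a real car colour."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Blue ' verifies against 'blue'."""
    return " ".join(answer.strip().lower().split())


def _hash(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash: same treatment a password should get.
    return hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class KBARecord:
    salt: bytes
    digest: bytes
    max_failures: int = 5      # assumed lockout threshold
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures


def enroll(answer: str, max_failures: int = 5) -> KBARecord:
    """Site side: store only salt + digest, never the answer itself."""
    salt = os.urandom(16)
    return KBARecord(salt=salt, digest=_hash(answer, salt),
                     max_failures=max_failures)


def verify(record: KBARecord, answer: str) -> bool:
    """Constant-time comparison plus a failure counter that locks the account."""
    if record.locked:
        return False
    if hmac.compare_digest(_hash(answer, record.salt), record.digest):
        record.failures = 0
        return True
    record.failures += 1
    return False


def brute_force(record: KBARecord, candidates: List[str]) -> Optional[str]:
    """Attacker model: try each plausible answer until one works or the
    account locks.  Returns the recovered answer, or None."""
    for guess in candidates:
        if record.locked:
            return None
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    print(f"real colour answer: {entropy_bits(len(CAR_COLORS)):.1f} bits")
    print(f"generated answer:   {random_answer()} (96 bits)")
    truthful = enroll("purple")
    print("lockout stops the colour list:", brute_force(truthful, CAR_COLORS))
    unthrottled = enroll("purple", max_failures=10 ** 9)
    print("without lockout the list wins:", brute_force(unthrottled, CAR_COLORS))
```

Run it and the two `brute_force` calls make the point of the post: a truthful answer falls to a fifteen-word list the moment the site lets an attacker keep guessing, while a random answer from a password manager is out of reach of any list at all. Lockout only buys time; the entropy of the answer is what actually protects the account.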