Nothing is Certain Except Death and Taxes (and Data Breaches)
When Benjamin Franklin coined that phrase, “Nothing is Certain Except Death and Taxes” in 1789, the world was a much different place. Today, I’m tempted to add to the phrase:
“Nothing is Certain Except Death, Taxes and Data Breaches”.
With the IRS breach announced in the last few weeks, we’ve witnessed a sophisticated multi-step process used by cybercriminals to systematically obtain personal information that they then used to authenticate to a now-suspended online application offered by the IRS called “Get Transcript.” According to Lisa Rein’s May 29th article in The Washington Post, “hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a complex authentication process and request tax returns and other filings.”
Get Transcript provided cybercriminals with enough information to file a new return, carefully crafted to generate a nice healthy tax refund. In this most recent breach, 104,000 taxpayers are reported to have been affected, to the tune of over $50 million. According to Ms. Rein’s article in The Washington Post, “officials estimate that the government has lost billions of dollars in recent years to fraudulent refunds filed by hackers who steal personal information on tax returns, then use it to claim a refund in a taxpayer’s name before he or she files.”
As Jada Smith points out in her New York Times article “after recent breaches at the health insurer Anthem and Home Depot, security experts note that users’ personal information is now widely available to hackers, who can buy it from criminal websites.” So, one attack begets another, more serious attack. This is the new world we live in.
What can be done to prevent future attacks?
Perhaps, among other things. For now, “the IRS has temporarily shut down the Get Transcript online service. Individuals who need past tax-return information for uses such as applying for loans can request a transcript, which includes line-by-line tax-return information, through the free Get Transcript by Mail service,” according to Karen Damato, in an article in the Wall Street Journal.
According to Ms. Smith in her New York Times article, “security experts however have criticized the agency for not adding more context to the authentication questions, or using a so-called multifactor system that sends users a second password via their mobile phone. Experts also criticized the agency for not deploying technology that looks for suspicious activity, such as multiple sign-in attempts from the same device, or encrypting sensitive information.”
How about a bolder approach? How about a new model that eliminates the notion of the perimeter and does not assume that anyone, at any time, is a trusted user? One that understands contextual information such as “where is the user?”, “what device is he/she using to connect?”, and “at what time of day?”. Had the IRS known device location and time of day, among other contextual information, the outcome might have been very different.
A user’s complete “digital identity” needs to be assessed and then used to generate context-specific access rules that limit access to resources and better protect against inside and outside threats. Cryptzone is delivering just that with AppGate. AppGate enables organizations to adopt a software defined perimeter approach for granular security control. With AppGate, the full security posture—including device, location, time, group, configuration and more—is used by the policy engine to dynamically define access to applications. We are delivering the next generation of security for today’s global and distributed businesses, without requiring a huge investment to achieve scalable, one-to-many security.
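To make the two ideas above concrete, the suspicious-activity check the experts called for (many identities signing in from one device) and a contextual access decision based on device, location and time of day, here is an added illustration. It is example code written for this post, not AppGate’s policy engine, and the sign-in events, device ids and country codes are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (illustrative only, not real IRS logs).
# Four different "taxpayers" authenticate from the same device within minutes,
# which is the pattern a refund-fraud campaign would leave behind.
EVENTS = [
    {"ts": "2015-05-20T14:05:00", "user": "taxpayer-001", "device": "dev-A1", "geo": "US"},
    {"ts": "2015-05-20T14:09:00", "user": "taxpayer-002", "device": "dev-A1", "geo": "US"},
    {"ts": "2015-05-20T14:12:00", "user": "taxpayer-003", "device": "dev-A1", "geo": "US"},
    {"ts": "2015-05-20T14:20:00", "user": "taxpayer-004", "device": "dev-A1", "geo": "US"},
    {"ts": "2015-05-21T03:30:00", "user": "taxpayer-005", "device": "dev-B7", "geo": "XX"},
    {"ts": "2015-05-21T10:00:00", "user": "taxpayer-006", "device": "dev-C2", "geo": "US"},
]


def devices_with_identity_spread(events, max_users=3):
    """Flag devices that signed in as more than max_users distinct identities.

    Returns {device_id: number_of_distinct_users} for every device over the limit.
    """
    users_per_device = defaultdict(set)
    for e in events:
        users_per_device[e["device"]].add(e["user"])
    return {d: len(u) for d, u in users_per_device.items() if len(u) > max_users}


def decide(event, flagged_devices, trusted_geos=("US",),
           allowed_hours=range(6, 23), known_devices=()):
    """Context-aware access decision for one sign-in event.

    Returns (decision, reasons) where decision is 'allow', 'step-up'
    (require a second factor, e.g. a code sent to the user's phone) or 'deny'.
    A device already flagged for identity spread is denied outright; otherwise
    one risk signal triggers step-up and two or more trigger a denial.
    """
    if event["device"] in flagged_devices:
        return "deny", ["device used for many identities"]
    reasons = []
    if event["geo"] not in trusted_geos:
        reasons.append("untrusted location")
    if datetime.fromisoformat(event["ts"]).hour not in allowed_hours:
        reasons.append("off-hours sign-in")
    if event["device"] not in known_devices:
        reasons.append("unknown device")
    if len(reasons) >= 2:
        return "deny", reasons
    if reasons:
        return "step-up", reasons
    return "allow", []
```

Running `devices_with_identity_spread(EVENTS)` flags `dev-A1`, and feeding that set into `decide` denies its later sign-ins while a known device at a normal hour from a trusted location is allowed without friction.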
Find out more about AppGate’s context aware, dynamic approach to secure access to protect your organization against today’s advanced cyberattacks.