Nothing is Certain Except Death and Taxes (and Data Breaches)

June 16, 2015

When Benjamin Franklin coined that phrase, “Nothing is Certain Except Death and Taxes” in 1789, the world was a much different place. Today, I’m tempted to add to the phrase:

“Nothing is Certain Except Death, Taxes and Data Breaches”.

With the IRS breach announced in the last few weeks, we’ve witnessed a sophisticated multi-step process used by cybercriminals to systematically obtain personal information, which they then used to authenticate to a now-suspended online application offered by the IRS called “Get Transcript.” According to Lisa Rein’s May 29th article in The Washington Post, “hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a complex authentication process and request tax returns and other filings.”

Get Transcript provided cybercriminals with enough information to file a new return, carefully crafted to generate a nice healthy tax refund. In this most recent breach, 104,000 taxpayers are reported to have been affected, to the tune of over $50 million. According to Ms. Rein’s article in the Washington Post, “officials estimate that the government has lost billions of dollars in recent years to fraudulent refunds filed by hackers who steal personal information on tax returns, then use it to claim a refund in a taxpayer’s name before he or she files.”

As Jada Smith points out in her New York Times article “after recent breaches at the health insurer Anthem and Home Depot, security experts note that users’ personal information is now widely available to hackers, who can buy it from criminal websites.” So, one attack begets another, more serious attack. This is the new world we live in.

What can be done to prevent future attacks?

Perhaps among other things, “the IRS has temporarily shut down the Get Transcript online service. Individuals who need past tax-return information for uses such as applying for loans can request a transcript, which includes line-by-line tax-return information, through the free Get Transcript by Mail service,” according to Karen Damato, in an article in the Wall Street Journal.

According to Ms. Smith in her New York Times article, “security experts however have criticized the agency for not adding more context to the authentication questions, or using a so-called multifactor system that sends users a second password via their mobile phone. Experts also criticized the agency for not deploying technology that looks for suspicious activity, such as multiple sign-in attempts from the same device, or encrypting sensitive information.”

How about a bolder approach? How about a new model that eliminates the notion of the perimeter and does not assume anyone, at any time, is a trusted user? One that understands contextual information such as “where is the user?”, “what device is he/she using to connect?”, and “at what time of day?”. Had the IRS known device location and time of day, among other contextual information, outcomes may have been very different.
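To make the two preceding points concrete, here is a small added example (written for this post, not code from Cryptzone, AppGate or the IRS) that combines a context-aware access decision with the kind of anomaly detection the experts quoted above asked for. It assumes a per-user enrollment record of known devices and countries, a hypothetical device identifier on each attempt, and a three-way outcome of allow, step-up (send a second factor to the phone) or deny. Every user, device id, location and timestamp is constructed for the example; note that every attempt in the sample has already passed the knowledge-based questions, as the real attackers did, and the context engine flags them anyway.

```python
"""Context-aware access decisions plus same-device velocity detection.

Added example, not product or IRS code. Users, device ids, countries and
timestamps below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sign-in attempts. Every one of them passed the knowledge-based
# authentication questions (kba_passed=True), mirroring the breach scenario.
ATTEMPTS = [
    {"ts": datetime(2015, 5, 20, 14, 5, tzinfo=UTC), "user": "alice",
     "device": "dev-A1", "country": "US", "kba_passed": True},
    {"ts": datetime(2015, 5, 20, 3, 1, tzinfo=UTC), "user": "bob",
     "device": "dev-X9", "country": "CA", "kba_passed": True},
    {"ts": datetime(2015, 5, 20, 3, 2, tzinfo=UTC), "user": "carol",
     "device": "dev-X9", "country": "CA", "kba_passed": True},
    {"ts": datetime(2015, 5, 20, 3, 4, tzinfo=UTC), "user": "dave",
     "device": "dev-X9", "country": "CA", "kba_passed": True},
    {"ts": datetime(2015, 5, 20, 3, 5, tzinfo=UTC), "user": "erin",
     "device": "dev-X9", "country": "CA", "kba_passed": True},
]

# Constructed per-user enrollment: devices and countries seen before, and
# whether a phone is registered for a second factor.
ENROLLED = {
    "alice": {"devices": {"dev-A1"}, "countries": {"US"}, "phone_mfa": True},
    "bob":   {"devices": {"dev-B2"}, "countries": {"US"}, "phone_mfa": True},
    "carol": {"devices": {"dev-C3"}, "countries": {"US"}, "phone_mfa": False},
    "dave":  {"devices": {"dev-D4"}, "countries": {"US"}, "phone_mfa": True},
    "erin":  {"devices": {"dev-E5"}, "countries": {"US"}, "phone_mfa": True},
}


def evaluate_context(attempt, enrolled, night_start=23, night_end=6):
    """Return (decision, reasons) for one attempt.

    decision is "allow" when device, location and time of day all match the
    user's history; "step_up" when something is off but a phone is enrolled
    for a second factor; "deny" when something is off and no second factor
    is available. KBA success alone never yields "allow".
    """
    reasons = []
    if attempt["device"] not in enrolled["devices"]:
        reasons.append("unknown device")
    if attempt["country"] not in enrolled["countries"]:
        reasons.append("unusual location")
    hour = attempt["ts"].hour
    if hour >= night_start or hour < night_end:
        reasons.append("off-hours")
    if not reasons:
        return "allow", reasons
    if enrolled["phone_mfa"]:
        return "step_up", reasons
    return "deny", reasons


def flag_device_velocity(attempts, max_users=3, window=timedelta(minutes=10)):
    """Detect one device signing in as many different users in a short window.

    Returns {device_id: distinct_user_count} for every device that exceeds
    max_users distinct accounts inside any sliding window of the given size.
    """
    by_device = defaultdict(list)
    for a in attempts:
        by_device[a["device"]].append(a)
    flagged = {}
    for device, rows in by_device.items():
        rows.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rows):
            users = {r["user"] for r in rows[i:] if r["ts"] - start["ts"] <= window}
            if len(users) > max_users:
                flagged[device] = len(users)
                break
    return flagged


def decide_all(attempts=ATTEMPTS, enrolled=ENROLLED):
    """Map (user, device) to the context decision for each attempt."""
    return {(a["user"], a["device"]): evaluate_context(a, enrolled[a["user"]])[0]
            for a in attempts}


if __name__ == "__main__":
    for a in ATTEMPTS:
        decision, why = evaluate_context(a, ENROLLED[a["user"]])
        print(f"{a['ts']:%H:%M} {a['user']:6} {a['device']} -> {decision} {why}")
    print("devices with suspicious velocity:", flag_device_velocity(ATTEMPTS))
```

The two checks are deliberately independent: the per-attempt policy would already step up or deny each of the off-hours, unknown-device, out-of-country attempts, while the velocity detector catches the pattern that no single attempt reveals, one device walking through several accounts in minutes. In a real deployment the thresholds, window and the notion of "off-hours" would come from each user's own history rather than fixed constants.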

A user’s complete “digital identity” needs to be assessed and then used to generate context-specific access rules that limit access to resources, to better protect against inside and outside threats. Cryptzone is delivering just that with AppGate. AppGate enables organizations to adopt a software defined perimeter approach for granular security control. With AppGate, the full security posture—including device, location, time, group, configuration and more—is used by the policy engine to dynamically define access to applications. We are delivering the next generation of security for today’s global and distributed businesses, without requiring a huge investment to achieve scalable, one-to-many security.

Find out more about AppGate’s context-aware, dynamic approach to secure access to protect your organization against today’s advanced cyberattacks.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10+ years of experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
