Taxpayers Need to Protect Themselves When IRS Can’t

It probably seemed harmless last year to give a big shout out on your Facebook page to your first grade teacher. Unfortunately, cyber-thieves can use that information to steal your identity and break into your online accounts.

That’s what happened to the IRS. The tax agency is the latest target of cyber criminals who used so-called knowledge-based authentication information to illegally access the tax returns of about 100,000 U.S. taxpayers.

The breach at the IRS is particularly onerous because the information included on tax returns is especially detailed and personal – information that includes back account numbers, childrens’ names and ages, health care expenses, addresses of various residences, etc…

Knowledge-based authentication is commonly used by Web sites as an added measure beyond Social Security numbers and dates of birth. Account holders are asked questions such as their mother’s maiden name or the name of their first grade teacher or the account holder’s favorite color. In other words questions whose answers only the account user would know.

“Those are the same questions when resetting a password and they pop up in a variety of places,” said Robert Siciliano, an identity theft expert with

The problem is that much of that information can be gleaned from account user’s social media sites such as Facebook and Instagram, where people tend to post every detail of their life, including their mother’s maiden name, the name of their first grade teacher and their favorite color.

“This is all readily-available data,” said Siciliano. “It’s the simplicity of the questions along with the ubiquity of the answers that make the knowledge-based questions and the sites themselves vulnerable.”

It’s probably too late to scrub all of the personal information that hackers glean from social media sites to break into the personal banking and other financial-related accounts of their victims. But experts say the passwords and security codes of those accounts can – should -- be altered to prevent hackers from illegally gaining access to important accounts.

“The cat’s out of the bag, the horse has left the barn” in terms of information already posted to social media, said Siciliano. But passwords can be changed and new ones created that don’t match up to information readily available on Facebook or Instagram.

Account holders can create codes by using symbols for letters -- @ for a, or 3 for e, for example. Sprinkling those changes into actual words can throw off would-be cyber thieves.

Also, account holders can make up answers to commonly asked questions such as a parent’s maiden name or a recent street address. In addition, account holders can create questions and answers that are too obscure to appear on any social site, such as the lead singer in a popular band.

According to the IRS,  the data theft was primarily designed to steal taxpayers' information to submit fraudulent returns next year. The agency said fewer than 15,000 fraudulent returns were processed as a result of the breach, likely resulting in refunds of less than $50 million.

The IRS security issue follows high-profile cyber breaches at JPMorgan Chase (NYSE:JPM) as well as mega-retailers Target (NYSE:TGT) and Home Depot (NYSE:HD), who have all suffered cyber attacks.

The IRS data theft is different because the criminals did not hack into IRS computers. Instead, the cyber thieves used information they had gathered about individuals, presumably on social media sites, to access the system as it was designed to be used, the IRS said.

The IRS said that from February to May, attackers sought to gain access to personal tax information 200,000 times through the agency's "Get Transcript" online application, which calls up information from previous returns. The unidentified cyber thieves were successful about half the time.