Search This Blog

Wednesday, May 27, 2015

IRS Data Breach Unfortunate in Many Ways - PIN?

The IRS news release that its "Get Transcript" web tool was hacked is distressing in many ways.  First, of course, is the exposure of highly sensitive taxpayer data - apparently of about 100,000 taxpayers, with attempts on about 200,000 accounts.  Additional concern is the the possibility of modernizing tax compliance is harmed.  I have often suggested that tax compliance for many taxpayers (with fairly straightforward tax computations), should be as easy as buying something from (for example, see my 5/14/15 post).  

Sounds like greater security hardware and software is needed.  Why not use of a PIN as is used to access bank data and use credit cards?  Would that help?

Are stricter laws needed to punish hackers?

What do you think?

IRS News Release of 5/26/15.

1 comment:

Anonymous said...

There's a very good news article on this topic here:

Since this particular attack apparently originated in Russia, it's doubtful that harsher legal penalties would help.

Congratulations to the IRS IT staff for noticing the increased traffic and shutting down the service. 100K names is probably small compared to the possible amount.

As a former software engineer, I have to wonder how much security analysis was done on the design of this web site by security professionals. In mechanical engineering, the failures (collapse) of iron bridges led to more stringent engineering standards and rigorous certification of professional engineers. Software engineering (a loose usage of "engineering") has few similarities to older engineering professions. Be assured that the hackers are learning from their mistakes.

At least one group in the Federal government has expertise in the design of secure web sites. Sign up on the Treasury Direct web site and you'll see a very secure design for authentication.

But, we'll muddle along until the software industry and/or world governments develop practical standards and mechanisms for people's digital identities. Similarly, we'll be stuck with e-mail spam for a long time. Perhaps when my daughter is my age, she can look back on the wild west era of the world wide web with amusement, thinking about PINs and security questions, just as I reminisce about using a typewriter, slide rule, and LP records.