Italy charges Bulgari luxury jewelry heirs with tax evasion
Five 529 plan facts to celebrate 529 Day

IRS security breach highlights need to rethink online privacy

After learning that cyber criminals had accessed more than 100,000 tax return transcripts, I joked to the hubby that we're OK. As soon as they crooks saw that we never get tax refunds, they tossed our info.

I wish my humorous take on this very serious situation were true.

Unfortunately, identity thieves will use any piece of personal information, good or bad, to their advantage.

That's the fear that 104,000 taxpayers are facing now that crooks, thought to be a part of a sophisticated Russian crime syndicate, have their hands on the filers' Social Security numbers, birth dates, home addresses and recent tax return information.

Identity theft online computer

Tax transcripts taken: As I noted over at Bankrate Taxes Blog, the crooks got the Social Security numbers and other personal data from outside sources. They then used that info to download their tax transcripts using the Internal Revenue Service's Get Transcript online tool.

Tax return transcripts are text versions of your annual filings. They contain all you employment, income, dependents, etc. data and are thorough enough that they are accepted for other financial transactions, such as applying for a mortgage.

That's also plenty of data for someone to take over your financial life.

Beating the verification system: The big question for the IRS is how in the heck did these crooks convince the agency's online system that they were the legitimate taxpayers?

The Get Transcript application requires answers to questions that only you, the taxpayer, should know, such as your high school mascot or your first pet's name.

Nowadays, though, this personal information is not so personal. And it's our fault. We've all to some degree shared details of our lives to broader audiences.

It's not just me telling personal tales here on the ol' blog. It's lots of folks who are discussing things on social media that then can be used to answer online identity verification questions or at least figure out those answers.

Too much over-sharing: Before the Internet, such challenge questions were, for the most part, known only to the individuals in question (or spouses; I know the hubby's Social Security number, his mother's maiden name and his favorite high school teacher).

No longer.

"Where you went to high school, grew up, your spouse's information, your dog's name; a lot of people are posting this on Facebook," says Bill Ho, CEO of Biscom, a Chelmsford, Massachusetts, company that specializes in secure document delivery solutions. "When you can get this information, you can build a profile."

Now neither Ho nor I are picking on Facebook. As he notes, lots of info that could be used in ID theft schemes is found on similar websites.

", LinkedIn. Just Google your name," says Ho. The material gleaned there, he says, can be used by cyber criminals to try to impersonate you. That, apparently, is what the IRS Get Transcript crooks did.

And while 104,000 accounts in the grand scheme of 140 million or so overall tax filers is not many, Ho points out that the criminals actually were quite successful.

Overall, the IRS says 200,000 attempts were made to download taxpayer tax return transcripts. The criminal efforts were rewarded in more than half those instances, notes Ho.

Corporate online security steps: So what can we and companies do to protect ourselves from future ID theft attempts, tax and otherwise?

On the corporate side, dump the verification questions. Most are rudimentary and, as we've seen, they are easily determined.

Two-factor authorization needs to become the norm. This is where when you log in, you must get a second verification number or word, typically sent by text message, to gain entry to the site or account. The added step with a new number/word issued each time to another device in your possession will make it harder for crooks to pretend to be you.

"It's a good way to increase the veracity of the person," says Ho, "but it does take a little effort."

And while such increased online security measures might be annoying, Ho expects to see such enhancements become more common.

Some people definitely won't like it and don't want the hassle, says Ho, but security breaches at banks, insurance companies and retail stores have put millions of consumers at risk for identity theft and other financial crimes. Something must be done.

Just as we've become more or less accepting of airport security checkpoints, Ho expects to see similar security upgrades in the online space as well.

Avoiding ID theft individually: Then there are all of us potential ID theft victims. We must stop making it easy for the crooks. That means more care and discretion in sharing online.

Yes, everyone is incredibly interested in every little thing you or your kids or your pets do. Tough. They'll just have to learn to live without so much endearing entertainment.

Plus, tighten up your security rules for your online accounts. I know Facebook's settings are difficult to decipher, but give it a shot and make sure only people you know, like, and trust, aka real friends, can see your information.

Bankrate Taxes Blog logoIn the meantime, if you're a tax transcript victim, be on the lookout for a letter from the IRS. The agency, as I noted this last week at my other tax blog, is sending out instructions to those whose accounts were accessed, as well as to those where the crooks weren't able to get in, as to what steps to take next.

Also at Bankrate Taxes: In addition to discussing the IRS security issue over at, I also looked at how state taxes and fees affect fuel prices. It's something to keep in mind as the summer vacation driving season gets underway.

I usually post my additional tax thoughts over at that personal finance website on Tuesdays and Thursdays. This week, the breaking news of the stolen IRS transcripts bumped things up a day.

Regardless of when I post over at that personal finance website, you can also find highlights and links here the following weekend or sooner if the issues warrant.

You also might find these items of interest:


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.