An excellent guest column by Brian Garst in the Cayman Financial Review reports on the US Government’s “atrocious” mishandling of its citizens’ private information and how inevitable breaches of poorly designed and managed IRS and OECD reporting systems will soon unleash a global torrent of unsecured personal identification and financial data:
Here’s an excerpt:
The IRS itself has been accused by government watchdogs of having serious vulnerabilities, and of moving too slowly to fix them.
Every year since 2008, the Government Accounting Office has identified 100 cybersecurity weaknesses at the agency. Specifically, the IRS has been faulted for routinely failing to encrypt data or for using weak methods for doing so, allowing greater access to data than workers require to perform their duties, permitting user passwords that are easily guessed, and being dangerously slow to install crucial software updates and security patches.
This record alone is enough to question the ability of the IRS to secure and protect the sheer breadth of financial records it will receive due to FATCA, but serious concerns are already being raised about IDES’ specific security protocols.
The system’s rules for encryption recommend use of Electronic Codebook (ECB) as its encryption mode. ECB is widely faulted by cryptography experts as being incredibly weak, as it encrypts blocks one at a time and it thus does a poor job of hiding data patterns. Upon discovering the IDES recommendation of ECB in its protocols, prominent security expert Bruce Schneier incredulously asked, “Are they serious?”
Apparently they are not about protecting taxpayer information.
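The pattern leak the column attributes to ECB can be measured directly. The following is an added example, not part of the original post or of the quoted column: it encrypts fixed-width records under ECB and under CBC and counts repeated ciphertext blocks. The block cipher is a toy Feistel construction standing in for AES (the Python standard library has none), and the record layout is constructed for illustration and is not the IDES format.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # bytes, the AES block size

def toy_block_encrypt(key, block):
    # 4-round Feistel keyed with HMAC-SHA256: a toy stand-in for AES, not secure.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def blocks_of(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):
    n = BLOCK - len(data) % BLOCK  # PKCS#7-style padding
    return data + bytes([n]) * n

def ecb_encrypt(key, plaintext):
    # Every block is encrypted independently: equal inputs give equal outputs.
    return b"".join(toy_block_encrypt(key, b) for b in blocks_of(pad(plaintext)))

def cbc_encrypt(key, plaintext, iv):
    # Each block is XORed with the previous ciphertext block before encryption.
    prev, out = iv, [iv]
    for b in blocks_of(pad(plaintext)):
        prev = toy_block_encrypt(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    # Number of ciphertext blocks that duplicate an earlier block.
    return sum(n - 1 for n in Counter(blocks_of(ciphertext)).values() if n > 1)

def sample_records():
    # Constructed fixed-width records: 16-byte account id + 16-byte flag field.
    flags = ["YES", "NO", "NO", "YES", "NO", "NO"]
    return b"".join(
        f"ACCT-{i:011d}".encode() + f"HIGH-VALUE={flag}".ljust(BLOCK).encode()
        for i, flag in enumerate(flags))

if __name__ == "__main__":
    key, data = os.urandom(32), sample_records()
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, data)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, data, os.urandom(BLOCK))))
```

Under ECB, anyone who sees the ciphertext can tell which records share a flag value without holding the key; under CBC with a fresh IV the repeats disappear.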
And make sure you wipe your asses with any FATCA forms and then send them in.
You can bet your ass there will be more than a few brown-tainted forms coming from me.
@Fred – If a bank wants my SS number it will be as follows:
Let the IRS work at getting it right.
@Alward J Broadman. Thanks for the morning giggles!
I’d like to keep up on the idea of a site for ISB in Europe. Please email me off-list.
It’s really strange that as we are debating here the possible theft of data sent to the IRS I have discovered this morning that my credit card has about €2000 of fraudulent use over the past 5 days, despite various safeguards and prudent use. This sort of drives home the fact, quite personally, that my data needs to be protected. I will therefore not give all identifying details of my accounts through FinCEN. That’s that.
@Don: hey! that’s my SSN too!
@seniorexpat: nothing happening yet…
We had our identity stolen some years ago. We found out that we had someone living in California with an apartment in our name and our credit card details. They had an apartment, electricity and gas accounts all in our name. I believe that it all stemmed from giving my SS number for the first time to the medical board of Ca (SS number was never required before for re-registration). It took us years to sort out the problems.
We now give out no information to anyone, or if required slip in some bugs.
One of the biggest risks comes when hiring a car in the USA: they have your name, address and DOB from your driving license and then your credit card with the 3 digit security code on the back (I cover mine with sticky tape!). Why does the USA not go to chip and pin like the rest of the world rather than a signature that can be forged? Have all hotel, car rental and sales clerks been given a 101 in signature recognition?
@Fred it is not a debate, it is a wide awake nightmare
The IRS is a data sieve, several billions of $$$ in fraudulent refunds every year from identity theft
the place is a hacker’s delight. The computers are several generations old, the programs are written in COBOL or Fortran77 possibly with lots of inline assembler that only retired programmers would understand
data transfers from FFI may not be machine or personnel secure
@Bubblebustin April 26, 2015 at 9:26 pm.
Yeah, those suits. They would make the politicians way more colorful (not to mention a dose of truth-in-advertising)!
IRS says thieves stole tax info from 100,000
AP is reporting that the number of taxpayers who had their data stolen is now thought to be 334,000, up from 100,000 reported in May:
Those responsible at Treasury for FATCA and FBAR data bases, such as Robert Stack, Mark Mazur and Jennifer Calvery, should expect that overseas Americans may hold them personally accountable for data breaches that result in death and injury to family members.
This is the AP article on the IRS data breach:
Yesterday a commentator on Bloomberg, Pimm Fox, said that he was annoyed by the IRS data breach because the taxpayers were doing everything right and the IRS was not doing its part to secure the data. He speculated that the $5.8 billion in fraudulent refunds may have exceeded the cost savings gained by requiring taxpayers to file electronically.
The IRS lost our cheque for 2014 taxes owed and now insist we send them a new one with interest. For an organization whose whole existence is to collect revenue, how is it they can lose a cheque?
This is a new and added absurdity for your family, right?
How can any of us think it is sane to go along with these fools year and year after year?
As a result of the data breach of the Ashley Madison website, data on its 37 million users are now available on the internet. Corey Nachreiner, CTO, WatchGuard is quoted as saying this: “The reality is, information stolen could lead to any number of hackers extorting money and blackmailing users for the rest of their lives.”
Treasury’s Robert Stack, Mark Mazur and Jennifer Calvery should be aware of the risk that collecting overseas Americans’ bank account data presents and ensure that this data is tightly controlled so that US citizens abroad are not extorted or otherwise harmed. Americans abroad may choose to hold these individuals personally accountable for a data breach.
As I mentioned on another site, regarding the “security” layer the IRS has for its IDES portal (you know, the one that all the banks and national revenue departments worldwide are supposed to use to upload YOUR financial information):
Unlike the IRS’ poor and indifferent security, Ashley Madison did protect users’ passwords with sophisticated encryption, according to Wired:
“Passwords released in the data dump appear to have been hashed using the bcrypt algorithm for PHP, but Robert Graham, CEO of Erratasec, says that despite this being one of the most secure ways to store passwords, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.” If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.
It’s notable, however, that the cheating site, in using the secure hashing algorithm, surpassed many other victims of breaches we’ve seen over the years who never bothered to encrypt customer passwords.
“We’re so used to seeing cleartext and MD5 hashes,” Graham says. “It’s refreshing to see bcrypt actually being used.” ”
The passwords protect the user accounts’ personal correspondence with friends and lovers, which would be highly sensitive. Wired indicated that the data that was in the open and stolen included: “The data released by the hackers includes names, addresses and phone numbers submitted by users of the site, though it’s unclear if members provided legitimate details. A sampling of the data indicates that users likely provided random numbers and addresses, but files containing credit card transactions will yield real names and addresses, unless members of the site used anonymous pre-paid cards.”
The CIA often stations its agents in embassies and consulates under fictitious names and titles. Peter Smith, CIA agent, becomes John Johnson, agricultural attaché at the US embassy in Beijing. The CIA obtains a real passport for the fictitious John Johnson and, with it, John Johnson rents an apartment and opens a bank account at 1st Bank of China.
This is where it becomes murky. Would Peter Smith file a US tax return and FBAR under his real name and social security number or under his fictitious John Johnson name? Since he would be required to complete a W-9 under his assumed name by the Chinese bank and his bank account data would be sent to the IRS under this name, it would seem that he would want to file his tax return and FBAR under the fictitious name so that there would be a match against IRS data.
On the other hand, if Peter Smith filed the tax return and FBAR under his real name with the correct bank account number at the Chinese bank, he would be at risk of exposing himself to Chinese government hackers who could match John Johnson’s bank account details, obtained under FATCA or outside of it, to Peter Smith’s FBAR data.
I don’t know how CIA spooks file tax returns and FBARs but if they are filed under their real names, the CIA might also be interested in having tax filing and FBAR data securely locked down. Irate overseas US citizens might be the least of FinCEN’s problems if FBAR data were stolen.
Your tax preparer has to protect your confidential info. IRS, not so much.
‘A comment by Patricia (appears to work for IRS): “These scammers are now also spoofing valid IRS telephone numbers. Use caution, and remember that an IRS employee will never threaten you, or berate you.”’
Unfortunately I write notes by hand instead of taping phone calls with IRS employees. Taping would be good. IRS employees do threaten and berate over the phone.
Some IRS employees cut me off when they discovered I was writing notes by hand. They’re only supposed to do that when they discover they’re being taped.
By the way, even when humans are the ones dialling IRS phone numbers, we can still get tricked. When the IRS changes phone numbers they let scammers take over the old numbers.
‘Due to a major FUBAR by the Home Office, tens of thousands of foreign residents’ passports were being stored in broom closets inside a parking garage in Croydon, while their new computer system was unable to process visa renewals, with up to a year’s wait to retrieve one’s passport, hence stranding all of us in the UK.’
Wow, a year. The IRS only holds passports a few months while rejecting (or approving) ITIN applications, and the Social Security Administration only holds passports a few months before returning them without either rejecting or approving. I vaguely recall the IRS reporting to Congress that people who need ITINs don’t even dare to apply because it takes months to get their passports back.
“The IRS lost our cheque for 2014 taxes owed and now insist we send them a new one with interest. For an organization whose whole existence is to collect revenue, how is it they can lose a cheque?”
TIGTA reported to Congress that IRS employees steal mail from IRS mail rooms, including mail containing cheques.
Some other instances that demonstrate that the IRS cannot be entrusted with securing and protecting the data it demands and collects:
February 18, 2016
Flawed Authentication May Have Exposed E-File PINs
by Luca Gattoni-Celli
Joseph Henchman, Letter to IRS Commissioner Re IRS Website Data Vulnerability