Tag Archives: CNAP

IRS Suspends Identity Protection Tool after Fraudulent Logins

12 March 2016

The IP PIN is an effective means to address the identity theft problem that caused the IRS data breach in 2015. An IP PIN is not as good as a physical second factor, e.g. a FIDO security key or a grid card, but it is better than easy-to-break identity verification questions. Moreover, IP PINs are easy to roll out by mail, and the implementation effort is moderate.

Unfortunately, IP PINs sometimes get lost and must be recovered. This means that we need a method for the unambiguous identification of a person. For this, the IRS uses easy-to-guess identity verification questions. On Krebs on Security we read:

‘The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.’

It is enough to drive one crazy!

Dear IRS,

the White House wants YOU to #TurnOn2FA! For more details, please see the Cybersecurity National Action Plan published on 9 February 2016:

‘Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.’

Have a good weekend.

CNAP – a comprehensive approach to cyber security

15 February 2016

I really appreciate the comprehensive approach of the Cybersecurity National Action Plan (CNAP), because the news of the cyber-attack on the Department of Homeland Security made one thing crystal clear:

It’s definitely not enough to focus on upgrading the U.S. IT security infrastructure. Security protocols must be reviewed and adjusted where necessary, and employees must be trained to apply them correctly.

Moreover, employees must be empowered to say “No, I’m sorry, this is not allowed!” whenever a caller cannot be unambiguously identified.

Take care!