Today was Tax Day in the United States, when we file our federal income tax returns. This has been an odd tax season in America for reasons that aren’t at all clear, but I am developing a theory that cybersecurity failures may shortly bring certain aspects of the U.S. economy to its knees.
I have been writing about data security and hacking and malware and identity theft since the late 1990s. It is a raft of problems that taken together amount to tens of billions of dollars each year in lost funds, defensive IT spending, and law enforcement expenditures. Now with a 2014 U.S. Gross Domestic Product of $17.42 trillion, a few tens of billions are an annoyance at most. Say the total hit is $50 billion per year, well that’s just under three tenths of one percent. If the hit is $100 billion that’s still under one percent. These kinds of numbers are why we tolerate such crimes.
One summer when I was in college I worked in the display department of a Sears store, helping a Latvian carpenter named Joe Deliba. When we needed more nails Joe sent me to take them from the hardware department. We stole as many of our materials as we could from the store, which chalked the losses up to shoplifting even though they were really going into a new display in Ladies Dresses. The store expected a certain level of losses, I was told, and as long as they stayed under about five percent it didn’t matter. I suspect that five percent number shows up in a lot of financial statements at places like banks and credit card companies where it is considered just a cost of doing business.
When PayPal was getting started back in the Peter Thiel and Max Levchin era the company had to absorb a significant amount of theft losses as they figured out their payment business, which ultimately came to be a huge security software suite with some money attached. At one point I was told PayPal had absorbed $100 million in losses, which for a company bankrolled by Sand Hill Road is a lot of moolah. But they figured it out and made it through.
The question I have today is whether we as a nation are at risk of not figuring it out or not making it through?
The past 12 months have been brutal in terms of personal and corporate financial information losses in America. There have been so many hacking cases — from Anthem to Target and a hundred others in between — that their names no longer matter. What matters to me is in the past year I have had to replace half a dozen credit or debit cards and received four offers of identity theft protection services paid for by affected companies or government agencies. Government agencies!!!
Now factor into this what we’ve learned so far from Edward Snowden — that our own government also takes our information and their methods of controlling access to it are pretty pathetic.
We know from all these hacking cases a lot more than we used to about when and how our data can be taken. We still don’t know much about the extent of actual financial damage because to date it’s been beneath that five percent limit set down at the Sears store. Banks are presumably losing billions every year but that’s okay, I guess, because they are making even more billions. It makes me wonder, though, how easy it might be to say something was a theft when it’s really some banker’s second home in the Hamptons. It’s just a thought.
There is definitely something going on that’s different this year. It’s not just the increased number of ID thefts reported (two million I’m told — just since February 15th!).
The Sony hack showed the sophistication of these attacks is well beyond the technical skills of most companies and government agencies. Cyber criminals can purchase the code and assistance they need over the Internet. The currency of choice is Bitcoin, because it is anonymous. These are significant — and disturbing — changes. But there’s more.
I get an inkling of it in my own dealings with the Internal Revenue Service. It’s not just that Congress has so cut the IRS budget that they can’t effectively enforce the tax laws anymore: I think the game has changed or started to change and the feds are scared shitless as a result. Here’s the least of it from a credible source: “It now seems very possible they stole data directly from the IRS and/or Social Security Administration. This attack appears to be huge. We could all be getting new tax ID numbers this year and next year we may all be filing our taxes by mail again.”
But wait, there’s even more! The traditional cyber theft mechanisms are hacking the system to steal minute amounts from many transactions; using identity theft to get false credit cards or file bogus tax returns with refunds; or gaining account numbers and passwords and simply draining bank accounts. The techniques for all these are well known and the loss thresholds have evidently been acceptable to the government and the financial system — again below five percent.
It’s simply too difficult to do enough of these thefts to exceed five percent before being detected and shut down. And so the system has long had an awkward equilibrium.
Willie Sutton, the famous bank robber, said he robbed banks because “that’s where the money is.” For the most part cyber theft to this point hasn’t been where the money is. It has involved relatively complex frauds involving not very big amounts of money.
What if that has somehow changed?
One fear I heard expressed many times last year was that this year we’d see a tsunami of fraudulent tax returns in January, but the IRS claims that hasn’t happened. But something else has happened, I assure you, because people I talk to in this area on a pretty regular basis are suddenly even more paranoid than usual.
At this point certain readers will come to the conclusion that I don’t know what’s happening, that possibly nothing is happening, that I’ve jumped the shark and it’s time to stop reading old Cringely. Maybe so. But all that I can say in defense is that Snowden showed we have an extensive and fairly incompetent cyber security bureaucracy dedicated as much to keeping us in the dark as keeping us safe as a people. If something were going terribly wrong — if something is going terribly wrong — would they tell us?
No.
Forget about bad tax returns and fake credit cards. What if what’s been compromised are the real keys to the kingdom — literally the accounting records of banks, sovereign funds, and even governments? A criminal could steal money, I suppose, or they could simply threaten to destroy the accounting data as it stands, casting into doubt all claims of wealth. What makes Bill Gates richer than you or me, after all, but some database entries?
I have reason to believe that the game has been compromised and significant change has to follow. Whatever tools we use today to determine who owns what and owes what are probably in danger which means new tools are coming. And with those new tools the financial system and the financial regulatory system and the data security system will probably change overnight.
I tell you it’s happening. I’m sure there are readers here who know about this. Please speak up.
This is more extreme than usual. I’m curious to see others’ comments as well…
Well, I got hacked. My electronic tax filing was rejected due to an identity fraud problem and I’m filing (late) by mail.
Furthermore, I’ve been called multiple times by a fraud team saying (in very bad English) that they are the IRS and I owe them money.
IRS got its budget cut because they were willingly used as tools to suppress the political liberty of conservative groups. They got what they deserved.
We as a country would be much better off if they did not exist and tax payment was purely voluntary. Then those who cared for the programs could take responsibility for them and PAY for them.
So I’m not crying for the IRS
I love watching conservatives try their hand at thinking logically …
I agree that a purely voluntary tax makes no sense at all. But as ridiculous as it is, it still makes more sense than “from each according to his abilities and to each according to his needs”, which ignores the role of incentives in life.
Instead of trying to take the money out of politics (or pretending to), let’s make it all about money. You get one vote for every dollar of federal income tax you actually pay. Then you can make it voluntary, no problem.
What’s hilarious is how the IRS managed to lose emails from 7 separate hard drives, thereby preventing Lois Lerner’s correspondence from seeing the light of day. This from the same government which (at the point of a gun) demands businesses archive their emails in the name of compliance (all the better to subpoena later).
Credibility makes a difference. Whining about budget cuts doesn’t change the integrity problem, and without integrity it’s really hard to stomach increasing their budget.
Re: “emails from 7 separate hard drives”. The news stories I read refer to her “hard drive” in the singular. No back-up-tape copies were available due to the 6-month retention schedule: https://www.politico.com/story/2014/07/irs-lois-lerner-scandal-e-mails-backup-109182.html
“Then those who cared for the programs could take responsibility for them and PAY for them.”
Sounds like “charity” to me. Which, I understand, is far more effective and efficient than government entitlements. But … charities don’t lead to voting blocs that can be relied upon to establish / keep a given person / party in power. So where’s the fun in that?
@F3sticks: The IRS was not picking on conservatives. They were picking on 501(c)(3) entities (tax exempt status because they are strictly engaged in education, religion, scientific research or charity purposes), that “somehow” got sidetracked into political activities that belie their non-tax purposes. They did this equally to a lot of 501(c)(3) entities on both the right and the left. They were later vindicated by a congressional investigation. The IRS are not engaged in politics by taxation. It is not in their interests to do so. Their job is too important. You want a dozen super-aircraft carriers that can strike anywhere in the world, you need the ability to pay for them.
Studies have shown, that people who watch Fox News are less informed than people who watch or listen to no news. You are one example of this. Thus stuff inside your head confirms your prejudices but is not consistent with reality.
Re: “Studies have shown, that people who watch Fox News are less informed than people who watch or listen to no news.” Yes they are less informed about the liberal agenda that permeates most Hollywood-based entertainment media, including OTA network news, MSNBC, and CNN. By watching conservative programming, they’ve learned to ignore the liberal agenda, hence becoming less informed about it.
“I’ve been called multiple times by a fraud team saying (in very bad English) that they are the IRS and I owe them money.”
Maybe the calls from abroad were real. Perhaps the budget cuts at IRS forced them to sub out some tasks to an Indian phone center. Clearly not what you like to see, but at least it shows some cost sensitivity, which is nice.
Re: “Maybe the calls from abroad were real.” I wouldn’t trust even a local call with excellent English speakers. Government agencies usually use the mail with verifiable addresses and phone numbers. You can talk to them or call back an unknown number, just say you can’t give them any confidential info by phone unless you can call back to a verifiable number.
Corporations want huge fines and remuneration for their “losses” from hackers.
Do these same “losses” show up in their stock market reports? I don’t think so…. I think they are “paper losses” designed to extract tax-free money from hackers. “Impaired goodwill” — that’s a whopper if I ever heard one.
Anyone? Bueller?
I have no idea what is going on behind the scenes. But maybe it takes some big hacker intrusion to knock those idiot CEOs and lesser Os in the head so they start worrying about security for a change, instead of watching how great their stock options are doing or deciding how to spend or invest their enormous and mostly undeserved salaries.
Maybe the days of “It’s not what you know but who you know” will finally come to an end.
There are other indications that the system is failing. My company has a phone number – it used to be that customers and people interested in our products and services would call us for information but those days are long past. These days 99% of the calls are fraudulent – no longer are they trying to ship us photocopier toner and bill us for it (that was in the 90’s) – nowadays most of the callers are offering loans but need our banking information, or telling us that our credit card terminals need a security upgrade … all blatant hack attempts.
And the police are not at all interested in this type of crime – they completely lack the ability to deal with it, possibly because all the money thrown at most law enforcement operations in recent years has gone on “terrorism” related expenditures – guns, MRAP vehicles and SWAT training.
And our government’s solution to this is – budget cuts.
Re: “most of the callers are offering loans but need our banking information, or telling us that our credit card terminals need a security upgrade … all blatant hack attempts.” If they are blatant, just ignore them. I have a huge black list of callers who can’t ring my phone again simply because the first time they called, they failed to leave a message, or if they did, it was unsolicited. Of course, a business has to answer, but it doesn’t have to provide information without checking credentials first.
All the more reason to cut the IRS budget and/or abolish it completely. With a flat tax there’s no tax returns to steal and no bureaucrats who hold the keys and destroy organizations based on their political affiliation. All organizations have been hacked or just don’t know it yet, or the hackers just don’t know they compiled their info yet. How is this shocking or news?
> With a flat tax there’s no tax returns to steal
Or, if the tax were on property, instead of the ghostly “income”, the bits on those databases could be automatically garnished with no further ado.
But that would collect tax from the truly rich, which is poorly received.
I’d only agree to flat tax if there was guaranteed basic income
Flat tax on everything means those of lower income pay more of a percentage to tax than those of higher simu due to them having the same required expenses. With guaranteed income you’d get rid of Social Security, TANF, food stamps and all that because necessities would be covered. Lots of overhead would be dropped due to it going to everyone, min wage wouldn’t be required, people would work for want instead of need.
But I want what I need and need what I want. Who decides who needs what?
You can’t eat an iPad.
If you’re implying food is a necessity, is it sufficient to be nutritious or must it also taste good? If you’re overweight, it may not be as much of a necessity.
“possibly because all the money thrown at most law enforcement operations in recent years has gone on “terrorism” related expenditures – guns, MRAP vehicles and SWAT training.”
Terrorism, I think not, you don’t need that sort of kit to fight terrorism. Controlling civil unrest once the system collapses is more likely
At least once a year I get a call from BofA asking “Did you just make a purchase of $X at location Y?”. To which I reply “No”. Followed a couple weeks later by a new credit card arriving in the mail. I haven’t used my debit card anywhere other than an ATM for years.
Once a year is way too often. What I would do is say, “I may have, need to check my records”, since I may have purchased something I did not recognize from the credit card listing. I may even decide to wait to see if it happens again before jumping to the conclusion that my card was hacked. The last time an unauthorized purchase happened on my card was when someone guessed my password at Walmart.com to make a purchase for store-pickup, and Walmart.com’s policy was to save credit card data from a previous purchase, for “your convenience”. But that was not a credit card breach it was a weak password coupled with a stupid company policy of accepting purchases for pickup at a store while saving credit card data from a previous purchase. Even then, I did not need a new card, since my card data isn’t visible on the site even to me. All I needed was a better password. I also complained to Walmart.com that if I delete my card data they should not simply use data saved from a previous purchase. If they need to change your card again, you might consider using a different bank.
“… would they tell us? – No.”
reminds me…
I can still see the newspaper headline when Greenspan said there was froth, tiny bubbles in the market. Pop!
When an American files his or her taxes electronically, it goes through a process of trust first – issue refund – verify later. If I know someone’s social security number and date of birth I can create a tax return in their name and have the refund deposited in my bank. (Anyone can find address, phone number, etc on the Internet.) In this return I can create some phony W2’s. There are websites that will calculate the precise FICA deductions that should be on those W2’s. To the casual observer the tax return will look authentic. With a few clicks in my favorite tax preparation software I can prepare the return, file it electronically, and in a few days money will appear in my bank account. That return won’t be checked by the IRS for months. Remember the first step of the IRS process is “trust first.” They assume all returns are legitimate.
Now imagine doing this on the scale of millions! That is exactly what has been happening this year.
The number of ID thefts being used to file fake tax returns is astronomical this year. Mine too. One of the steps of the process is to file a police report. When I did I found out how many others in my community also filed ID theft reports — over 40,000, about 4% of our county.
Another little tidbit: In the letter from the IRS informing me of an identity theft, they mentioned they were using the credit check agencies to verify tax returns. Think about that! One would think the IRS would have excellent data on us. They don’t. The commercial credit checking agencies have more and better data on us than the IRS. So do the credit card companies. If you haven’t noticed they’ve become very adept at spotting fraud quickly. Compared to them the IRS is in the stone age.
The biggest cyber crime of 2015 will probably be against the USA Treasury.
“Now imagine doing this on the scale of millions! That is exactly what has been happening this year.” – please elaborate.
Brian Krebs has been reporting on it. Starting here:
http://krebsonsecurity.com/2014/02/file-your-taxes-before-the-fraudsters-do/
Before last year I never knew of any friend or relative who had their identity stolen. This year, I know of about 5 or 6 people who had tax returns filed in their names. Anecdotal, sure, but it seems to be corroborated in a lot of reports I have heard, including here.
I work at a state level government agency in the West. A little over 20% of the people working here had false federal tax returns filed against their SS numbers this year. Scary.
Remember that Intuit spends a lot of money lobbying to make sure that remains the case. First World countries *do* already know what you owe them, or have a pretty good idea, and will more or less just send you the invoice to pay or amend.
Private business makes nothing but work. Why are Americans so excited to chase such degrading situations and counterproductive expenditures of effort?
Re: “Why are Americans so excited to chase such degrading situations and counterproductive expenditures of effort?” Sorry, I don’t understand. Which Americans? What situations or counterproductive efforts? How are they “chasing”?
Well, even third world countries know this information. In Mexico you only need to log in to the equivalent of the IRS and confirm the information (by law all the purchases and payroll payments must be backed by electronic invoices that are cryptographically signed by the issuer and the government in real time). So yes, the U.S. is well behind in this matter …
Social Security also uses private credit reporting agencies to verify information.
I also find this puzzling as the Feds have been able to amass huge amounts of data on each citizen.
I wrote a while back about what I call Ostrich Security. This is when a company DOESN’T WANT TO KNOW if it’s being hacked. The US government – by law- requires that you inform them if you detect hacking – and then they FINE YOU for every record hacked. Companies also sign agreements with their business customers that say that they agree to inform them if you detect hacking (intrusions).
So if you are hacked, then the fallout of you disclosing it could literally ruin your business. So WHY DISCLOSE IT? Or better yet, apply the principle of plausible deniability – if you don’t KNOW you’re being hacked, then you don’t need to report anything. I had a security engineer show me logfiles of attacks that continue over and over and then just stop – not because they gave up, but because they got in. He was muzzled – kept out of security meetings, had all of his actions micromanaged (he wrote the corporate security newsletter and then had to submit it for review before he sent it out to the company), prevented from “looking around” on his own, and when he spotted that activity I described earlier he brought it up to his superiors – only to have them ignore it. Needless to say, he left out of frustration and the company took their sweet time replacing him (he was the ONLY security person here at our datacenter).
Ostrich Security – WHAT security problem?
“One fear I heard expressed many times last year was that this year we’d see a tsunami of fraudulent tax returns in January, but the IRS claims that hasn’t happened.”
I personally know not one, but TWO, people who were victims of false tax return filings this year.
Maybe I’m an outlier. But if that is anything near typical, then it is a full-on tsunami of IRS fraud this year.
There are so many reasons why the income tax needs to be abolished and replaced with excise taxes and/or consumption taxes…but the fact that the Federal Government is so cluelessly incompetent is just one great reason. Bureaucracies by their very nature are sclerotic, unresponsive, and incompetent; but monopolistic bureaucracies like the IRS are the pinnacle of fraud, waste, and abuse.
But then again, now that I think about it, which is better– having hundreds of billions of dollars in the hands of the Federal Government, or in the hands of identity thieves? Frankly, the identity thieves couldn’t do much worse.
Glad to see you are getting back to basics – and money is about as basic as you can get.
But people’s attitude toward money is even more basic. And it seems to be “Grab it while you can! And let other clever people grab some for themselves too. Those who are not so clever, get took. Too bad for them.”
This is not just immoral – but immoral on a scale never seen before.
Seems the same scale we’ve seen across human history, not sure there’s anything new in mentality, only in technology. I’m not sure what period in history has been significantly different.
I am one of those people who had a fraudulent tax return filed in my name. I was lucky, the crook wasn’t very smart, they didn’t get the routing number correct and I got a cashier’s check in the mail for over $7000.00 (Did NOT CASH IT in case you’re wondering). But it did mean that I had to paper file my return, and now need to fill out a bunch of other forms. 🙁
Clearly someone got ahold of my SS number and tried to file a return with an earned income tax credit.
I think things are going to get worse before they get better. It in some ways reminds me of 2002-2008 in the Windows world. Today Windows computers are relatively secure, but it took a shit storm of hacks to force MS to secure its OS and Browser.
Two things need to happen in order for the situation to improve. 1. We need to remove the blanket protection that companies now have for what amounts to defective software. 2. We need to change the culture of IT. Right now the common refrain is, “We can’t build software that can’t be hacked. Any software can be hacked.” I don’t see structural engineers saying, “We can’t build buildings that don’t fall down.” I don’t see aeronautical engineers saying, “We can’t build planes that don’t fall out of the sky.”
The sad reality is that software engineering needs to grow up. Institute standards similar to other engineering fields and create processes that assure a quality product. Just a few days ago, MS patched a decades-old flaw in the embedded version of Windows XP.
https://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm
Regards,
Joe Dokes
Very well said, I think you nailed it. Ultimately, the problem is us: we have been so eager, as consumers, to rush after every new shiny thing without concern, we happily set this situation up. Until we say “enough” it won’t change, and I tend to question whether it will ever be to the point we’ll say “enough,” given the power of modern capitalism (as practiced) to socialize loss while privatizing gain.
I agree with your first point about assigning/assuming responsibility, but the second point based on a comparison between “real” engineering and software “engineering” is totally invalid. There are no limiting laws of physics/chemistry/etc applicable to logic, and that is all that software development is about in the final analysis. I learned that in COBOL coding back in the 70’s, and have not seen any real change in that underlying basis since then in other languages or application development tools. Read Bob’s recent column about Big Data, and see how even Google does not have a complete handle on its own BD creation as its AI component seems to be evolving on its own.
Certainly more rigorous logic in design, coding, and testing can be applied with some benefit, but there is not much obvious in the code itself if that does not happen due to a host of human factors such as trying to meet unrealistic deadlines and cutting corners in software budgets, and for retaining and training super programmers/designers when the fresh college grads and/or offshore coding shops and H1-B visa candidates seem “good enough”.
Programming is an art, not a science.
Did you even read the article he linked to?
It’s time to stop using Social Security numbers for anything other than applying/receiving Social Security & Medicare (which I understand has an extremely low fraud rate).
I believe the underlying problem is that for some crazy reason we have taken an account number and decided to use that number as proof of identification instead of as a tracking number. If someone were to propose assigning a national password that is based upon the place that an individual was born, they would be laughed out of the room, yet somehow we consider this normal. If instead of saying SSNs should only be used for a very limited purpose, we used them as the governmental account number for everything, things would be a lot simpler. It should be on my passport, driver’s license, voter ID card, checks, etc. If a company uses knowledge of someone’s SSN as proof of identity then they should be liable for all expenses incurred due to their negligence.
Software engineering and data security are quite grown up, thank you. But there’s only so much they can do when the law allows or even mandates that a company retain customer information, allows sharing private customer data between companies, and mandates that backdoors are baked into software or other sorts of unimpeded access. It’s a culture of zero customer protection compounded by outdated payment technology.
But the government and corporations are not the only ones at fault. We, the public, actually enjoy playing fast and loose, “money now, check later”. Would you be willing to give up credit in favor of debit? To give up almost instant credit checks in favor of a process that might take months? To give up paying with cheques? To use a Government-issued ID card?
Does anyone else here find the entire premise behind the above-linked article as disgusting as I do?
https://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm If that’s the link to which you refer, it’s old news from 7 months ago. What is the “premise behind it” that you find disgusting?
The basic idea that, having been screwed over by using insecure and not fit-for-purpose Microsoft products to begin with, you should continue that madness by purchasing even MORE of those products, even if they are “updated”. History has shown that any improvements here in the Microsoft world are only temporary, at best, and these updated products will no doubt eventually turn out to be just as insecure as the earlier products, or almost so.
Frankly, it simply astonishes me that “kids these days” can’t seem to think outside of the Wintel box! But throwing good money after bad (which is really what they’re saying in the article) isn’t anything new, I guess.
Re: “History has shown that any improvements here in the Microsoft world are only temporary” I’d agree, if we replace “Microsoft” with ” “. That applies to everything, hardware, software, biological, or physical.
Your engineering examples are good but not as you state. Many buildings have collapsed. Many earthquakes have demonstrated that we cannot build an earthquake proof building. We can build a building that will withstand a specific level of stress.
Many years ago, watch manufacturers advertised Waterproof watches. Today they are water resistant to a specific depth. Water is used to cut steel.
To anyone who thinks connected computer systems can be “secure” I answer “RSA’s secure network was hacked”. (RSA is a leader in secure networks.)
All security whether it is structural integrity, facility security or anything else is rated to some level of threat. For network security this measure is – how long it takes a motivated skilled hacker to gain access.
I live in a community of 5,400 residences. So far this year we have had 2 police reports related to identity theft – both for federal income tax returns filed fraudulently by imposters. Over the next couple of months there may be an increase in those types of reports – but, so far it does not seem to be a huge problem.
Example of police report:
Officers were dispatched to Police Department headquarters in reference to a case of identity theft. Upon the officer’s arrival, the victim stated an unknown person(s) used her personal identifying information to file a fictitious IRS income tax return.
another:
At 10:01 pm, an officer was dispatched to Police Department headquarters in regards to a case of identity theft. The victim(s) stated she received a call from her accountant stating that her and/or her husband’s social security number was used to file a fictitious income tax return.
another example:
At 3:38 pm, an officer was dispatched to Police Department headquarters in regards to a case of identity theft. The victim stated he received a rejection notification from the internal revenue service IRS informing him that they received more than one tax return using his social security number.
another!!!!!
An officer was dispatched to the xxxx block of Xxxxxx to see the complainant in regard to personal identifying information being used to file a fraudulent federal tax return on their behalf. The complainant was made aware this date, as they prepared to file a return with the IRS, through their certified public accountant.
another:
At 12:23 pm, an officer was dispatched to a residence in the xxxx block of Xxxxxx in reference to a report of identity theft. Upon the officer’s arrival, the victim stated an unknown person(s) used his personal identifying information to file a fictitious income tax return.
So… in this week’s report there were 5 instances of fake income tax returns in a community of 5,400 homes.
We don’t need “readers” to speak up, we need these shadowy experts whom you’re paraphrasing to speak up. So far, this is all useless anecdotes, so I hope some journalism will prevail and useful sources found.
I’m more concerned re “At this point certain readers will come to the conclusion that I don’t know what’s happening, that possibly nothing is happening, that I’ve jumped the shark and it’s time to stop reading old Cringely,” by your – of all people – insistence “Snowden” showed us something when Snowden only filled in a relatively minor 20% of the picture that was/is already known (and which is why Snowden’s “revelations” are good media hype but have not actually made a significant change on America’s divided opinion and ultimate toleration of government surveillance programs).
Why do Americans need some authority figure to tell them what they’re seeing? Can you answer a simple question for me: “Why would anyone in power say anything that would diminish their own status when their power protects them from having to do so?” Can’t you people grow up, put down your flashing screen toys and join the real world already instead of avoiding it?
Re: “Why do Americans need some authority figure to tell them what they’re seeing?” Because the anecdotal experience of a few people is not proof. That’s why we have credentialed specialists within dedicated disciplines.
Are you still sore about that Treaty of Paris thing?
That’s how movements like the anti-vaxxers movement get going. Correlation != causation.
“Identity theft” is a lie. There is no such thing as “identity theft”, it’s all fraud. The term “identity theft” was created to put the burden back on the consumer, away from financial institutions. The actual problem is that the cost of actually verifying identity is higher than financial institutions want to bear. Most of the cost would be in missed loan opportunities. Financial institutions don’t want to bear the cost of verifying identity so they experience fraud (surprise!) and then tell us that somehow we have to protect our identity. It’s insane.
If it was legally required that you appear in a bank with an ID to get a loan or a credit card, imagine what would happen to “identity theft”. There’s nothing wrong with filing electronically, but how about having people come to the post office, with ID and a thumb drive, show ID and sign a log, then file from there?
You hit the nail on the head. By piggybacking on the SSN, never designed to be secure, the financial people got a free ride to identity and a way to maximize profit at the cost of individual consumers. If we spent one half of what I’d lost on fraud to developing private sector IDs and using those instead we’d be much more secure and see fraud levels drop. But right now the cost of fraud is a cost of doing business and they are OK to live with it.
Thinking about SSNs: I taught college for a couple of years way-back-when, and in the attic somewhere I have my gradebooks, with all of the students’ names and ID numbers, which back then, were their SSNs.
I probably should dig them out and burn them…
Someone filed a fraudulent return using my SSN this year.
In learning more about this, I found the IRS has a site where you can request transcripts of past returns online. Yes, someone had created an account there using my SSN as well. If you have a SSN and some minimal information the IRS verifies your identity asking questions that can be easily searched online. “what year was your house built? etc.”
You may want to create your account before someone does it for you.
https://www.irs.gov/Individuals/Get-Transcript
About once a month I get a notice that some site is adding verification questions “to improve security.” This is a laughable premise, only adding another attack vector. So now some criminal can look up some public information about me and easily social-engineer his way into my account – thanks!
The extra thing going on at the IRS is the Obamacare mess. They rewrote the rules they themselves had issued so they could hand out more subsidies, and interpreted eligibility ignoring the law that was actually passed.
Estimated only 4% got the correct subsidy, and the IRS has to deal with the differences, in both directions.
I humbly propose a corollary to Godwin’s Law: as an online discussion grows longer, the probability of comparison to Obamacare approaches 1.0. Or at least 0.58 raised to the nth power where n is the number of commenters.
You probably mean elevated to the -nth power.
That would make the probability greater than 1, which makes no sense. But this would work: “1-.58exp(n)”
That was very funny. Perhaps a corollary that includes “flat tax”?
This is hilarious. I love it. 🙂
“It now seems very possible they stole data directly from the IRS and/or Social Security Administration. This attack appears to be huge.”
I spent several minutes trying to understand what this passage means. Who are “they”? Which attack? My final best guess is that the speaker was trying to say someone has done something big and bad, and *the government has kept it secret*. If we believe this, it is definitely a big deal. Is your source really that credible? Have I misunderstood the quote?
You should write something about Facebook’s real name policy, which even affects people using their real names just because FB staff won’t recognize them as real.
Three people where I work (a 4-yr Univ) have contacted the Information Security Office in the past month because their tax returns were fraudulently filed and some crook got their tax return. Three isn’t a lot among 1,200 employees but I know tax fraud IS happening and those SSNs didn’t just magically appear. Someone hacked them at some point and is now cashing in.
“…people I talk to in this area on a pretty regular basis are suddenly even more paranoid than usual.”
These people are not paranoid because they know something we don’t. They are paranoid because they are afraid of what they don’t know. Target, Sony, Home Depot, Anthem, these are major players who should have been able to protect themselves, but couldn’t. Now everyone is rightfully terrified of being the next Anthem, and they have no idea how to prevent or even detect it.
Here is something I stumbled on the other day that ties in to what you are writing about.
http://keepamericaatwork.com/i-now-know-for-a-fact-why-i-cant-get-hired-at-the-veterans-administration-h-1b/
Apparently millions of names and their data were breached, yet I’ve heard little about it.
What if you could hack every bank account and take 1 cent every week or month? Nobody would care or even look. Easy money! Sheesh, that’s scary!
Rog
I find this funny, because a bank has already done this for out of country credit card buys and then using the wrong exchange rate. They lost the class action lawsuit.
I got a Citibank VISA a couple of months ago. Before the card even arrived they were already calling me to verify charges. They actually ended up sending more replacement cards than billing statements before I’d had enough and closed the account.
In my whole life I’ve only ever had one other card hacked. I can’t chime in on the IRS but Citibank is p0wn3d!
We had a similar situation recently involving driver’s licenses. It turns out that the printing centers had been compromised, such that your DL could have been used for identity theft before you even received it – or shortly thereafter – because fake duplicates were being printed. Eventually everything was gutted, centralized, and locked down hard. I understand that at least some of the current credit card issues have a like cause, so now those facilities are having to submit to a whole new range of much tougher security measures.
A few years ago, as a favor to a friend who had moved back to Nigeria, I did her income tax. When I tried to E-File the return was rejected by the IRS because someone had already submitted a fake return in her name. The ultimate irony is that her late father was a prince of his tribe of half a million people. No, I am not making this up.
My coworker had someone obtain a $10K tax refund using her name/SSN. Her accountant claims that she has seen hundreds of these this year. Hundreds. For one accountant.
The accountant was previously told that Uncle Sam would supply a PIN for those with compromised SSN. They don’t even bother issuing PINs anymore as they were also compromised.
I think Cringely has found something big about to break open!
Another anecdotal datapoint: A relative had a fraudulent federal return filed in her name this year. First time for anyone in my circle of acquaintances. She has always had her taxes done by a paid preparer, never a DIY efile.
Bob, re: “I have had to replace half a dozen credit or debit cards”. You realize, if you only had one, you could lower the number of replacements significantly. Try using a credit freeze, at the 3 agencies.
Paychex was hacked. About 20-30 people at my company alone had fraudulent returns submitted. Basically anyone who received a refund and efiled last year was hacked. This was about 30% of people in our office. So yeah, I’d say it is pretty bad. We are moving from Paychex to ADP. Incidentally, I’ve heard almost nothing about it in PAYX stock news.
Paychex allows companies to send SSN#s in e-mail. ADP will not do this, requiring a separate ADP number for each employee. This makes things more difficult for automated processing, but is more secure.
In the case of SSN theft, prompt notification to the victim would help.
qsys.us/ssnalert
Bob, in your old stomping grounds (Ohio) we’re seeing the other side. The state is verifying some returns before issuing refunds. Two of my co-workers had to jump through hoops before they could get their refunds. The requirements are reported to include things like “send page 2 of the booklet you used to prepare your taxes.”
What’s the downside if tax agencies stopped doing direct deposit? Pay a pittance of the cost of properly verifying returns to ship paper and put the burden on the postal service.
Yep, one of my children and myself each received the “verify who you are” from Ohio. Actually I got two of them for myself due to School Income taxes.
I figured it means we were the second filing for the same refund…. but who knows.
I was later told that 10% were being verified (not sure where that came from though).
Maybe as far as refunds go, just trying to stay near 0 on the refund may help, maybe not if they make up enough deductions to get an exaggerated refund.
As far as the actual problem, we are all so screwed. How do you prove you own something these days? I suppose the copies of paperwork we all stuff in a drawer may help.
Will anyone bother to read the paperwork you have when the bank systems clearly show that someone else owns YOUR home?
A large part of the problem is direct deposit and the lack of banking security – mailing checks to the recipients would solve half of this problem and making real verified banking services to everyone would solve the other half of the problem.
What would be the point of filing a fraudulent return if all you got was a paper check that you could not turn into cash?
So, solving the problem and preventing fraud is quite easy – but it will not happen because too many corporations are making too much money from the existing system.
Re: “What would be the point of filing a fraudulent return if all you got was a paper check that you could not turn into cash?” Perhaps I’m missing something, but in order for a fraudulent return to work, the fraudster has to impersonate the taxpayer well enough to convince the IRS to use the fraudster’s account number, which has a different name associated with it than that of the taxpayer. The bank and the IRS would have to ignore this red flag. If the fraudster used his own address in the case of a mailed check, all he has to do is sign the back of it matching the taxpayer’s name, which turns it into cash. Then he would mail it to his bank for deposit to his own account. If his bank questions him he can say the taxpayer turned over his refund check as partial payment of a debt. Either way, red flags would have to be ignored.
Intuit returned my electronic tax filing this year because either my (primary) SSN had been used as joint on another filing or my wife’s (joint) SSN had been used as primary on a return. I was told the only option was to file paper (PAPER!) and let the IRS reject it again as no other information is available. Clearly no one has the tools to resolve this and Jonathan Q Consumer ends up taking the brunt of it. Per Bob’s article it wouldn’t surprise me in the least if entire databases were corrupted or brought into question. Bad credit data alone could bring lending to a grinding halt.
Tools are available, but the IRS has no money in the budget to use them effectively.
Which would be great if people want to kill off the IRS, but those same people are also the ones who want to send the military overseas, make sure potholes and interstate repairs are completed, and get help when the next hurricane/tornado/earthquake shows up in their neighborhood. You can’t have it both ways.
Re: “I was told the only option was to file paper (PAPER!) and let the IRS reject it again”. Who told you that? I’d at least consult a few tax attorneys or CPAs first. (If this problem were widespread, it would at least make the evening news.)
Yesterday, my wife and I received an IRS refund for $15,000. Not ours. Apparently the thieves made a mistake. The IRS noted that they had tried to deposit electronically, but the bank refused. So they sent a paper check.
The hackers have our names, address, birthdates, and both Social Security numbers. Both sets of personal information could have been found together at only three places: Wells Fargo, Charles Schwab, or the government.
Therefore, most probably, some big database has been hacked, and millions of us are affected.
Now, where is the layoffs, or were?
There are those who take security seriously, do their best and are still breached. Then you have these idiots.
I was called out to a local Physicians Group to look things over.
Half of the computers had no anti-virus (all Win 7 boxes, w/ expired Norton), and half are XP machines.
When I tell them they need to replace the XP machines due to security concerns and HIPAA, their response? “We’ll wait for them to fine us.”
They don’t give a rat’s tush about your security.
So if you’re in Central California, beware of a certain Ob/Gyn…
Re: Half of the computers had no anti-virus (all Win 7 boxes, w/ expired Norton). Microsoft fixed that issue in Windows 8 since their free antivirus comes installed by default. (This is a reply to a previous post on the same date.)
Bob, are you writing a treatment for a remake of Sneakers?
If you want a high quality government service, then you must pay for it! Look at Singapore: they get the brightest and best to go into government by offering government employees high salaries and then reviewing their performance and pushing them to achieve and checking that they do not get any income from corruption. It has been done before, America – just look outside your borders for once.
Understanding human nature tells us that corruption cannot be eliminated. Now Singapore’s policy of severe punishments like 100 lashes with a cane or death for corruption might achieve some results compared to the US version of allowing the corrupt to attain high office.
Looks like Singapore is accompanied by Afghanistan, Malaysia, and Taiwan http://en.wikipedia.org/wiki/Caning_in_Singapore . The article also lists several “Objections to corporal punishment”, so it’s clearly left over from the 19th century, and uncommon on a global scale. It may be the least expensive form of discipline, depending upon who pays the medical bills. 🙂
In Nobel Laureate and Economic Historian Douglass C. North’s “Structure and Change in Economic History” he tells the story of the collapse of Rome (pages 100-115). Accordingly, the Roman Legion still held the tactical edge of all the barbarian invaders, but the edge had thinned, which meant that Rome needed more and larger armies. However, wealth and power had become highly concentrated. 6 senators, alone, owned half of North Africa. The wealthy and powerful used their influence to avoid paying taxes. The empire, at the time when it controlled ALL the resources of Western Civilization, when that included Turkey, the Levant, Egypt and North Africa along with the better part of Europe, lacked the political will to raise enough money to defend itself.
Shortly after this, I watched on the History channel a documentary where they showed hieroglyphics from Egypt that say the same sort of thing brought down Ancient Egypt’s New Kingdom. I’ve read a book on Islamic history that says the rise of Islam was in part a reaction to the concentration of wealth in Mecca. I took a class on Japanese law and learned that the same thing that happened in Rome happened in medieval Japan. Since it was an island state there was no invasion, just a collapse into chaos, a two century dark age followed by a warring states period. I found a used book on the collapse of Byzantium that basically said the rich took over management of the country, confiscated property from farmers whose property right was in exchange for military service, and instead depended upon cheap mercenary hires. The first great test of this system, the battle of Manzikert in 1071, lost them all of Anatolia, which led to them begging for help from the Pope and the Crusades, but never ever recovering Anatolia, their heartland. I later read that similar dynamics led to the collapse of Hapsburg Spain, Bourbon France, and Romanov Russia. Taxes are a fundamentally necessary component for civilization. You may not like the rate you are charged, but it is sheer lunacy and greed that resents its existence outright, and the outcome of that has repeated itself down through history. Seems to me there is a fine line between arch-conservatism and a fetish for destruction.
I’ve been expecting ecommerce to become untenable for some time now. It can’t be made secure. The internet was never designed to be what commercial interests have tried to make it. Demanding it be a financial platform will destroy it for everyone. The possibilities are not “endless”. Not everything should be on the internet.
Re: “Not everything should be on the internet.” From a bandwidth standpoint, short financial transactions are ideal for the internet. Security is challenging, but not impossible, and definitely worth the effort. What makes less sense is the current internet video model of streaming separately to each and every device at the exact instant that the video is viewed. That’s extremely wasteful of bandwidth compared to the OTA or cable TV model where everyone turns on their viewing or recording device to tap in to a single stream of data.
What do you think of this ratchet effect on CEO pay?
https://www.aei.org/publication/a-ceo-explains-why-ceos-make-so-much-money/
Oh, look at this….
Thieves steal tax data for 100,000 from an IRS website
The Internal Revenue Service is warning that intruders stole tax data for 100,000 people between February and May by taking advantage of a flaw in the agency’s transcript website.
https://www.engadget.com/2015/05/26/thieves-steal-irs-tax-data/
And today the AP is reporting that hackers stole Social Security numbers of “every federal employee”. Cringely was right, something very big was going on.
Thanks for this useful article