May 18, 2017

Identity thieves who specialize in tax refund fraud had big help this past tax year from Equifax, one of the nation’s largest consumer data brokers and credit bureaus. The trouble stems from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.

In a boilerplate text sent to several affected customers, Equifax said the unauthorized access to customers’ employee tax records happened between April 17, 2016 and March 29, 2017.

Beyond that, the extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, and Equifax refused requests to say how many consumers or payroll service customers may have been impacted by the authentication weaknesses.

Equifax's TALX -- now called Equifax Workforce Solutions -- aided tax thieves by relying on outdated and insufficient consumer authentication methods.

Equifax’s subsidiary TALX — now called Equifax Workforce Solutions — aided tax thieves by relying on outdated and insufficient consumer authentication methods.

Thanks to data breach notification laws in nearly all U.S. states now, we know that so far at least five organizations have received letters from Equifax about a series of incidents over the past year, including defense contractor giant Northrop Grumman; staffing firm Allegis Group; Saint-Gobain Corp.; Erickson Living; and the University of Louisville.

A snippet from TALX’s letter to the New Hampshire attorney general (PDF) offers some insight into the level of security offered by this wholly-owned subsidiary of Equifax. In it, lawyers for TALX downplay the scope of the breach even as they admit the company wasn’t able to tell exactly how much unauthorized access to tax records may have occurred.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote Nicholas A. Oldham, an attorney representing TALX. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

ANALYSIS

Generally. Forensically. Exactly. Potentially. Actually. Lots of hand-waving from the TALX/Equifax suits. But Equifax should have known better than to rely on a simple PIN for a password, says Avivah Litan, a fraud analyst with Gartner Inc.

“That’s so 1990s,” Litan said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN.”

Litan said TALX should have required customers to use stronger two-factor authentication options, such as one-time tokens sent to an email address or mobile device (as Equifax now says TALX is doing — at least with those we know were notified about possible employee account abuse).

The big consumer credit bureaus like Equifax, Experian, Innovis and Trans Union are all regulated by the Fair Credit Reporting Act (FCRA), which strives to promote accuracy, fairness and privacy for data used by consumer reporting agencies.  But Litan said there are no federal requirements that credit bureaus use stronger authentication for access to consumer data — such as two-factor authentication.

“There’s about 500 percent more protection for credit card data right now than there is for identity data,” Litan said. “And yet I don’t know of one document from the federal government that spells out how these credit bureaus and other companies have to protect PII (personally identifiable information).”

Then there is the small matter of the questions that ID thieves were able to successfully answer about their victims via TALX’s online portal. Security experts have been warning for years about the waning effectiveness of using so-called “knowledge-based authentication questions” (KBA) — such as details about the consumer’s historic location and financial activity — for online authentication.

The problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

What’s more, many of the companies that provide and resell these types of KBA challenge/response questions have been hacked in the past by criminals that run their own identity theft services.

“Whenever I’m faced with KBA-type questions I find that database tools like Spokeo, Zillow, etc are my friend because they are more likely to know the answers for me than I am,” said Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI).

In short: The crooks broadly have access to the data needed to reliably answer KBA questions on most consumers.

Litan said the key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.

Identity thieves prize the W-2 and payroll data held by companies like TALX because they can use it to file fraudulent tax refund requests with the IRS and the states on behalf of victim consumers. According to the Internal Revenue Service, some 787,000 Americans reported being victimized by tax refund fraud last year.

Extra security and screening precautions by the states and the IRS brought last year’s victim numbers down 50 percent from 2015. But even the IRS has struggled with its own tax fraud-related security foibles tied to weak consumer authentication. In 2015, it issued more than $490 million in fraudulent refunds requested on behalf of hundreds of thousands of Americans who were victimized by data stolen directly from the “Get Transcript” feature of the IRS’s own Web site.

It’s worth noting that – as with the TALX incidents — the IRS’s Get Transcript fiasco also failed because it relied primarily on KBA questions asked by Equifax.

Tax-related identity theft occurs when someone uses a Social Security number (SSN) — either a client’s, a spouse’s, or dependent’s — to file a tax return claiming a fraudulent refund. Thieves may also use a stolen Employer Identification Number (EIN) from a business client to create false Forms W-2 to support refund fraud schemes. Increasingly, fraudsters are simply phishing W-2 data in large quantities from human resource professionals at a variety of organizations.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

“If the federal government is smart, they will consider suing Equifax for false returns filed using W2 information stolen from TALX customers, since this is exactly the sort of mass scale attack that even the most basic SMS-based 2-factor would block,” the ICSI’s Weaver said.

It’s high time for consumers to come face-to-face with the reality that the basic data needed to open new lines of credit on them or file taxes in their name is broadly available for sale in the cybercrime underground. What little consumer data that cannot be found in the bowels of the Dark Web can be coaxed out of countless poorly-secured and automated services like TALX that hold extremely sensitive consumer data and yet safeguard it with antiquated and insufficient authentication measures.

In light of the above, the sobering reality is that we have no business using these static identifiers (SSN, DOB, address, previous address, income, mother’s maiden name) for authentication, and yet this practice remains rampant across vast sectors of the American economy today, including consumer banking, higher education and government services.

Predictably, Equifax is offering identity theft detection services (for two years) to employees of TALX customers. Loyal readers here know where I come down on these credit monitoring services, because nobody should confuse these services with a reliable method to block identity theft. The most consumers can hope for out of a credit monitoring service is that it alerts you when ID thieves hijack your data; these services generally don’t prevent ID theft. Also, they can be useful for helping to clean up after a confirmed ID theft incident.

The consumer’s best weapon against new account fraud and other forms of identity theft is the security freeze, also known as a credit freeze. I explain more about the benefits of the freeze as well as other options in multiple posts on this blog. I should note, however, that a security freeze will do nothing to stop fraudsters from filing phony tax refunds in your name with the IRS. For tips on avoiding tax refund fraud, check out this post.


31 thoughts on “Fraudsters Exploited Lax Security at Equifax’s TALX Payroll Division

  1. Jack Wagon

    Credit Reporting Agencies are subject to GLBA. Someone with Litan’s credentials, background and experience should know this.

    1. Dave F

      The problem with GLBA and the Fair Credit Reporting Act is that they are designed to protect the credit reporting agencies, not the individual. We have the best government that money can buy.

    2. Avivah Litan

      You’re right Jack but I was referring to regulations that specifically mandate and enforce strong authentication of the individual who is accessing their records.

      1. Tim Rohrbaugh

        Avivah, to be more specific there are two actions (ID Verfication and Authentication) that should be addressed and at least at one of the bureaus does define this formally … The distinction between the two actions I mentioned is important. The first time someone arrives you must verify who the person is (ID Verfication) before you agree how to authenticate e.g two factors. KBA is important for ID verification but no for authentication.

        1. Avivah Litan

          Thanks Tim, right I get that re verification vs. authentication. Good to know one of the bureaus has strong verification and authentication policies. Is that enforced by the bureau across its network? Also which bureau is that? Just curious 🙂

  2. IRS iTunes Card

    The below is 100 percent true, because I’ve tested this statement out a few times, and succeeded .

    “The problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.”

    1. Wayne

      When a fairly trivial web site wants me to answer questions like this, I go off-the-wall. The first car that I had? Ferrari. Mother’s maiden name? Ozymandius. Then I log them in MSecure on my iPhone, which is encrypted.

      I find KBA questions at aggregators to be almost impossible for me to answer because of the inaccurate information they have on me.

  3. PIE - Personal Information Exposed

    Well I had the pleasant experience in being affected by this. The previous year I had the pleasure of someone filing taxes for me (unauthorized), so this year I had a separate PIN so they could not file for me this year. I got an email to my corporate account informing me that I had changed my pin and by the time I got through to a person that understood what I was talking about it was over an hour later. With the OMB breach all of my data is out there anyhow. Oh and they generously provided me the credit monitoring (on top of the ones I already had for previous breaches). When are the companies (especially ones like this that are trusted with handling tons of consumer data) going to be found liable? I did immediately freeze my credit so I got that going for me which is nice … lol.

  4. SeymourB

    I almost feel like hiring a crook to figure out the KBA questions since so far I’ve been stymied at answering them.

    On the other hand since I’m one of the few people who doesn’t document his entire life on social media I think the crook would have an equally hard time with them.

    1. Acarolenensis

      Agreed. On annualcreditreport.com I always end up always having to make a written request because KBA questions are so ambiguous. Answer what is literally true? Guess what they think the answer is? Because of the credit agencies’ incomplete, missing and/or misinterpreted info I never get in.

    2. Michelle

      I know what you mean! I’ve been trying off and on for about 2-3 weeks to use USPS Informed Delivery service. I am trying to verify my identity online so I can use the service, but I’ve failed 4x so far in trying to verify it is me! After each failed attempt, I have to wait another 48 or 72 hours until I can try again. Some of the questions are unbelievable as they are so “out there” or asking about something that is no longer relevant (outdated information) such as what year my is. I haven’t had the vehicle in over 10 years. I was able to use Zillow and some other googling for help, but there is always 1-2 questions that I can’t seem to answer correctly.

      1. Michelle

        That was supposed to say “asking about something that is no longer relevant…what year my (vehicle) is.”

      2. vb

        I’m having the same trouble with USPS KBA question. They keep asking me for my nickname. I have no clue what they think my nickname is. I don’t have a nickname.

        They asked for the year my house was built. My house is over 100 years old. There is no definitive answer to that question. I used Zillow to find one possible year, that’s the one they probably use.

    3. Notme

      Let me have a shot at it I love games like that one!

  5. vho

    Yes its nice to be faster then crooks or quick to freeze credit.
    but its extra fcking work. If anyone touch my idendenty…
    or doing some funny things,i will find the person and make him pay forever. IM not clown neither im into circus !!

  6. Chris

    I never use real kba data where possible
    I use a password manager to store the site specific kba data that I have created by generating an alpha (alpha numeric where possible) password for the text based kba and memorable words.

    I store that in the notes section of the password manager for use when needed.

    My mother’s maiden name is gtrqckpkja

  7. Steve C

    Why do we feel that a 4 digit pin is so secure? 1 chance in 10,000…..much better than any state lottery yet we insist on using only 4 digit pins to protect our privacy while pouring billion$ into state lottery games of chance.

    1. Derp, Dr. Herp

      Because a $1 lottery ticket costs a lot more than a password guess attempt.

  8. Andrew None Rossetti

    Speaking of using a 4-digit PIN, Intercontinental Hotel Group also uses only a 4-digit PIN for their rewards program login. How any company can use a 4-digit PIN is simply unconscionable in today’s world.

  9. Mel

    The deep problem here is that security is the deadly enemy of business-as-usual, and vice versa.
    A 4-digit PIN is useful because an ordinary user isn’t likely to get it wrong and be locked out of the service. Of course, it’s bad, as we’ve just said, because it gives a criminal user too much of the same advantage. Little facts that are too obscure for criminals to find easily turn out to be too obscure for people to remember. We try to tie secure access to the user’s phone and we find that users legitimately have to change their phones, and if *that* process were to be made too secure (by the phone provider — a 3rd party to all this) then people could be cut out of their phone service.
    In the ’80s I tried to lead some colleagues into using PGP for email, so we could discuss proprietary company issues remotely. Besides the government wanting to make that illegal, the key management and little added rigmarole around using email were more than they wanted to put up with. And so it went.

  10. olx

    Its bs and Circus.all of you play along you are idiots.

  11. BlasterMaster

    The problem you Americans have is that your whole security setup is ages out of date and no one wants to put it right because it costs too much. In the UK we are faced with similar problems, but its much harder due to the fact we are extremely adept at queuing for ages to physically see someone. CC fraud still happens, ID fraud still happens, but honestly, a country that still uses magnetic stripe info on credit cards in today’s age is just begging to be ripped off… and you are being ripped of every second of every minute of every day. In the UK we have Chip and pin, but HAVE to provide BACKWARDS compatibility for American tourists and the like because their credit card companies refuse to foot the bill for the massive upgrade… which incidentally is probably about the same cost of a years worth of fraud…. and how many years has it been easy to clone an american credit card ??? do the math… speak to your senator, march on wall street…. all from the comfort of your armchairs..

  12. Robert Scroggins

    Thanks, Brian, for shining the light of knowledge on another hacking incident caused by negligent security on the part of organizations that should know better.

    Regards,

  13. Peter

    Of course there is a flip side. After all, these static identifiers (SSN, DOB, address, previous address, income, mother’s maiden name) are not so much used for authentication, but also for identification. It is the latter part that is the issue.

    After all, once you have signed up you can use multi factor and other smart mechanisms, but you still need a method to verify a user during initial setup. Stand still for a second and consider what it means if one cannot use static identifiers.

    That’s right, then one would have to use mailed out papers with for instance one-time setup codes!

    Some organisations are already doing that, but it also means that customers cannot sign up quickly and one needs a reliable mailing address. For payroll cases that is likely not an issue, but in consumer oriented situations, the same customers that are now outraged that their data is stolen, will be outraged that signup and password reset will now take a week or so. Plus all the pain when they moved and their address data is outdated, just at the moment they need an urgent password reset.

    Convenience and security here are often at war.

  14. jpa

    I use a random answer for personal questions that will be used to authenticate me. I save the questions and answers for each website in a secure file. Its a pain, but I’m not worried about someone guessing that my first boss’ name was vissoOORNgi7.fir4 and even if they managed to for that site, its a different random answer for the next one.

  15. Regret

    The misspelling of “hand-waiving” is unintentionally funny.

  16. Dee

    After so long of reading these reports I have come to a conclusion…I don’t think the corporations or the government give a flying flip about anybody or their data. In my opinion I think someone should go in…especially the credit bureaus and just erase ALL the data. Just erase it. Give everyone a clean slate. And give a BIG FU to them all.

    1. Derp, Dr. Herp

      A more evolved society than ours would recognize a constitutional right to the use of pseudonyms.

  17. Derp, Dr. Herp

    > There’s about 500 percent more protection for credit card data right now than there is for identity data

    Um, duh — you can refuse to provide your credit card to people who ask for it, but you often aren’t allowed to refuse to identify yourself.

  18. John Kelly

    Some months ago I came across a set of news stories about a web site familytreenow.com. It claims to be a genealogy web site. Find all possible people with your family name for free. When I searched for myself, it did a very good job of finding all my family members, as well as every place I lived at. All for FREE. I flipped out since I know those are standard security questions for all the credit reporting companies. That information combined with info on my resumes was just too much information. I used the obfuscated opt-out feature to remove my name as well as every single family members’.
    The news stories I read was that law enforcement is concerned that their co-workers can be targeted because the site includes current addresses. Since the site is free, there is no need to register or be tracked by a payment requirement.

  19. ghos

    People? You want to get rid off cynercrimes and fraud ??
    If you kill the snake you need to cut of the head !!
    Thats the only way to do it right way !!
    Rabbit hole goes deeep..

Comments are closed.