Journal of Financial Planning: March 2016
Cybercriminals continue to steal extensive amounts of personal data with alarming regularity. In testimony to the Senate Finance Committee on June 2, 2015, IRS Commissioner John Koskinen indicated that cyber thieves have access to “substantial volumes of data on millions of people.” [1]
If the plunder from several reported breaches was accumulated into one database, a sampling of its data could include:
- information about immediate family, personal, and business acquaintances; educational, health, criminal, financial, and romantic history; drug use; eye color; and fingerprints (U.S. Office of Personnel Management, 21.5 million people affected, including fingerprint records of 5.6 million people [2]);
- names, addresses, telephone numbers, Social Security numbers, birth dates, employment data, member identification numbers, and email addresses (Anthem, 80 million records breached);
- usernames and encrypted passwords (eBay, 145 million records breached);
- bank account information (Court Ventures, 200 million records breached);
- credit card information (Home Depot, 56 million records breached). [3]
Stolen data is often sold on the Internet “darknet.” Criminals monetize the stolen data by making unauthorized credit card purchases and filing false tax returns to acquire refunds. Thieves fraudulently obtain medical care, equipment, and prescription drugs, and the victims are billed and spend countless hours restoring their identity.
Last year’s cyberattack on the IRS “Get Transcript” site represents a step change in sophistication. IRS officials speculate that it was perpetrated to acquire personal and financial data for future attacks. While the breach involved only 610,000 taxpayers [4], it indicates the potential to impact millions more and extend far beyond the IRS, because cybercriminals penetrated a security protocol common in the financial services industry. Personal investments appear to be a future target. When that occurs, victims are unlikely to recover their assets.
This article (1) explains the nature and significance of the IRS breach and the reason for immediate concern; (2) illustrates the ease with which relevant personal data can be found in cyberspace; (3) discusses the implications of theft of personal assets; and (4) recommends steps for creating more effective responses to security questions. Financial planners are ideally positioned to communicate these recommendations to their clients.
The IRS “Get Transcript” Breach
Individuals use an authentication process to access financial information from a financial institution. To enter a website from a non-authenticated computer, one step requests a pre-established username and password followed by a security question (for example, what is your mother’s maiden name?). To access by phone, one often enters a Social Security number and answers a security question asked by a representative.
Per IRS Commissioner Koskinen’s testimony, the IRS’ Get Transcript website permitted a taxpayer to acquire prior-year tax information, or transcript, by entering their Social Security number, birth date, tax filing status, home address, and email address. The IRS then sent a confirmation code via email that was required to access the site and request a transcript. However, before the request was processed, the taxpayer had to answer several “out-of-wallet” questions—the answers would not be found in a stolen wallet—designed to elicit information normally known to only the taxpayer, for example, the amount of a monthly mortgage payment.
From November 2014 through mid-May 2015, approximately 610,000 suspicious attempts were made to access information on the Get Transcript site, and 330,000 were successful [5], a 54 percent success rate. Commissioner Koskinen emphasized that the unauthorized attempts were “complex and sophisticated” and used personal information obtained from sources outside the IRS (including answers to out-of-wallet questions). Criminals breached the IRS’ extra layer of protection. Equally troubling is that in his June 2, 2015 written testimony, Koskinen said the Get Transcript application’s authentication process of using out-of-wallet questions is standard within the financial services industry.
An Experiment in Security
What are these out-of-wallet security questions, and are they safe? We located sample questions from academic literature, non-copyrighted websites, and sites that granted the use of questions without citation. Most questions could be classified into eight categories. Here are the categories followed by an example question:
- Relatives’ names: What is your mother’s maiden name?
- Non-relative names: What is your current best friend’s name?
- Addresses: In what city did your parents meet?
- Dates: In what year was your mother born?
- Education-related: What was the name of your elementary school?
- Favorites: What is your favorite sports team?
- Firsts: Who was your first employer?
- Miscellaneous: What is your library card number?
To evaluate the efficacy of these types of questions, we selected the name of a known person and sought to uncover the answers to 75 randomly selected security questions about that individual from online information. The subject had no online social media presence, including Facebook.
In about 10 hours of searching the web without data mining software, the answers to 17 questions were located, and the answers to four questions were deduced. All 21 correct answers (28 percent of the questions) were corroborated by the subject. If the subject used social media, the detection rate would have likely been higher.
As this experiment illustrates, the answers for many out-of-wallet questions are available in cyberspace from such common sources as genealogy, classmates and real estate sites; Census data; obituaries; and the Social Security Death Index.
Implications to Financial Institution Customers
If these security questions are representative of those used by financial institutions, an individual’s personal assets—IRAs, 401(k)s, brokerage accounts, etc.—are becoming more vulnerable to cyber theft.
Generally, financial institutions are not liable for a customer’s financial loss if an account is breached by criminals. The customer bears responsibility for secure authentication data.
For example, Vanguard promises to “reimburse the assets taken from your account in an unauthorized transaction” only if you followed at least nine security requirements, and emphasizes “you are fully responsible for all activities occurring under your accounts, username, logins, passwords, and security questions and answers that result from your negligence, carelessness, misconduct, or failure to use or maintain appropriate security measures. …Vanguard will not be liable for any loss… .” [6]
And T. Rowe Price’s customer agreement states: “You will not hold T. Rowe Price responsible for any loss … even if an unauthorized person is able to access your account … (for example, if someone learns your identifying information). You agree to accept responsibility for protecting the confidentiality of your username, password, and other information necessary to access your account.” If an unauthorized disbursement occurs, their goal will be to recover the funds, and each situation is handled on a case-by-case basis, and “in the event that the funds cannot be recovered in full, potential responsibility will be evaluated by T. Rowe Price based on the circumstances… .” [7]
Media reports indicate that stolen assets are often wired to foreign countries, including Russia and China; thus, recovery may be doubtful.
Usually the complexity of passwords (a required number of characters, uppercase and lowercase letters, numbers, and symbols) offers better authentication defense than a one-word answer to a security question. Because the second line of defense is weaker than the first line of defense, the selection of a question—with its related answer—requires careful consideration.
Generally, security experts contend that the best questions are those whose answers contain most of these characteristics:
- Easy to remember
- Don’t change over time
- Have many possible answers
- Are difficult to locate by data mining (for example: where were you when you had your first kiss?)
Less secure questions and answers contain fewer of these characteristics—for example: what is your mother’s maiden name? And many experts agree that even the “best” security question and answer is penetrable. So how can individuals improve their online security? Initial actions include:
- Rethink your cyber-footprint. Should you cleanse your personal data from the Internet, for example, Facebook?
- Review your financial institution’s user agreements. If advice is provided about selecting and answering security questions and answers, comply with it.
- Review your existing security questions and answers. Do they contain a sufficient number of “good” characteristics?
- Avoid using questions about your family. The answers to these questions may be easy to uncover using publicly available information.
Are these actions sufficient? In his written testimony, IRS Commissioner Koskinen warned: “As criminals obtain more personal information, authentication protocols need to become more sophisticated moving beyond information that used to be known only to individuals but now, in many cases, is readily available to criminal organizations from various sources.”
This raises the question: should security questions be answered correctly? It appears ill-advised to do so. Rather, answer a question with an inaccurate response. For example, if a question asks for the street of your childhood home, select a street that does not exist in that city. If asked for the name of your elementary school, answer with the name of a school in a far-away state that you did not attend.
Because passwords are seen as more secure than security questions and answers, should security questions be answered with a password-type response? Consider these actions:
- Create a memorable non-existent name (for example, “KdiepQizThe16th”) to respond to a “name” question.
- Create a password to answer any question in a specific category. For example, if a question deals with an address (a street, city, or state) a password may contain elements of all three, such as “1856-Staf-Hatb-Kent-28262,” which is the first four letters and zip code of the fictitious address, 1856 Stafford Street, Hatboro, Kentucky 28262.
- Test your new password. Google the password to ensure it is random and unique. Criminals employ software that attempts many passwords and searches for dictionary words or common number sequences.
- Never use the same password or security question for any other site.
- Revise these password-type responses routinely.
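The "test your new password" step above can be done locally before any web search. The following Python script is an added example, not code from the article or its authors: it builds the article's category-style address response and then screens a candidate answer for the weaknesses the article says guessing software looks for (short length, embedded dictionary words, sequential or repeated runs such as "1234" or "abcd") plus a naive entropy estimate. The small word list, the 12-character minimum and the 50-bit threshold are assumptions chosen for illustration; a real check would use a full dictionary.

```python
"""Local screening of password-style security-question answers (added example)."""
import math
import re

# Constructed stand-in for a real word list (assumption for this example).
DICTIONARY = {
    "password", "street", "stafford", "hatboro", "school", "mother",
    "friend", "main", "smith", "summer", "winter",
}

MIN_LENGTH = 12      # assumption: anything shorter is treated as weak
MIN_BITS = 50        # assumption: naive entropy floor in bits
SEQ_RUN = 4          # characters in a row that count as a sequence


def address_response(number, street, city, state, zip_code):
    """Build the article's category-style answer for an address question:
    street number, first four letters of street, city and state, then zip."""
    return "-".join([str(number), street[:4], city[:4], state[:4], zip_code])


def dictionary_words(answer, min_len=4):
    """Alphabetic tokens of the answer that appear in the word list."""
    tokens = re.findall(r"[a-z]+", answer.lower())
    return [t for t in tokens if len(t) >= min_len and t in DICTIONARY]


def sequence_runs(answer, run=SEQ_RUN):
    """Windows of `run` characters inside a digit or letter group whose code
    points step uniformly by +1, -1 or 0 (e.g. '1234', '4321', 'abcd', '1111')."""
    found = []
    for group in re.findall(r"\d+|[a-z]+", answer.lower()):
        for i in range(len(group) - run + 1):
            window = group[i:i + run]
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if len(steps) == 1 and steps.pop() in (-1, 0, 1):
                found.append(window)
    return found


def entropy_bits(answer):
    """Naive estimate: length * log2(size of the character classes used)."""
    pool = 0
    if re.search(r"[a-z]", answer):
        pool += 26
    if re.search(r"[A-Z]", answer):
        pool += 26
    if re.search(r"\d", answer):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", answer):
        pool += 33  # printable ASCII punctuation
    return len(answer) * math.log2(pool) if pool else 0.0


def evaluate_answer(answer):
    """Return (ok, issues) for a candidate password-style security answer."""
    issues = []
    if len(answer) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    words = dictionary_words(answer)
    if words:
        issues.append("contains dictionary words: " + ", ".join(words))
    runs = sequence_runs(answer)
    if runs:
        issues.append("contains sequential/repeated runs: " + ", ".join(runs))
    bits = entropy_bits(answer)
    if bits < MIN_BITS:
        issues.append(f"estimated entropy {bits:.0f} bits is below {MIN_BITS}")
    return (not issues, issues)


if __name__ == "__main__":
    # The article's two sample answers and one deliberately weak one.
    candidates = [
        address_response(1856, "Stafford", "Hatboro", "Kentucky", "28262"),
        "KdiepQizThe16th",
        "Stafford1234",
    ]
    for c in candidates:
        ok, issues = evaluate_answer(c)
        print(f"{c!r}: {'OK' if ok else 'WEAK'} {issues}")
```

Both of the article's sample answers pass this screen, while "Stafford1234" is rejected for the dictionary word and the "1234" run. Because the check runs entirely on the local machine, the candidate answer is never sent to a third party during testing.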
The security question and answer protection offered to customers differs by financial institution. Some accommodate the use of a limited number of characters; others accept more. Some forbid the use of numbers or symbols or require accurate answers. Evaluate your financial institution’s commitment to customer security, and consider a change in institutions if necessary.
Consider maintaining an offline security log to document your security actions. It may provide evidence of your ongoing security commitment and diminish a future allegation of lax security.
This article focuses on only one weakened element of authentication security. Many security measures are offered by financial institutions. Consider using all of them. If not, will it be de facto evidence of a failure to maintain adequate security? Savvy financial planners and their clients will recognize an escalating threat to their financial accounts and take immediate actions to improve security.
Alan R. Sumutka, CPA, CGMA, is an associate professor of accounting at Rider University in Lawrenceville, N.J.
Andrew M. Sumutka, Ph.D., is an associate professor of decision sciences at York College of Pennsylvania in York, Penn.
1. See “Written Testimony of Commissioner Koskinen on Unauthorized Attempts to Access Taxpayer Data before Senate Finance Committee,” at www.irs.gov/uac/Written-Testimony-of-Commissioner-Koskinen-on-Unauthorized-Attempts-to-Access-Taxpayer-Data-before-Senate-Finance-Committee.
2. See “Government Personnel Cyber Breach Worse than Previously Thought,” by Damian Paletta, published September 24, 2015 in The Wall Street Journal.
3. See the infographic of the world’s biggest data breaches compiled by Information Is Beautiful from various sources at www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks.
4. See “Additional IRS Statement on the ‘Get Transcript’ Incident,” posted August 17, 2015 at www.irs.gov/uac/Newsroom/Additional-IRS-Statement-on-the-Get-Transcript-Incident.
5. See “IRS Says Cyberattacks More Extensive than Previously Reported,” by John D. McKinnon and Laura Saunders, published August 18, 2015 in The Wall Street Journal.
6. See Vanguard’s online fraud policy at https://personal.vanguard.com/us/help/SecurityOnlineFraudPledgeContent.jsp, and “Your Account” information at https://personal.vanguard.com.
7. See the customer agreement in the T. Rowe Price help center at http://individual.troweprice.com/public/Retail/hUtility/Policies-&-Security/Customer-Agreement?callsource=RPS_Part.
Editor's Note: On February 26, 2016, the IRS revised prior statistics on this incident and reported that from January 2014 through May 2015, hackers attempted to access 1.3 million taxpayer accounts and were successful in breaching 724,000 accounts (see "IRS Statement On 'Get Transcript'" at www.irs.gov/uac/Newsroom/IRS-Statement-On-Get-Transcript).