A Bulgarian hacker admitted on Monday his involvement in a $6 million tax fraud scheme using personally identifiable information stolen from the networks of several accounting firms.
Vanyo Minkov, 32, pleaded guilty in the US District Court of New Jersey to one count of conspiring to file false and fraudulent tax returns.
According to the FBI and the US Attorney for New Jersey, Minkov and others broke into the networks of at least four (unnamed) accounting firms and stole the 2011 tax forms of 1000 of the firms’ clients.
The hackers then used the stolen information to file fraudulent returns with the US Internal Revenue Service (IRS) for the 2012 tax year, or sold the information to others for the same purpose.
Minkov was extradited from Bulgaria to the US back in September 2013, after he was indicted by the FBI on charges that he orchestrated two international conspiracies involving computer crime and fraud.
In addition to the tax fraud scheme, Minkov allegedly obtained and sold payment card information from 100,000 accounts between July 2011 and April 2013, with total damages from the scheme estimated at $50 million.
The conspiracy to commit tax fraud charge that Minkov pleaded guilty to carries a maximum sentence of 10 years in prison and a fine of up to $250,000 or twice the gross gain from the offense.
However, the original indictment charged Minkov with four counts of crimes carrying a maximum penalty of up to 30 years in prison.
It’s not clear if the US Attorney intends to press ahead with the other charges against Minkov in the credit card fraud scheme.
In one sense, the tax fraud scheme was worse than the payment card fraud offense: if your card details are stolen, your bank or credit card company can freeze the account and issue a new card.
But tax forms contain personally identifiable information (PII) such as income, address and Social Security number that cannot simply be reissued, and that crooks can use to commit fraud in multiple ways, such as opening new credit card accounts in the victim's name.
The sensitive nature of PII held by the IRS, and the potential for tax fraud at a minimum, means the IRS has a duty to protect taxpayer information from hackers and fraudsters.
The IRS's online services have proved highly susceptible to exactly this kind of fraud, as we discovered in May 2015, when hackers used stolen PII to log in to the IRS's "Get Transcript" service and download historical tax filings for around 100,000 victims.
Because Get Transcript verified users with a weak form of authentication based on their PII, the same kind of information found in a stolen tax return, the hackers were able to pass the website's checks easily using stolen data.
As Naked Security writer Paul Ducklin noted, the IRS has a stronger form of authentication that requires an “Identity Protection PIN” (IP PIN).
The IP PIN, a six-digit number sent to taxpayers through the postal service, works as a form of two-factor authentication (2FA): because it is delivered out of band rather than taken from data on a tax return, stolen PII alone is no longer enough to access a taxpayer's account, which makes life much harder for hackers.
However, the IRS hasn’t made the IP PIN system available to all taxpayers.
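To make the difference between the two verification policies concrete, here is an added example in Python that is not part of the original article and does not reflect how the IRS actually implements Get Transcript or the IP PIN. It models a transcript service under two policies: PII-only knowledge-based checks, and PII plus an out-of-band IP PIN. The taxpayer record, the "stolen 2011 return", the PIN value and the lockout threshold of three failures are all constructed for the example; the point the code makes is that every answer the PII-only check asks for is already in the stolen data, and that a six-digit PIN (only a million possible values) needs a lockout or rate limit to hold up against guessing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data, not real taxpayer information: the fields a stolen
# 2011 return would hand an attacker, which are exactly the fields a PII-based
# verification step asks for.
STOLEN_2011_RETURN = {
    "ssn": "123-45-6789",
    "dob": "1980-04-02",
    "filing_status": "single",
    "street": "1 Example Street",
    "zip": "07102",
}

KBA_FIELDS = ("ssn", "dob", "filing_status", "street", "zip")
MAX_FAILURES = 3  # assumed lockout threshold; a six-digit PIN has only 10**6 values


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked table of PIN hashes is not trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    profile: Dict[str, str]                  # what the service knows about the taxpayer
    pin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: Optional[bytes] = None         # set once an IP PIN has been issued
    failures: int = 0
    locked: bool = False

    def enroll_ip_pin(self, pin: str) -> None:
        """Store the mailed IP PIN; the plaintext is never kept server-side."""
        self.pin_hash = _hash_pin(pin, self.pin_salt)


def kba_matches(account: Account, answers: Dict[str, str]) -> bool:
    """PII-only check: true whenever the caller knows the return's contents."""
    return all(
        hmac.compare_digest(account.profile.get(f, ""), answers.get(f, ""))
        for f in KBA_FIELDS
    )


def _record_failure(account: Account) -> bool:
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
    return False


def authenticate(account: Account, answers: Dict[str, str],
                 pin: Optional[str], require_pin: bool) -> bool:
    """Return True only if the request should be granted a transcript.

    require_pin=False models the PII-only login; require_pin=True models
    PII plus the out-of-band IP PIN, with lockout after MAX_FAILURES.
    """
    if account.locked:
        return False
    if not kba_matches(account, answers):
        return _record_failure(account)
    if require_pin:
        # Fail closed: an account with no PIN enrolled cannot be reached this way.
        if account.pin_hash is None or pin is None:
            return _record_failure(account)
        if not hmac.compare_digest(_hash_pin(pin, account.pin_salt), account.pin_hash):
            return _record_failure(account)
    account.failures = 0
    return True


def run_scenarios() -> Dict[str, bool]:
    """Replay an attacker holding stolen PII against both policies."""
    results = {}

    # Policy 1: PII-only verification. The stolen return answers every question.
    pii_only = Account(profile=dict(STOLEN_2011_RETURN))
    results["attacker_pii_only"] = authenticate(pii_only, STOLEN_2011_RETURN, None, require_pin=False)

    # Policy 2: PII plus IP PIN. The PIN went by post, so it is not in the stolen data.
    with_pin = Account(profile=dict(STOLEN_2011_RETURN))
    with_pin.enroll_ip_pin("482913")  # constructed PIN for the example
    results["attacker_with_pin_policy"] = authenticate(with_pin, STOLEN_2011_RETURN, None, require_pin=True)
    results["taxpayer_with_pin"] = authenticate(with_pin, STOLEN_2011_RETURN, "482913", require_pin=True)

    # Guessing the six-digit PIN: the account locks after MAX_FAILURES wrong
    # attempts, after which even the correct PIN is refused until it is unlocked.
    for guess in ("000000", "000001", "000002"):
        authenticate(with_pin, STOLEN_2011_RETURN, guess, require_pin=True)
    results["locked_after_guessing"] = with_pin.locked
    results["correct_pin_while_locked"] = authenticate(with_pin, STOLEN_2011_RETURN, "482913", require_pin=True)
    return results


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Running it shows the attacker granted under the PII-only policy, denied under the PIN policy, and the account locking once the guesses start. The hashes are compared with `hmac.compare_digest` so a wrong PIN is rejected in constant time; the lockout counter is the part that actually protects a short numeric secret, since a six-digit PIN without it falls to an online guessing attack.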
In a poll we conducted after the IRS compromise, 96% of respondents said “yes” to our question of whether the IRS should make IP PIN available throughout the US to any taxpayer who requests it.
Let’s hope the IRS has learned a solid lesson and gets going on implementing better anti-fraud measures before next tax season.
If you’d like to know more about IRS scams, you can listen to our podcast on the issue.