Cybersecurity Issues

Tax Return Identity Theft

Honest Americans file carefully prepared and well-documented tax returns every year, often wondering if they will be caught by some minor mistake and hauled in front of an audit. Because of the volume of returns handled by the IRS, the chance of one particular tax return being selected for extra scrutiny is a long shot. The Internal Revenue Service projects that by 2018, 253.5 million returns will be filed, with 159,761,200 of them filed electronically—an increase of 2.5% each year while paper returns will continue to dwindle. (http://www.irs.gov/pub/irs-soi/12rswinbulreturnfilings.pdf). Whether or not tax returns are filed electronically or on paper, thieves are becoming more adept at stealing the identities of taxpayers and using that information to file fraudulent returns. The IRS estimates that 404,000 taxpayers were victimized between 2009-2011 and they expect the problem to get worse. The IRS is making efforts to stem the tide and has doubled the number of agents handling identity theft to 3,000—doubling in number from 2011 to 2012. The IRS has also taken other steps to combat ID theft, such as by testing a program in Florida in which victims can authorize the IRS to share tax information with law enforcement, by expanding the Identity Protection Personal Identification Number program, which offers another layer of protection to victimized tax payers, and by conducting ID theft sweeps, which have led to 298 indictments in January 2013.

Fraudulent tax return identity theft can originate from many sources: social security numbers and other data are skimmed from medical databases, automobile dealerships and other businesses. Thieves simply use that data to create their fake returns, get a debit card to have the refunds sent to, and walk away with the cash. Since the IRS doesn’t verify the refund until after the check is cut, the thieves are long gone and the money spent before any investigation can begin. In addition to data thieves, the criminal element uses websites that purport to be tax preparers, but are people simply gathering data freely sent to them. Alarmingly, another source of fraudulent tax returns originate from inside prison walls. Prisoners, with the help of crooked tax preparers and family on the outside, work together to steal data, prepare false returns and route the filings through family on the outside. Once the refund is received, the proceeds are split amongst the partners (Ellis, 2013).

As frightening as the high numbers of thefts are, let’s examine what happens to the individual victimized by fraud. The problem is not just that they have been compromised and robbed, but now the burden is upon the victim to prove that they are who they say they are, produce supporting documentation, file forms, spend hours on the phone with IRS agents, and sometimes endure several years of help from the government to untangle their financial mess. In addition, the victims become red flags for IRS audits. In one case, the victim submitted ten years’ worth of returns to the IRS to prove their identity only to result in an audit—and a $900 fee from the IRS (Linn, 2012).

The problem will continue to grow, and as the IRS and taxpayers develop more safeguards, the thieves will find even more ways to exploit them. In 2012, the IRS issued refunds totaling $4 billion to ID thieves and other fraudsters. As much as the IRS touts its efforts in fighting tax fraud, it’s amazing that just last year, the IRS sent 655 tax refunds to a single address—in Lithuania—and didn’t realize it. (Associated Press, 2013) Cybersecurity safeguards are one defense, educating taxpayers in ways to protect their identities is another, but simple human vigilance and creative thinking is the best defense against those who make a living out of staying one step ahead of honest citizens.

 

Internet of Things

The Internet has evolved from bulletin board services and static websites accessible via phone lines to interactive sites, mobile sites, social sites, and streaming sites. We are now at the point where the Internet interacts with not only humans, but also the tools that they use. This new phase of the digital evolutionary process is known as the Internet of Things (IoT). Technology evolves haphazardly. Unlike the “Internet of the Internet,” which developed with communications standards before its wide release, the IoT is being developed by the private sector, company by company, increasing the likelihood of vulnerabilities. (Proffitt, 2013). As the IoT becomes more useful it will naturally lead to more commerce. Brian Proffitt, writing for ReadWrite.com, coins the term, “The Internet of Getting Things.” This will lead to the integration payment solutions, such as PayPal, opening the door for further fraud.

Another interesting, and maybe overlooked, aspect of the Internet of Things is that it is made up of physical parts. Stealing data is something that can be accomplished from afar and doesn’t take up space. However, with the Internet of Things, the actual device is vulnerable. Like a part of a great machine, not only is the data and the forms of communication it employs vulnerable, but a person could break in and walk out with your “Internet.” This also makes the data at rest more easily accessible. This may now allow the thief to control the data in transit as well. (Hess, 2014)

How big of a problem could this be? According to Gartner, by 2020, there will be 7.3 billion smartphone/tablet/PC units. There will be 26 billion IoT units. (Barker, 2013).

IoT is not simply machines connected to the Internet, but devices that have the ability to do something on their own. For example, an IoT device that can monitor its maintenance needs, order the needed replacements, notify a human to replenish it via email or text, and deliver a final product, all without the commands of humans. This certainly isn’t a new concept. The Internet of Things has been envisioned for decades. One example is “The Brain Center at Whipple’s,” a 1964 episode of The Twilight Zone, in which a factory owner replaces his employees with automation, until he, himself is replaced. When we give up control, we give up freedom. (Internet Movie Database, n.d.) Criminals are just getting starting in their exploitation of IoT. We may reach a point where we expect our devices to “just figure it out on their own.”

The Security-as-Service company, ProofPoint, issued a report stating that more than 750,000 malicious emails were sent out by more than 100,000 consumer devices—including a refrigerator. The attacks occurred between December 23, 2013 and January 6, 2014, and are purported to be the largest—and first—widespread use of the IoT to launch cyber attacks. (ProofPoint, 2014).

The Internet of Things opens up a new realm where cybersecurity professionals can employ their skills and knowledge to thwart attacks launched by devices. Informing the public about the need to secure their devices will be a difficult task. Even after two decades of the Internet being a part of daily life, many people have no interest in taking even basic precautions to protect their data. It will be even harder to convince them that their toaster is at risk of being remotely controlled for evil as a mechanical “Manchurian Candidate.”

 

Changing School Grades and Test Scores

Years ago it was an easy matter to change school grades. A report card would come in the mail, the student would find a pen with matching ink color and turn that D into a B before mom and dad got home. It’s not that easy now. Grades are recorded electronically and stored securely right at school. Or, are they? One case in point: a dozen students at Corona del Mar High School in California discovered a way to change their grades. The students used a keystroke logger supplied to them by a private tutor (whereabouts unknown) who even instructed the students on its use. With this device, they were able to gain access to grades and to tests. Bad behavior for sure, but does society view them as such? Apparently not. A fellow student was impressed with their resourcefulness: “I think it’s pretty cool. I know Bill Gates, I believe, used to hack into classes and put himself in the class with the most women in it when he was in high school. So I think it takes a lot of aptitude to be able to get into the system.” (Lustig, 2013)

The students are still facing the possibility of expulsion, according to statements made by Orange County school officials. (Fry, 2014)

The problem isn’t new, and the schools haven’t learned from their mistakes. Potomac, Maryland’s Churchill High School was the victim of grade changers in 2010. In that case, students allegedly used a computer program to capture passwords. With access, they were able to change their grades —and even offered other students the opportunity to improve their academic standing. (Bimbaum and Johnson, 2010).

Maybe the problem isn’t simply the evil intent on the part of the students, but how acceptable the practice is. As quoted above, some people think it’s perfectly acceptable to “pull one over on the man.” Indeed, there are even instructions online as to how to accomplish the deed. (Wikihow, “How to Hack Into a School Computer.”) The underlying problem in school grade data breaches is a matter of societal acceptance. Some would see this a method of righting a perceived wrong, or giving power to the people. However, theft of data, like any theft, is a crime, and the perpetrators should be held accountable for their actions and the institutions should learn from these examples and build in better safeguards.

 

Rent-A-Hacker

The Internet is a great place to find those hard-to-find items. eBay began as a source to find Pez dispensers, and of course, Craigslist is great for used furniture, bicycles, and hitmen. It also seems the Internet is a good resource for finding hackers for hire. People with necessary skills to uncover lost data, get the goods on adulterers, or plant malicious data, are in great demand. A blog poster on MakeUseOf.com asks the question: “Where can I find a hacker to erase my criminal record?” The responses reasonably suggested reputation management methods and even certain places to avoid looking (HackForums, go4experts). There are 75 hackers for hire on PeoplePerHire.com. They tout themselves as “ethical hackers,” “penetration testers,” and even “copywriters.” (Rich, 2011). What else could a rent-a-hacker be used for? NeighborhoodHacker sells their service as hacking for good. If data has been compromised, then NeighborhoodHacker can come to the rescue. Not all hackers are working for the public good, however. (NeighborhoodHacker, n.d.)

Just like fake tax preparers, fake “good hackers” are ready for you to walk right in. It’s very easy for a bad hacker to gain access to computer systems simply because they were invited to do so. This leads to the problem of securing security. Unfortunately, many people and companies have no clue how to do this and are even less interested in finding out. Once they feel they are compromised and hire outside help they open themselves up to further trouble and even industrial espionage. (Graff, n.d.)

Rent-A-Hackers are not isolated to America. In 2010, “Operation Hangover,” a cyber espionage campaign “franchised” and attacked industrial entities around the world. After forensic examinations, it was determined that the attacks originated in India.

Operation Hangover employed freelance programmers to write code for the malicious software. As some of these attempts show signs of success, it gives impetus to careers in hacking in developing nations. (Raza, 2013).

Companies need to be very careful when considering hiring hackers. Even if a black hat hacker has served time and returns reformed, can they be sure that he is? Can one be sure that if he is reformed in one area of bad hacking that he wouldn’t be tempted to engage in other forms? Some would consider this analogous to hiring a pedophile to audit a day care center. Hiring a hacker requires vigilance on the part of the party doing the hiring. The hacker must be monitored constantly and held legally accountable. This could be more effort than many companies are willing to make. (Schinder, 2010)

 

Cyber Plagiarism

Not unlike the theft of data, or the theft of money or possessions, theft of one’s ideas is criminal as well. Plagiarism is an art that has been practiced for years. Revelations of plagiarism have tarnished the reputations of many people. One of the most famous cases was that of then-Senator Joe Biden, during his 1988 presidential run. Senator Biden admitted to plagiarizing at Syracuse Law School—and also in a speech, in which he lifted words from British Labour Party leader, Neil Kinnock. (Dionne, 1987). Fast-forward to today. Senator Biden relied on videotape and printed books in order to commit his acts of plagiarism, but Senator Rand Paul (R-KY) simply used the Internet and copied some information from Wikipedia, cited a passage from the movie, Gattaca. (Eddlem, 2013).

Cyber plagiarism vigilantes are always on the lookout for misuse from politicians and other celebrities. Simply entering a suspected phrase in Google will oftentimes reveal evidence of plagiarism, enabling political adversaries to easily catch their opponent in a “gotcha moment.”

Cyber plagiarism goes beyond the theft of words. With the aid of digital technology, it is an easy matter to steal photos, videos, audio, design, and even basic computer code. The copyright-watching blog, Myows, cites numerous examples of cyber plagiarism. One of the most common forms of cyber plagiarism is lifting images off of Google. (Guedy, 2013).

I have personal experience with this. As a freelance web and print designer, I have often been asked to “grab something off of Google.” For example, I developed a website for a marine repair company. I asked the client to send me photos of his work. I received several great-looking photos and asked him how he took such good photos. “I grabbed some images from the Google. They look good don’t they,” was his response. I explained to him that I would not use those photos and he would have to send his own work or work that he had permission to use. He did so, the site was completed, but the images were not as good as the professional shots found on Google.

Stealing images off of Google is so easy and pervasive; it is nearly impossible to track it. However, there’s an app for that. Tineye (www.tineye.com) is one online service that allows users to upload an image that Tineye then checks for other uses, other resolutions, etc. Termed a “reverse search engine,” Tineye can be used by photographers and designers to find out where their images have been used. (Guedy, 2013)

Shepard Fairey, a New York artist was convicted of copyright infringement and fined $25,000 when it was discovered that he created his famous Obama “Hope” poster by basing it on a 2006 photo belonging to the Associated Press. (Ng, 2012). Fairey fought hard against the suit, claiming artistic fair-use freedom, but the AP prevailed.

Plagiarism even gets down to the binary level. In 2013, two stock traders were arrested for stealing—and emailing each other—computer code containing secret algorithms, belonging to their previous employer, Flow Traders. However, the Manhattan District Attorney’s office admits that current laws are outdated and haven’t kept up with crimes committed on the digital frontier. They are working to change that. (Matthews, 2013).

Cyber plagiarism and copyright infringement is a growing problem that many people just do not understand, nor do they care to. Because of the ease and the perceived anonymity of using the Internet, many people believe it is quite acceptable to just “grab something from the Google,” or lift a few paragraphs from Wikipedia. Current laws are slow to keep pace with new forms of cyber crime, but the private sector is working on many methods, such as Tineye, that will aid prosecutors and those who fear they have been plagiarized. On the flip side, a writer can check his own work to make sure he is not violating the law, even by accident. In fact, I checked this paper on Grammarly (www.grammarly.com) and it verified its originality.

By Jeffrey P. Macharyas, January 18, 2014

 

References

Ellis, B. (2013, January 31). Prisoners rake in millions from tax fraud. CNNMoney. Com. Retrieved January 15, 2014 from http://money.cnn.com/2013/01/17/pf/taxes/prisoner-tax-fraud/index.html?iid=EL
Linn, A. (2012, March 21). For identity theft victims, paying taxes is a nightmare. Today.com. Retrieved January 15, 2014 from http://www.today.com/money/identity-theft-victims-paying-taxes-nightmare-505672
Internal Revenue Service (2013, March). IRS Combats Identity Theft and Refund Fraud on Many Fronts. irs.gov. Retrieved January 16, 2014 from http://www.irs.gov/uac/Newsroom/IRS-Combats-Identity-Theft-and-Refund-Fraud-on-Many-Fronts
Associated Press (2013, November 7). Report: IRS Refunded $4 Billion to Identity Thieves. MoneyNews.com. Retrieved January 17, 2014 from http://www.moneynews.com/StreetTalk/IRS-Identity-Theft-Refund/2013/11/07/id/535441
Proffitt, B. (2013, December 27). ReadWrite.com. The Internet of Things In 2014: Steady As It Goes. Retrieved January 17, 2014 from http://readwrite.com/2013/12/27/2014-will-see-small-moves-towards-internet-of-things#feed=/tag/internet-of-things&awesm=~otcGGfFBEfRwL1
Hess, K. (2014, January 16). ZDNet.com. Machine to Machine Communications and the Security of Things. Retrieved January 17, 2014 from http://www.zdnet.com/machine-to-machine-communications-and-the-security-of-things-7000025228/
Barker, C. (2013, December 13). ZDNet.com. Internet of Things Will Dwarf Number of PCs, Tablets and Smartphones. Retrieved January 17, 2014 from http://www.zdnet.com/internet-of-things-devices-will-dwarf-number-of-pcs-tablets-and-smartphones-7000024229/
Internet Movie Database. (n.d.) The Brain Center at Whipple’s (15 May 1964). imdb.com. Retrieved January 17, 2014 from http://www.imdb.com/title/tt0734633/
Proofpoint, Inc. (2014, January 16). ProofPoint Uncovers Internet of Things (IoT) Cyberattack. Proofpoint.com. Retrieved January 17, 2014 from http://www.proofpoint.com/about-us/press-releases/01162014.php
Lustig, J. (2013, December 19). Calif. Students Allegedly Hacked Into School Computers to Change Grades. Latimes.com. Retrieved January 17, 2014 from http://abcnews.go.com/blogs/headlines/2013/12/calif-students-allegedly-hacked-into-school-computers-to-change-grades/
Birnbaum, M & Johnson, J. (2010, January 29). Students at Potomac School Hack Into Computers; Grades Feared Changed. Washingtonpost.com. Retrieved January 17, 2014 from http://www.washingtonpost.com/wp-dyn/content/article/2010/01/28/AR2010012803494.html
Wikihow (n.d.). How to Hack Into a School Computer. Wikihow.com. Retrieved January 17, 2014 from http://www.wikihow.com/Hack-Into-a-School-Computer
Fry, H. (2014, January 15). O.C. Students Accused of Hacking, Changing Grades Face Expulsion. Latimes.com. Retrieved January 17, 2014 from http://www.latimes.com/local/lanow/la-me-ln-school-hacking-20140115,0,7060713.story – axzz2qhbIXZGX
Rich. (2011, August 28). Where Can I Find a Hacker to Erase My Criminal Record? Makeuseof.com. Retrieved January 17, 2014 from http://www.makeuseof.com/answers/find-hacker-erase-criminal-record/
NeighborhoodHacker (n.d.). Hackers For Hire—Online Hacker For Hire Protection. Neighborhoodhacker.com. Retrieved January 17, 2014 from http://neighborhoodhacker.com/
Graff, M. (n.d.) Don’t Hire Hackers. Please. Markgraff.com. Retrieved January 17, 2014 from http://www.markgraff.com/mg_writings/NoHackers.pdf
Raza, A. (2013, July). Espionage-For-Hire Operation Hangover Unveils New Indian Cyber Threats. Hacksurfer.com. Retrieved January 17, 2014 from http://www.hacksurfer.com/articles/espionage-for-hire-operation-hangover-unveils-new-indian-cyber-threats
Schinder, D. (2010, August 10). Hiring Hackers: The Good, the Bad, and the Ugly. Techrepublic.com. Retireved January 17, 2014 from http://www.techrepublic.com/blog/it-security/hiring-hackers-the-good-the-bad-and-the-ugly/#.
Dionne, Jr., E. (1987, September 18). Biden Admits Plagiarism in School But Says It Was Not ‘Malevolent’. Nytimes.com. Retrieved January 17 2014 from http://www.nytimes.com/1987/09/18/us/biden-admits-plagiarism-in-school-but-says-it-was-not-malevolent.html?pagewanted=all&src=pm
Eddlem, T. (2013, November 13). Rand Paul’s Plagiarism Scandal Explained. Thenewrepublic.ocm. Retrieved January 17, 2014 from http://www.thenewamerican.com/usnews/politics/item/16933-rand-paul-s-plagiarism-scandal-explained
Guedy, M. (2013, March 28). Don’t Steal Images Off Google. Myows.com. Retrieved January 17, 2014 from http://myows.com/blog/dont-steal-images-off-google/
Ng, D. (2012, September 8). Shepard Fairey Sentenced to Probation, fine in Obama ‘Hope’ Case. Latimes.com. Retrieved January 17, 2014 from http://articles.latimes.com/2012/sep/08/entertainment/la-et-cm-shepard-fairey-20120908
Matthews, C. (2013, Ocrober 7). Three Men Indicted in Computer-Code Theft Probe. wsj.com. Retrieved from http://online.wsj.com/news/articles/SB10001424052702303442004579121673480053850