With the beginning of 2021 comes the start of 2020 tax season as well. While some people may wait until the middle of April to prepare their tax returns, cybercriminals are already gearing up to start targeting this sensitive data. Securing your tax data requires an understanding of the potential threats and best practices for protecting it.

The Value of Tax Return Data

Tax returns provide a wealth of valuable information for a cybercriminal. Obviously, access to a tax return from a previous year makes it possible to perform tax fraud for the current year. However, tax returns also contain a wealth of other data that can be used for fraudulent purposes, such as:

• Personal Data: A tax return contains your full name, address, social security number (SSN), and similar personal data. This information is enough to perform tax fraud or to open up a credit card or bank account.

• Spouse and Dependents: As part of filing joint taxes or claiming dependents, it is necessary to provide similar data for them as well. This potentially exposes them to the same tax and financial fraud. Additionally, this information can be used for spear phishing attacks or to try to guess your login passwords for online accounts (which hopefully aren’t based on kids’ names, birthdays, etc….)

• Financial Data: A tax return provides an in-depth look at your current financial status. This information could be used to inform ransomware attacks (how much are you able to pay in ransom?) or to help identify the banks that you use so that “you” can call after “forgetting” your password. Many of the answers to your security questions are also included in the return.

• Charitable Donations: Your tax returns may include information regarding charitable donations that you have made this year. This information may be used to impersonate you when communicating and scamming a charity.

The information contained within a tax return is highly sensitive and can be misused in a number of different ways. It is vital to ensure that this data is properly protected against unauthorized access and exposure to cybercriminals.

How Cybercriminals Get Your Tax Returns

The data contained within a tax return is extremely valuable to a cybercriminal. For this reason, they are willing to put in the effort to steal it using a variety of different techniques:

• Phishing Emails: Phishing is the most common type of cyberattack, and it works well for this type of scam. If a phisher impersonating the IRS, your bank, or a similar institution can convince you to hand over login credentials or a copy of your return, then the attacker has everything that they need.

• Vishing: Voice phishing or “vishing” is phishing over the phone. The same techniques apply here as well (and over social media, in person, etc.). The attacker will pretend to be someone in authority and try to talk you into providing sensitive data.

• Malware: Some forms of malware are specifically designed to search for and steal financial data from a computer. These malware can look for copies of tax returns on your computer and send the entire return or extracted high-value data to the attacker.

Anyone who contacts you and tries to get you to provide information about your tax return over the phone. Always verify the authenticity of a request by contacting the alleged requestor through official channels such as the email or phone number listed on an official site (like irs.gov).

Protecting Your Personal Data

Tax season is one of the times of highest activity for cybercriminals and scammers. To keep your data safe, take the following simple steps:

• Watch Out for Scammers: Social engineering (including phishing, vishing, and more) is a common way to steal tax return data. Always verify requests before providing any information.

• Use an Antivirus (AV): A malware infection can allow a cybercriminal to steal your personal data or cause other damage to your computer. Keep your AV up to date and run it regularly to help detect and remove malware from your computer.

• Use a File Encryption Solution: Files stored unencrypted on your computer can be stolen by malware and other means. A file encryption solution like GhostVolt ensures that an attacker can’t use the data in your tax return even if they steal the file.

Credential stuffing and similar attacks are made possible by cybercriminals with access to large lists of common and breached passwords. But how do these cybercriminals get these lists of passwords to try? Two of the main methods are via phishing attacks and data breaches.

Phishing Attacks

Phishing attacks are the easiest way for cybercriminals to gain access to account credentials. If a phishing page tricks you into entering your username and password, then these credentials are sent straight to the attacker. They can then add them to a list of credentials for sale on the Dark Web or keep them for their own personal use.

Inside a Data Breach

Data breaches have become a fact of daily life. In the US alone, 1,473 data breaches were reported in 2019. This averages to 4 breaches and over 450,000 breached records per day.

In many of these breaches, passwords are listed as part of the exposed data. However, most organizations don’t store their users’ passwords. This would make it far too easy for an attacker or a malicious insider to steal the master password file and use it to gain illegitimate access to user accounts.

Instead, when data breaches talk about passwords being breached, they are actually talking about leaked password hashes. Hash functions are cryptographic operations with a few useful properties:

• One-Way Function: It is impossible to calculate the input to a hash function from the corresponding output.

• Collision-Resistance: It is very difficult to find two inputs that produce the same output.

• Deterministic: Hashing the same input always produces the same output.

These properties make hashes an ideal way to store password data. Instead of storing a list of passwords (which can be abused), a list of hashes is stored instead. When verifying users, if the hash of the password that they provide matches the one on file, then they are likely to have provided the correct password. However, if the password hashes are leaked, then an attacker still doesn’t have the original password.

From Password Hashes to Breached Passwords

If password hashes are so secure, then how do data breaches lead to passwords being offered for sale on the Dark Web? This mainly happens when someone has made a mistake.

The less common reason for this is that the breached service is not storing passwords securely. If passwords are not appropriately hashed or are using a broken hash algorithm (like MD5 or SHA1), then an attacker may be able to break the hash and determine the user’s credentials. This isn’t the most common reason that passwords get broken, but it does happen.

More commonly, the fault is on the side of the user. An attacker can take a “guess and check” approach to breaking passwords by hashing potential passwords and comparing them to breached password hashes. If the hashes match, then the attacker has found the right password.

This is what makes the use of weak and reused passwords so dangerous. If a password is easily guessable (based off of a word, pattern, etc.), then password cracking tools will easily be able to identify it in a list of breached password hashes. Once this occurs, the attacker is able to sell the breached password rather than just the hash.

How The Good Guys Are Fighting Back

Most people don’t know when they’ve been the victim of a data breach. For this reason, many online services have incorporated breach notifications. This means that, if you try to log into an account that has been breached or using a breached password, the service will notify you and help you reset the password. In most cases, these breach notifications are driven by HaveIBeenPwned, a site that collates this data and allows people to determine if their data has been breached.

These services work because they use the same tools and techniques as malicious attackers. Cybersecurity researchers search the Dark Web for lists of credentials that have been publicly posted or offered for sale. Any password hashes that they collected can then be subjected to password cracking to determine whether or not they are likely to be broken by attackers. This is where the lists of the “most commonly used passwords” come from.

Applications like GhostVolt also use HaveIBeenPwned to help protect people from reusing breached passwords. When setting a password on GhostVolt, the password is automatically checked against HaveIBeenPwned’s list of breached passwords. If a match is found, GhostVolt will not allow the use of this weak password. While this may seem inconvenient, it is essential to protecting the security of your GhostVolt account.

Protecting Your Online Accounts

If you are notified about a breach of one of your online accounts, it is vital to change the affected password immediately. However, this may be too little too late since a breached account means that attackers already may have access to your account.

Being proactive about password security is a much better idea. Instead of waiting for passwords to be breached, replace any weak and reused passwords with unique, strong ones and store them in a password manager. This dramatically decreases the risk of cybercriminals compromising your account if an online service is breached and password hashes are leaked.

The Growing Threat of Breaches

Companies are collecting and storing ever-increasing amounts of customer’s personal data. While some organizations are doing so to perform mass-scale data mining, the average business is collecting data simply to perform their core business practices. It’s pretty difficult to keep track of a user’s account without an email address or send a parcel without a shipping address.

Unfortunately, the troves of sensitive data that companies are collecting are a major target for hackers. An individual’s personal data can be used for a variety of malicious purposes (identity theft, spear phishing, and blackmail to name a few), so this information can fetch a pretty good price on the black market. The collections of sensitive data held by businesses are a treasure trove to any hacker who can access them.

As a result, data breaches are becoming increasingly common. In 2018, 5 billion records (or individual customers’ data collected by a business) were stolen by hackers. Since the cost of a data breach to the organization is often proportional to the number of records stolen, the impact of these breaches on the global economy is significant.

Hidden Costs of Data Breaches

Data breaches are expensive for the attacked organization. Some costs are directly related to managing the impacts of the breach (investigating the incident, paying fines, etc.), while some are more indirect. In 2019, a data breach costs a company an average of $8.19 million. These costs are spread over a variety of different impacts.

Investigation and Remediation

After a data breach has occurred, the organization needs to perform an investigation to determine the scope of the breach and remove any traces of the attacker from the network. This can be a complicated and expensive proposition since:

1. Many organizations don’t have the expertise in-house to investigate.

2. Attackers cover their tracks to make investigation more difficult.

Once the incident investigation has been completed, the organization needs to pay the costs of remediation. This not only includes the price of implementing all of the cybersecurity protections that were lacking in the first place (allowing the breach to occur) but also the price of fixing any damage caused by the attacker while they had access to the system. The need to perform these investigations and mitigations quickly can also add to the price tag.

Reputational Damage

One of the hardest costs of a breach to quantify is the damage to an organization’s reputation after a breach. Their customers have trusted them to properly protect the sensitive data entrusted to them and the organization has failed to do so. After a breach, an organization has to endure numerous news reports and articles dissecting what they did wrong and how their security processes were inadequate.

A great example of the impact of reputational damage to a company due to a breach is the general feelings of the American public towards Equifax. The Equifax breach was over a year ago, yet people are still annoyed with the company. The Equifax breach may be an extreme case since no-one gave their data directly to Equifax (so they’re not happy with it being lost) and the breach was caused by gross negligence by the company (failure to patch a vulnerability that was being actively exploited for months before the breach), but the current ill feelings toward the company demonstrate how an organization’s reputation can suffer after a breach.

Compliance Reporting and Penalties

In recent years, governments have been increasingly focused on protecting the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) is the most famous of these, but a variety of different nations and states have passed data privacy regulations to protect their citizens. These new regulations and standards are in addition to those already in effect, including PCI DSS, HIPAA, FISMA, SOX, and others.

As a result, the average organization may be required to achieve, maintain, and demonstrate compliance with several different regulations. In the event of a breach, this involves determining if the breach is reportable, whom to report it to, and how the report needs to be performed. Once a report is filed, the organization needs to cooperate with regulators and may be fined for negligence as a result of the breach. The manpower and fines associated with this can dramatically increase the cost of a breach. British Airways was fined $230 million by GDPR regulators for a 2018 data breach.

Notification and Compensations

After a data breach has occurred, the breach organization may be compelled to notify affected parties and provide compensation. While commonly these notifications are performed by email and have minimal cost to the organization, determining who needs to be notified can require significant effort.

Compensation costs can also be significant to an organization. Commonly breached businesses offer identity monitoring, but it is not uncommon for affected parties to file lawsuits against the organization for damages. The costs of litigation, settling, and/or any damages can be a significant cost to the organization.

Loss of Future Revenue

The impacts of a breach in terms of lost future revenue are difficult to determine. Multiple surveys have found that as many as 70% of customers will stop buying from a company after a breach. However, the fact that the #deletefacebook movement fizzled despite all of the missteps that Facebook has made regarding properly using and protecting customer data demonstrates that this may not be the case. If customers have no viable alternative, they may stick with a breached company, but many organizations will see a drop off in sales after reporting a breach.

Protecting Against a Breach

The simplest way to prevent data breaches is to ensure that the organization’s defenses are never breached by a hacker. However, this expectation is unrealistic. Every company is likely to suffer at least one successful cyberattack, and most companies will be the victim of several.

Protecting against data breaches requires ensuring that, even if a hacker can breach the organization’s defenses, that they can’t steal any valuable data. The best way to accomplish this is by encrypting data at rest.

The annual RSA Conference in San Francisco, which typically draws over 50,000 attendees, and 750 exhibitors, is often seen as a chance for vendors to exhibit their solutions to a wide audience.  As a result, The Expo hall (Moscone Center) can be experienced as an overwhelming array of booths, and at peak times, a downright carnival atmosphere can take hold, complete with barkers promising that their product is the solution to all of your cybersecurity problems.

The real heart of the conference however, can be found in the topical sessions and talks taking place off the exhibitor halls, in the meeting rooms. These sessions tell a different story about the real need for a security conference of this size.  A wide array of different security topics are covered including nextgen technologies (blockchain, etc.), threat intelligence (newly discovered APTs and attack vectors, and the human side of cybersecurity.

The human side of security was a major focus at this year's RSA Conference.  An entire Monday track was devoted to the subject as well as numerous standalone talks, labs, and discussion sections.  Across many of these sessions, a theme and a message could be found: in the end security revolves around the human side of the machine. (The archives can be found here).

Securing Humans is a Challenge...

Cybersecurity practitioners and vendors love technology-focused attack vectors.  If a web application has a buffer overflow vulnerability, it can be detected, investigated, patched, and forgotten.  While attackers are constantly looking for new bugs and vulnerabilities to exploit, they operate completely within an environment that a defender can control, making prevention, mitigation, and remediation possible.

Dealing with the human threat surface is...more complicated.  Organizations spend millions of dollars teaching people not to click that link or open that attachment.  Users know the risks but fall for phishing attacks anyway.

The talks during the Monday session on Security, Privacy, and Human Behavior did a great job of explaining some of the reasons why this happens: security folk tales and economic decision-making.

To be perfectly honest, most cybersecurity awareness training is awful.  You have “death by PowerPoint” possibly with a voice over delivered quarterly at best.  Users don't internalize and relate to this information and it takes second place to what “everyone knows” or “Bob told me…”.  The disconnect between official training and “common knowledge” makes people act in ways not in accordance with best practice.

The other main issue is that good security is often hard, inefficient, and unusable.  The volume of emails that the average person receives means that they have to make a decision in seconds or risk falling behind.  However, “being secure” requires running through a complete checklist of possible threats, never clicking links, and verifying all suspicious attachments.  The commitment in time and decision-making is significant, so users fall into bad habits since the cost of being secure is perceived as higher than that of a potential breach.

We Don't Have It Figured Out Yet...

Unlike most of the exhibits on the Expo floor, there was an element of doom and gloom in the human security talks.  As security practitioners, we understand the problem but we don't know how to solve it.

This is apparent when you ask anyone about their cybersecurity awareness program.  People will be happy to brag about their employee security awareness programs but asking if click rates on unsafe communications have dropped to zero yields a universal answer: No.  Even organizations that tie bonuses to click rates still experience incidents.

A common message in the talks was that completely eliminating the threat of the human element is impossible.  People need to use email, share information, etc. in order to do their jobs.  Even skilled cybersecurity practitioners are fooled sometimes because a phishing email is just that convincing.

The main challenges in the industry are establishing good metrics, setting goals for acceptable levels of risk, and meeting those goals.  This is where the industry seems to suffer since management likes to see easily measurable achievements and most programs are evaluated based upon the percentage of employees that have received the training rather than its ability to protect against real-world threats.

But We Have Some Ideas...

While the problem of improving human security is far from solved, it's not for lack of trying.  Across several different talks, there were commonalities in the methods that demonstrated some successes, including making security awareness training accessible, human-centric, and incentivized.

Making training accessible is designed to close that gap between cybersecurity “common knowledge” and the content provided in awareness training.  Research has demonstrated that humans simply can’t absorb the amount of information provided during traditional cybersecurity awareness training in a single sitting.  Also, many cybersecurity awareness programs use scenarios that are so contrived and unrealistic that making the connection between a real-world threat and the training is impossible.  By redesigning training to be bite-sized and relatable, organizations are making progress in influencing user’s understanding of the cybersecurity threat landscape.

A human-centric approach is extremely powerful for cybersecurity awareness and is demonstrated by the fact that many organizations have cybersecurity “ambassador” programs.  These programs are designed to identify people with an interest in cybersecurity and provide them with the information necessary to help their peers.  This greatly extends the reach of the organization’s security team and creates the capability for just-in-time interventions.

Finally, organizations have made significant progress by incentivizing good cybersecurity behavior.  A survey presented at one of the RSA talks demonstrated that the emotion most commonly associated with cybersecurity is fear, which is bad for making good decisions.  Instead of being known only for punishing users who make cybersecurity blunders, awareness programs have made great strides by rewarding and acknowledging those who do the right thing.

Next Steps for Human-Focused Security

The 2019 RSA Conference seemed to consist of two very different worlds.  On one hand, the vendors at the Expo were full of enthusiasm, demonstrating how their product could help solve an organization’s most pressing cybersecurity problems.  On the other, speakers were discussing the difficulties of developing an effective cybersecurity awareness program and how humans can’t be “fixed” with a simple software solution.

While the human behavior tracks of the RSA Conference didn’t provide a solution to the cybersecurity awareness program, they did have some useful nuggets for organizations attempting to solve the human side of security.  By improving the human side of security and raising the bar for social engineers and phishers, we may be able to force hackers back to focusing on the technology side, where finding solutions to problems is easier.