The US Internal Revenue Service (IRS) and Security Summit partners urged tax professionals and taxpayers today to enable multi-factor authentication (MFA) in their tax preparation software products to defend against data theft.
“Already, nearly two dozen tax practitioner firms have reported data thefts to the IRS this year,” the IRS said. “Use of the multi-factor authentication feature is a free and easy way to protect clients and practitioners’ offices from data thefts.”
By enabling MFA on their software products, taxpayers and practitioners will block threat actors who manage to steal their passwords from accessing their accounts, since the attackers will not have the phones needed to receive the security codes required to log in.
The IRS also reminded tax pros to be aware of phishing attacks used by cybercriminals to take control of their accounts and/or computers, as well as infect their systems with malware that would open the door for further data theft.
“Thieves may claim to be a potential client, a cloud storage provider, a tax software provider or even the IRS in their effort to trick tax professionals to download attachments or open links,” the alert reads.
“These scams often have an urgent message, implying there are issues with the tax professionals’ accounts that need immediate attention.”
Multi-factor authentication for IRS e-Services
The IRS allows users to create an Online Services Account and log in to see the money owed, total tax payments for the year, payment history, and various other tax-related info.
When creating an IRS online account, you will be required to provide a U.S.-based and text-enabled mobile number which will be used to send activation and security codes that must be entered when you log in to IRS.gov.
Each time you want to log in, you will receive a security code from the IRS Password Service via text message (from 77958) or phone call (from 202-552-1226).
MFA should be enabled on all online accounts
Multi-factor authentication is now commonly offered as a protection measure for online accounts by a wide range of entities including financial institutions, social media platforms, and email providers.
“Users should always opt for multi-factor authentication when it is offered but especially with tax software products because of the sensitive data held in the software or online accounts,” the IRS concluded.
The US tax collection agency previously reminded professional tax preparers that federal law requires them to have a data security plan with the safeguards needed to protect the sensitive taxpayer data they work with from data theft attacks.
The IRS also published security guidance to help taxpayers fight identity theft during November 2019. Taxpayers can also find out more about identity theft and how to protect themselves by visiting the IRS Identity Theft Central web portal.
Microsoft and Google: MFA is the way to go
“By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks,” Microsoft Security Senior Product Marketing Manager Melanie Maynes explained last year.
“With MFA, knowing or cracking the password won’t be enough to gain access.”
“Ultimately, compromise via database extraction and cracking ends up being similar to guessing, phish, or replay – the attacker must try logging in with the compromised password, and at that point, MFA is your safeguard,” Microsoft Group Program Manager for Identity Security and Protection Alex Weinert also added.
“Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
Google also advised users to add recovery phone numbers to their account and to enable SMS-based MFA to boost their security.
The company said at the time that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”