Michael Kasper thought he was ahead of the game when he sat down to do his taxes this year. It was a Friday in February, more than two months before the mid-April filing deadline, and snow still covered the front lawn of his home in Poughkeepsie, in upstate New York. “I had all the papers,” he recalled. “I had the W2 and the 1099s stacked up, and I typed them all in.”
But a few hours after he tried to submit his tax return online, he got an email saying it had already been filed—a week earlier.
The story of Kasper’s tax return would eventually turn out to involve a bank account in rural Pennsylvania, a go-between on Craigslist, and a Western Union wire transfer to Nigeria. He was almost certainly one of the more than 330,000 Americans who fell victim to an audacious hack of the Internal Revenue Service (IRS), which was disclosed earlier this year. And the hackers didn’t use sophisticated malware or social engineering tactics—the hallmarks of many recent data breaches. Instead, they walked in through the front door of the IRS website, pretending to be regular people filing their taxes, and walked out with millions of dollars in fraudulent refunds.
The IRS has divulged few details about the data breach, but thanks to some amateur sleuthing by Kasper, who is a software engineer with a specialty in computer security, we’re able to fill in some of the blanks.
Protecting taxpayers from themselves
The Monday after trying to…