
IRS Awards Equifax $7.25M Contract to Help 'Verify Taxpayer Identities' - esalazar
https://gizmodo.com/irs-awards-equifax-7-25-million-no-bid-contract-to-hel-1819119424
======
vasco
How incredible it is that a Federal Agency needs a private company to identify
its own citizens. You guys really should get smart ID cards like every other
sane country. They have a certificate on them and you can even buy a card
reader to use the chip and identify yourself in state-run online services.
Come join us in 2017, it's cool here.

~~~
thomascgalvin
You're implying that the US is sane. If we tried smart ID cards here, half the
population would have a meltdown over the Mark of the Beast of 1984 or
"papers, please" or something.

~~~
JPKab
Let's not forget the other half of the population that would scream how
discriminatory the ID card requirement is against certain populations who
can't easily get to the offices where they are given out. We have this debate
currently with requirements for ID at polling stations.

~~~
yahna
Except that debate is dishonest because if the Republicans actually cared
about voter security the obvious response to "minorities don't have access to
ID" is "okay, let's fund a program to get everyone ID".

Of course the Democrats fall for the trap every time, because using security
as an excuse for taking away rights is almost as good as using child porn as
an excuse for censorship and monitoring. People go "oh yeah, that sounds
reasonable".

------
willvarfar
> "the IRS has determined Equifax is the only business capable of providing
> this service."

Equifax and capable in the same sentence? Oh IRS...

The hackers should incorporate! Then two businesses would be capable of
providing the service.

Would it be 'ethical hacking' if you hacked companies like Equifax so you
could offer their data to tax-payer-funded clients for cheaper than companies
like Equifax do?

</silliness>

------
thephyber
The important part of the reply:

> As noted in public records, the short-term contract was awarded to Equifax
> to prevent a lapse in service during a protest on another contract. The
> service relates to assisting in ongoing identity validation needs of the
> IRS. Equifax provided these identity proofing services to the IRS under a
> previous contract.

~~~
lawnchair_larry
Well that's an obvious problem, because it means that whoever stole the
Equifax data, and whoever they sell it to, basically has the answer key to the
IRS's identity verification questions.

~~~
20after4
Yep, also the answer to questions asked when applying for a birth certificate
from any US state, among other identity verification services provided by the
credit agencies.

And this: [https://krebsonsecurity.com/2017/10/usps-informed-delivery-i...](https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/)

~~~
strictnein
This is just mind boggling to me:

> "Perhaps this wouldn’t be such a big deal if the USPS notified residents by
> snail mail when someone signs up for the service at their address, but it
> doesn’t."

That should be part of the authentication to enable the service (enter a code
on the mailer to finalize setup). The fact that it doesn't send anything is
just mind boggling.

------
KekDemaga
"The no-bid contract, which pays $7.25 million, is listed as a “sole source”
acquisition, meaning the IRS has determined Equifax is the only business
capable of providing this service."

If they are the only business capable why not make them bid anyway just in
case?

~~~
rblatz
Seriously? They are the only ones? What about LexisNexis, Experian,
TransUnion?

~~~
dismantlethesun
Clearly only Equifax has the level of competence sorely needed by government
sponsored work.

Surely, if anything goes wrong---it will at least be the things the government
wants to go wrong.

------
IncRnd
> _a contract to assist the IRS in verifying “taxpayer identities”_

I'm guessing they will use the last 6 digits of the SSN for verification
purposes.

> _the IRS has determined Equifax is the only business capable of providing
> this service_

We all know that isn't true. There is something very rotten with this.

Anyone in possession of the Equifax breach data can get validated as 143
million different individuals.

~~~
VLM
Presumably the 143 million identities are valid. Would be an epic troll if 99%
were salt/fake only to detect and track use.

Authentication is verifying someone is the person represented by a valid ID.

Authorization in this case is some authenticated person having the legal
authority to look at or fill out someone's tax paperwork, not necessarily the
same as the person under discussion, consider my accountant or my wife's PoA
over her elderly uncle, doing taxes and financial things.

You can be super black pilled about the IRS or perhaps slightly more white
pilled that they're only doing validation... if I live at 221B Baker Street
and I type in 2218 Baker Street it would be nice if that could be caught and
fixed. Yeah, yeah, I know, reality is probably some fuzzy location in between.

Although it sounds weird for a company based on gatekeeping "secret" data
(which hasn't been secret in a long time) to allow its secret data to leak,
it's an old business model to create a problem which surprisingly enough you
also have a profitable solution. It's highly likely in a year or two we'll all
have Equifax smart chip ID cards. Like a military CAC card but with 100 times
more users.

~~~
IncRnd
> _Presumably the 143 million identities are valid. Would be an epic troll if
> 99% were salt/fake only to detect and track use._

The 143 million PII records likely represent almost every adult taxpayer in
the US. These records didn't need to be released purposefully. Even if stolen,
nothing but the possession of those records may be needed to authenticate as
almost any one of the adult taxpayers in the US.

> _Authentication is verifying someone is the person represented by a valid
> ID_

Why do you believe that auth in this context requires validity of ID or even
an ID of any kind?

> _It's highly likely in a year or two we'll all have Equifax smart chip ID
> cards._

I'm not convinced this is a highly likely scenario.

------
IceyEC
So, why didn't the IRS just download their leak and do the verification in
house?

/snark

------
craftyguy
[https://news.ycombinator.com/item?id=15395639](https://news.ycombinator.com/item?id=15395639)

------
dforrestwilson
2017 has been the most bizarre year of my life so far.

~~~
dingo_bat
Your life will probably keep getting weirder and weirder:
[https://www.tor.com/2010/08/05/divided-by-infinity/](https://www.tor.com/2010/08/05/divided-by-infinity/)

~~~
xapata
That was an excellent read. Thank you for the link.

------
Koldark
We need to remember that this process probably started months ago before the
hack. Also, remember that Equifax (while not really loved) was not really
thought about as being a really bad company.

------
tickerticker
Now they can crowd source this project.

------
sly010
Clearly only Equifax has the level of incompetence needed by government
sponsored work.

------
emodendroket
Awful time to be a satirist. How can you even parody this stuff?

------
fractal618
Nuts

