https://krebsonsecurity.com/2022/01/irs-will-soon-require-selfies-for-online-access/ Advertisement [5] Advertisement [7] Krebs on Security Skip to content * Home * About the Author * Advertising/Speaking IRS Will Soon Require Selfies for Online Access January 19, 2022 91 Comments If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device. [irs-idme] The IRS says it will require ID.me for all logins later this summer. McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders. These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day. Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else's name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver's license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service. When an applicant doesn't have one or more of the above -- or if something about their application triggers potential fraud flags -- ID.me may require a recorded, live video chat with the person applying for benefits. Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one's self with Id.me requires one to be able to take a live, video selfie -- either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you're using to apply for the ID.me account). Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I'd previously uploaded. [idm-2fa]After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option. The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can "push" a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option -- a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post. When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me. Next, applicants are asked to upload images of their driver's license, state-issued ID, or passport -- either via a saved file or by scanning them with a webcam or mobile device. If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer's camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver's license scans. After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype. My application got stuck interminably at the "Confirming Your Phone" stage, which is somewhere near the middle of the entire verification process. An email to ID.me's support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I'd already supplied, and then some. [idm-choosetoadd] Some of the primary and secondary documents requested by ID.me. For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement. After re-uploading all of this information, ID.me's system prompted me to "Please stay on this screen to join video call." However, the estimated wait time when that message first popped up said "3 hours and 27 minutes." [idme-waittime] I appreciate that ID.me's system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers. That said, I started this "Meet an agent" process at around 9:30 in the evening, and I wasn't particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC'd on my original email to ID.me's founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself. Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified. When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I'd shared with ID.me, I was looking at my most recent tax data on the IRS website. [authorizeirs] I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process. The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS's legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS's own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names. The IRS canceled its "taxpayer identity" contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans. Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year's story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves. Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity. "We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled," Hall said. "You'd have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we've verified you we don't need that data about you on an ongoing basis." ID.me's privacy policy states that if you sign up for ID.me "in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes." Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me. When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one's ID.me account. So, it seems that removing one's data from ID.me post-verification equals deleting one's account, and potentially having to re-register at some point in the future. Over the years, I've tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should "Plant Your Flag" conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc). Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you're forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes). If you've visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you'll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites. [ssalogin] This entry was posted on Wednesday 19th of January 2022 12:15 PM A Little Sunshine Tax Refund Fraud Blake Hall Equifax id.me U.S. Internal Revenue Service Post navigation - At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates 91 thoughts on "IRS Will Soon Require Selfies for Online Access" 1. E.M.H. January 19, 2022 "Selfie", not "headshot"?? As in arm's length, puckered up duckface, and flashing a peace sign? (I kid.... although I am laughing at the possibility of the company overflowing with silly selfies as authentication data) Anyway, speaking seriously now: I know there are privacy questions about all this, but the thing that struck me is how un-scalable the notion of individual video calls would be. Yeah, I get that it wouldn't be everybody, but still, 1% of the US population would still be several million people. Even if it were a fraction of that and down to tens of thousands of people, just how many people does ID.me employ for this? And how long a wait? Brian here noted several hours (although he got favored big-time by someone and didn't have to wait), but when this grows, does the average person wait 3 hours? Or that many days? Weeks? Yeah, this doesn't seem like as important a question as privacy, trust, secure storage of info, etc., but my point is that if the process gets overwhelmed, what problems will stem from that? And which of the ways to deal with those down-the-road problems would be insecure? This issue isn't something immediate, but I feel it *is* something that needs to be taken seriously. Reply - 1. JamminJ January 19, 2022 I really laughed at your comment. A pile of selfies being processed would be hilarious. I agree that it would be unscalable to hold individual video calls (no matter how short) to a specific percentage of applicants. But I don't think they will try to do that. Rather, it sounds like it will become a floating "spot check", that depends on the availability of resources. Like the TSA (don't get me started on that), these spot checks might turn out to be "peace of mind" and "security theater" meant only to create a reasonable chance of catching an attacker. This can be of good value though, as hackers (especially foreign ones) are very risk adverse to systems that have a chance of human intervention. They much rather prefer automated and quick. Reply - 2. Chiggy January 19, 2022 This will be a nightmare for disabled people or anyone who has shaky hands when trying to take the "live" photos of the multiple forms of ID and/or the "selfie". I wonder if the disabled lobby will sue about this. I hope so. Reply - 1. JamminJ January 19, 2022 Anyone can sue about anything at any time. But as long as there are reasonable accommodation, they can't really win anything. As long as the US Postal Service works to send scanned documents, and notaries available, there will always be another way. Reply - 1. kat January 19, 2022 I see no description of another way being available. Reply - 1. JamminJ January 19, 2022 https://www.irs.gov/filing/ where-to-file-paper-tax-returns-with-or-without-a-payment Reply - 3. Anon January 19, 2022 This "ID.me" is looking more and more like a front for the Democratic Party.....I'd be very concerned now..... Reply - 1. drone January 19, 2022 Drink your horse paste. Reply - 2. sergi tolstoy January 19, 2022 ?? GOP States voter ID laws Reply - 4. dry-biscuits January 19, 2022 A few significant observations: - The camera and microphone are still recording after you end the live chat identity authentication (the activity light on the camera was still on). It only "seems" to deactivate when the browser window is in the background, so be sure to close the window and revoke site permission to the camera and microphone. - When taking the selfie, you have to turn the brightness of the display up to 100% so that the strobing multi-colors of the display will reflect off your skin. It also means that if you have a USB webcam, you need to center it to the display so that you can get your face perpendicular to the display. - The first automated identity verification seems to be through a credit agency, possibly TransUnion. A credit freeze will fail to verify, which escalates to the live chat. This also means that people without a current US address cannot use the automated identity verification, as there is no option to enter a foreign address. The escalation to live chat allows the entry of a foreign address, but I'm not sure how to fail the automated identity verification in order to escalate to the live chat, if you don't have a US address to fail with in the first place. I guess you'd have to contact their support for manual escalation to live chat by explaining that you have a foreign address. - The first automated identity verification requires a US landline or mobile phone subscription. Foreign numbers and VOIP are not allowed, I assume because they first check the number with the credit agency (which seem to only have US numbers) and then possibly use some technical method to check the registration of the telephone number with the carrier (or maybe send you a text? I failed automated verification so nothing happened to my phone so I wouldn't know). The escalation to live chat allows you to enter a foreign number and VOIP, because I guess it's only used for sending you a link to a smartphone so that you can take the selfie, upload the documents, and launch the live chat window from a mobile browser, if you don't want to do it from a PC browser. - The telephone number that you entered, either through the automated verification method if you passed, or the escalated live chat, gets saved into your profile and is shared with the IRS (according to what the id.me website says about what they share with the IRS). I'm not sure if this is the same number that you select for the 2FA telephone PIN, or if perhaps they would share both numbers if you changed the 2FA number. So be careful of which telephone number you enter, in case it's not a number that you want to share with the IRS. - The countdown to live chat is highly inaccurate and underestimated. The timer continuously went up and down but nowhere near the actual wait time, and ended up taking 4 hours. Reply - 5. John Mac January 19, 2022 As a parent of an adult disabled individual who has need to access SSA and IRS but who is intellectually a child, going to be interesting how to handle this. Need to see how "third parties" are handled, how legal representatives are handled, and someone else can bring up those with legitimate needs but no access to the equipment, tools or time. My son has no phone. Reply - 1. orly January 19, 2022 Serious questions? Does your son have an existing IRS.gov account already? What about a Login.gov account? Reply - 6. Viktor g January 19, 2022 Interesting if any independent scientist reviewed such system from psychological point point of view. Reply - 7. orly January 19, 2022 There seems to be a lot of people misunderstanding and taking this to the extreme. Is there any real "requirement" to have an IRS.gov account? I don't have one, and have been filing taxes just fine. That is not changing. So why are people thinking this is some new thing that will force people to create an account? Is just a big change for the people who already manage tax records with the IRS website directly. While the majority of comments here seem to be people talking about expatriates, retired people, and the disabled. How many of those actually have an IRS.gov login? Reply - 1. Jen Farmer January 19, 2022 You should understand that many people have ported their taxing over to this system, which means they'll have to learn how to use another system or "give in" here. First you create the supply, then you start making changes that the consumer just accepts because they don't know anything else. Humans are lazy, and corporations like IRS take advantage of that. Reply - 1. orly January 19, 2022 E-filing of taxes directly using the IRS website is not the only way to do it. I understand many people started doing it that way, and don't like change. Like anything else with e-commerce, if you don't like the way one system is changing, you're free to go with any of the dozens of other tax prep/filing services and use their weaker/easier authentication schemes. Either way, change is inevitable with online systems, especially to adapt to growing cyber threats. If they don't like change, they are free to "port" their taxing back to the good ol letter in the mailbox system. Reply - 8. Dave Bezaire January 19, 2022 Positive identity authentication is essential to a functioning society, yet none of us wants to trust any private entity sufficiently, so this necessarily should be an essential government-provided function. In fact, our Social Security System provides the same, albeit without proper implementations and controls to make it both safe and trusted. It's way past time that we (a) remove the restrictions that hamper effective use of SSNs (and derivatives as might be necessary) that were implemented to assuage the fears of federalists and individualists, and (b) legislate appropriate controls along the lines that HIPPA does for health information. Until we do so, the massively powerful network of overlapping private systems will continue to make it very easy for the powerful to snoop on everything we do and profit from all the data about us. ID.me is just a small symptom of a huge problem that is most evident in the use of our cell phone numbers as permanent identifiers connecting huge databases of online advertisers, and putting all the power in the hands of the commercial interests with virtually no recourse for us as individuals. Although I'm generally a free-market advocate and quite suspicious of big government, this is a case where the the private alternatives are far scarier. Reply - 1. JamminJ January 19, 2022 Here-Here Reply - 9. FCP January 19, 2022 Just finished the entire process. It took about two hours, most of the time waiting. the video connection on my computer didnt work so clerk called me on phone and we eventually used Zoom on Ipad. Overall a rather easy experience, although as I have posted above, perseverance is required if you are refused acceptance the first tiem. It took me three tries to get thru to the video verification. If only I could verify my deceased mother's account and find out why the IRS hasn't refunded her 2020 taxes. As she died in 2021 we had to send in a paper return with the death certificate. I am sure it is sitting in the pile of 10,000,000 docments they say are waiting to be processed Reply - 1. Paul Gaffney January 19, 2022 Similar situation. Waiting on 2019 refund for a deceased family member. No replies from IRS when I have inquired about the stat I s of the return that was filed. Reply - 10. Mike Lambert January 19, 2022 Can I register more than one yubikey for 2fa at id.me? Reply - 1. Bamford January 19, 2022 Why would 1 user need more than 1 key for 1 site? Reply - 11. Mitchell Hellman January 19, 2022 I just went through this mess last weekend, when ID.me couldn't verify my phone number (I have a VOIP service at home- it would have been nice to know that it would be a problem for them). I waited online for 4 hours Saturday and 10.5 hours on Sunday (ID.me runs the webcall process 24/7); the last three hours, I watched the estimated wait time counter hover between 3 and 6 minutes. I used some of that time to send a nastygram via email to ID.me through their website; surprisingly, I got a voice message on my cell phone later that night providing me with a link separate from the one I had been holding on. I connected, got a human being and the rest of the process took about 5 minutes. Ironically, when I posted my saga on my Facebook page, one of my relatives, a longtime freelancer, told me about eftps.gov, the IRS's Electronic Federal Tax Payment System, which doesn't require all that info plus your firstborn child and a pint of blood. Since all I wanted to do was to pay my quarterly tax, this seemed to be an ideal workaround; the only catch is that I have to wait for a snail mail from EFTPS with a code I'll use online to prove my name and address is valid. Meanwhile, I put a check in the mail. BTW: the office of my US senator provided me with the phone number of someone in the IRS's Taxpayer Advocate Service. Talking with her was like the "yes, but these go to 11" scene in "Spinal Tap"- she didn't see what the fuss was about, but she told me to use http://www.irs.gov/payments and click on the link labeled "Make a Guest Payment from Your Bank Account" ... and no registration is required to use that link. So, even the IRS itself will tell you ways to skip ID.me if you know who to ask and where to look. Sigh. Your tax dollars at work. Reply - 1. Old Timer January 19, 2022 Funny how there is always a quicker and easier way to pay them. But when it comes time for a refund, benefit, or to receive something in return... it's a process. Either way, there has always been a slow alternative for people who don't want to use a computer at all. The IRS will always accept tax return filings through USPS. "Back in my day", before the Internet, filing taxes was an ordeal and a half. Mailing stuff and waiting for mail in return was the way. And that's if you knew enough to prepare your own forms. Can't help be feel that this generation has taken the Internet for granted. So now accustomed to speed and instant gratification. That any new inconvenience is now a travesty and a breach of privacy. Don't like it... you don't need to use the Internet, it's still optional even if you don't like the legacy alternative because you're entitled and spoiled. Reply - 12. PencilSharp January 19, 2022 A heads-up here. For veterans, the procedure is different. Since we already have info in DOD and VA systems, ID.me seems to be pulling intel from those systems to verify identity with a process not nearly as lengthy as this one. Registering with VetTix, for example, one option to verify my service was with ID.me. I did a quick check on the website, and verified VA does use and cooperate with them. That was a few weeks ago, so I can't remember the exact procedure. I did have to verify some stations I was at, along with service start and end dates. Still, it didn't take me more than 15 minutes start to finish. Of course, when I set up my account with the VA, it took considerably longer than THAT to establish my identity. Maybe ID.me considers that an effective screening? Either way, it'll be interesting to see if any other veterans out there had a similar experience... Reply - 13. Sri January 19, 2022 Developing nations like India have moved on to Biometric verification with Multi-Factor Authentication. Do you all think, it is time for America to move in that direction? Ofcourse, there are some privacy concerns but that has been fine-tuned and remediated with the help of innovation and technology. https://en.wikipedia.org/wiki/Aadhaar Reply - 14. Terrie Marcoe January 19, 2022 I already made mine. Yes, it was problematic. The system didn't like my document images, and it seemed nonlogical. I couldn't have made them more clear. I ended up having to have a live session and when the audio want picking up, was given instructions that led to my being cut off. The second live chat also had no audio on my end(yes, I had given permission for it), but the young man was very helpful. Had me stay on the phone for audio while using the camera on my laptop for the face to face. At one point, it was clear he was enjoying the stupidity of my ineptness. Not in a bad way... but he goes "You don't have to hold the phone to your ear," and I think he just was glad I was able TO stay with him. I think plenty of people with developmental issues are really going to struggle with this program. Also, a cel phone device was not an accepted option. Many people only HAVE cels nowadays. Reply - 15. Reuven Avram January 19, 2022 I already had an id.me account-not sure why-and used it to log into the IRS website. It made me re-upload my Drivers License, even though it indicated that had already been verified, and I had to do the video verify. I doubt if my 88 year old mother would figure this process out. I suspect the elderly will be the preferred targets for identity theft because, no doubt, they will have to relax verification standards for them. I also expect ID.me to be hit with many ADA lawsuits over accessibility. Reply - 16. Bruce Boyle January 19, 2022 The registration process hung at verifying my phone also, but I was able to complete it by copying the included link to the Chrome browser on my PC. Not extremely secure, I'm afraid, and clearly a compatibility issue with the Chrome browser on my Android phone. Reply - 17. Dena January 19, 2022 era of fuedulism; techno feudalism. I saw a vlog about about that concept and found this interesting. Everyone will have to set an account eventually, this is the way of life. Besides, many do need to access the IRS for various reasons; the pandemic added to that. What is capitalism anyway? Reply - 1. Aned January 19, 2022 OMG, you saw it on a vlog? Wow, must be true. Relax. This isn't a slippery slope. You can always mail in your forms to the IRS, and you could always do it. The website is a convenient option but don't act so entitled. Geez, this generation of whiny entitlement is the real feudalism. Reply - 18. Dean Marino January 19, 2022 Regardless of the efficiency of the process... 1) Federal Govt has no business relying on a third party for identification. I suspect an attempt to offload liability for breaches. 2) Let's talk about breaches . Quick - what organization is every hacker from here to Saturn going to go after? Perhaps ID.me ? The Website Logo Image should be a rifle range target. Just my family - going RIGHT back to paper Tax Returns. As we file quarterly, with the goal of "no refund"? Not our issue if the FEDS take 3-4 years to process the paper returns. Reply - 1. JamminJ January 19, 2022 I agree with (1). Identity providers can be a 3rd party, if owned and operated at that level of government. The SSA for example, uses login.gov, provided by the GSA. If it can't be helped, they need to regulate the crap out of the private industry. Much more than civil defense contractors. (2) is pretty weak as an argument. Although adding a 3rd party does increase the attack surface, it provides substantially better security for authentication. So it's probably a better thing for attackers to target a hardened, security focused authentication platform... rather than the soft, squishy targets that attackers have been so successful at breaching for years now. But yeah, for anyone who doesn't like it, they can go back to paper filings. Reply - 19. AzTechGuy January 19, 2022 My experience was slightly different. I did not have to upload any documents. My ID is a CDL and I have a hazmat (explosives) endorsement with TSA, ATF and Homeland background checks attached, so I wonder if that is why they didn't prompt for documents. A simple comparison with my ID and my face scan (Done on a computer web cam), then on to the phone verify and confirmation of my data. I was done at that point. I too used MFA keys. I suggest you make sure you register more than one key. Also, you will need it every time you log in, you can't select to have it remember a device. Reply - 20. Jack Lail January 19, 2022 Later this year? I had to switch to the new system when I logged in a week ago. The site said my previous credentials had to be updated to the ID.me system. It did the face scan and used some personal information to do a credit file match (it seemed). Reply - Comment navigation - Older Comments Leave a Reply Cancel reply Your email address will not be published. Required fields are marked * [ ] [ ] [ ] [ ] [ ] [ ] [ ] Comment [ ] Name * [ ] Email * [ ] Website [ ] [Post Comment] [ ] [ ] [ ] [ ] [ ] [ ] [ ] D[ ] Advertisement [7] Advertisement Mailing List Subscribe here Search KrebsOnSecurity Search for: [ ] [Search] Recent Posts * IRS Will Soon Require Selfies for Online Access * At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates * Who is the Network Access Broker 'Wazawaka?' * 'Wormable' Flaw Leads January 2022 Patch Tuesday * 500M Avira Antivirus Users Introduced to Cryptomining Spam Nation Spam Nation A New York Times Bestseller! Thinking of a Cybersecurity Career? Thinking of a Cybersecurity Career? Read this. All About Skimmers All About Skimmers Click image for my skimmer series. Story Categories * A Little Sunshine * All About Skimmers * Ashley Madison breach * Breadcrumbs * Data Breaches * DDoS-for-Hire * Employment Fraud * How to Break Into Security * Latest Warnings * Ne'er-Do-Well News * Other * Pharma Wars * Ransomware * Security Tools * SIM Swapping * Spam Nation * Target: Small Businesses * Tax Refund Fraud * The Coming Storm * Time to Patch * Web Fraud 2.0 The Value of a Hacked PC valuehackedpc Badguy uses for your PC Badguy Uses for Your Email Badguy Uses for Your Email Your email account may be worth far more than you imagine. Donate to Krebs On Security Most Popular Posts * Sextortion Scam Uses Recipient's Hacked Passwords (1076) * Online Cheating Site AshleyMadison Hacked (798) * Sources: Target Investigating Data Breach (620) * Trump Fires Security Chief Christopher Krebs (534) * Cards Stolen in Target Breach Flood Underground Markets (445) * Reports: Liberty Reserve Founder Arrested, Site Shuttered (416) * Was the Ashley Madison Database Leaked? (376) * DDoS-Guard To Forfeit Internet Space Occupied by Parler (374) * True Goodbye: 'Using TrueCrypt Is Not Secure' (363) * Who Hacked Ashley Madison? (361) Why So Many Top Hackers Hail from Russia [computered-580x389] Category: Web Fraud 2.0 Criminnovations Innovations from the Underground [shreddedID-copy-285x189] ID Protection Services Examined Is Antivirus Dead? Is Antivirus Dead? The reasons for its decline The Growing Tax Fraud Menace The Growing Tax Fraud Menace File 'em Before the Bad Guys Can Inside a Carding Shop Inside a Carding Shop A crash course in carding. Beware Social Security Fraud Beware Social Security Fraud Sign up, or Be Signed Up! How Was Your Card Stolen? How Was Your Card Stolen? Finding out is not so easy. Krebs's 3 Rules... Krebs's 3 Rules... ...For Online Safety. (c) Krebs on Security