(May 27, 2015 at 4:15 pm) KevinM1 Wrote: Hey Tib, thoughts on the veracity of this AV chart?
http://chart.av-comparatives.org/chart1.php
I'm currently using BitDefender for my PC and Android phone based on the numbers there.
Also, what would you have done differently than the IRS to prevent the breach? In case you're not aware, 100,000 people's tax records were stolen from the IRS' transcript site. It used weak authentication - just an SSN and valid email address - and people who had stolen others' identities simply entered their stolen info, provided an email address, and had unfettered access to those individuals' records.
Talking with a friend, I suggested two factor authentication, but access could be a problem since not everyone owns/has access to a cellphone or PC. Is there anything else that could be done in that case?
AV-Comparatives are pretty thorough and open about their testing techniques, so I'd definitely trust them as an independent testing organisation. From the looks of the graph, BitDefender seems like a good choice. Might have to switch over from Kaspersky when our license runs out.
As for the IRS breach, I believe more validation of the user identity should have been performed. For instance, you should not be able to take a social security number and a mailing address (both of which are pretty easy pieces of information to get...your employer likely has both) and get copies of tax records. Rather, what should happen is the following:
1) User without an IRS.gov account enters their SSN and address.
2) IRS.gov checks the SSN and address match what they have on file, and asks user to enter an email address / username.
3) IRS.gov then mails a randomly generated password to the user's mailing address, which they can combine with their username to log in.
It's not a perfect system, as a really dedicated attacker could sit and wait for the mail I suppose, but ultimately those cases of fraud are going to happen one way or the other anyway.
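An added illustration of the three-step enrolment sketched above, not code from the thread: it puts the knowledge-only check the IRS used next to the mailed-password flow, so the attacker who knows the SSN and address still cannot log in without the letter. `ON_FILE`, `Enroller`, `demo` and the sample SSN/address are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; the SSN and address are fake placeholders.
ON_FILE = {"123-45-6789": {"address": "1 Main St, Springfield"}}
MAX_ATTEMPTS = 5

def weak_grant(ssn, email):
    """Flow criticised in the thread: knowledge factors only, so anyone who
    knows the SSN (plus any e-mail address) is served the records at once."""
    return ssn in ON_FILE

def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()
class Enroller:
    """Steps 1-3 from the reply: check SSN+address against the file, then mail a
    random password to the address on file; only that mailbox can finish login."""
    def __init__(self, mail_out):
        self.mail_out = mail_out   # callable(address, text) standing in for postal mail
        self.pending = {}          # username -> {"hash": ..., "attempts": n}

    def start(self, ssn, address, username):
        rec = ON_FILE.get(ssn)
        if rec is None or not hmac.compare_digest(rec["address"], address):
            return False
        pw = secrets.token_urlsafe(12)   # high-entropy, so a plain hash is adequate here
        self.pending[username] = {"hash": _h(pw), "attempts": 0}   # store hash, not password
        self.mail_out(rec["address"], pw)  # goes to the address on file, not one the caller supplies
        return True

    def login(self, username, pw):
        e = self.pending.get(username)
        if e is None or e["attempts"] >= MAX_ATTEMPTS:
            return False
        e["attempts"] += 1
        return hmac.compare_digest(e["hash"], _h(pw))

def demo():
    """Returns (weak flow result, attacker result, legitimate user result)."""
    mailboxes = {}
    enr = Enroller(lambda addr, text: mailboxes.setdefault(addr, []).append(text))
    weak = weak_grant("123-45-6789", "anyone@example.com")
    # Attacker knows the SSN and address (as in the breach) but cannot read the mailbox.
    enr.start("123-45-6789", "1 Main St, Springfield", "mallory")
    attacker = enr.login("mallory", "guessed-password")
    # The taxpayer enrols too; the letter lands in the mailbox at the address on file.
    enr.start("123-45-6789", "1 Main St, Springfield", "alice")
    legit = enr.login("alice", mailboxes["1 Main St, Springfield"][-1])
    return weak, attacker, legit
```

As the reply notes, the residual risk is someone who can intercept the letter itself; the mailed secret should also expire, which this sketch leaves out.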