How two intrepid students nearly hacked Trump's tax returns


It's been more than four years since Donald Trump first announced his intentions to run for the office of President of the United States and we have yet to see more than a couple of pages of Trump's tax returns — none of which were willingly shared by Trump himself. With that in mind, two college students decided they would try to get their hands on Trump's financial history through a Free Application for Federal Student Aid (FAFSA) request. The scheme failed, and the two young men are now facing criminal charges for their efforts, according to a report from CyberScoop.

The plan to try to get Trump's taxes started in 2016, before he first took office. One of the students, Andrew Harris, thought that it might be possible to access some of Trump's documents by filling out a fake FAFSA application for him. The clever attempt counted on the fact that the FAFSA application process uses a person's prior year's tax information in order to calculate their financial need and disburse loans as needed. When filling out the FAFSA, you're given the ability to automatically pull tax filings from the Internal Revenue Service (IRS) as long as you're able to provide the necessary documentation through the IRS Retrieval Tool. Harris already had Trump's Social Security number because it had previously been leaked online, allegedly as part of a hack carried out by the hacktivist organization Anonymous.

Harris allegedly roped in his friend Justin Hiemstra to carry out the plan to snatch Trump's taxes from the financial aid program, and the two set out to fill out their fake FAFSA application on November 2, 2016 — just six days before the election was set to take place. The two reportedly started to fill out the form in the computer lab of the college campus, creating a FAFSA account for a member of the Trump family. According to court filings, they found out that person already had an account, so instead of turning their attention to another family member, they attempted to reset the password for the account.

One might imagine that would be a dead-end for them, but it actually worked. That's because the FAFSA reset process requires users to answer security questions in order to reset the password, and they were able to get the correct answers for the security questions with a simple Google search. Which serves as a good reminder that security questions suck. In the age of the modern internet where every bit of information about you is known and readily available for anyone to find, these so-called "security" questions do a pretty poor job of keeping us secure. Questions like "What is your mother's maiden name?" or "What is the first school you attended?" will never keep you safe. Most of the time, the answers can be found through a basic search or by skimming social media posts to see what kind of personal information you've willingly surrendered to anyone who might be looking for it. The National Institute of Standards and Technology (NIST) even recommended doing away with these types of questions as a security measure in 2016, but apparently not all of the federal government got the memo because two college kids were able to successfully reset the password of a celebrity child in order to potentially gain access to the tax documents of a presidential candidate.

Even after navigating the security questions and resetting the password for the Trump account, the college kids were unable to get their hands on his tax returns. It didn't work. The public still has not seen Trump's tax returns despite multiple requests from the general public and other elected officials, and the two students are now staring down a potential prison sentence for their scheme. The two men have pleaded guilty to two misdemeanor charges for violating the Computer Fraud and Abuse Act. They both face up to two years in prison, one year on probation and a $200,000 fine. If there is a lesson here, it is that you definitely should not attempt to gain access to the President's tax returns using a fake FAFSA application — but also that you shouldn't have to do that because he should make his tax returns available to the public.