The Internal Revenue Service still has some work to do to strengthen the controls over its Electronic Authentication Process after criminals gained access to an estimated 724,000 taxpayer accounts through its online Get Transcript application last year, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, acknowledged the IRS has taken several steps to improve its systems and provide more secure authentication, including strengthening its application and network controls. However, the IRS should take further actions to improve security over its eAuthentication process, according to TIGTA’s report.
The IRS took down the Get Transcript app in May 2015 after it discovered criminals were using the system to access transcripts of hundreds of thousands of old tax returns (see IRS Detects Massive Breach in ‘Get Transcript’ Application and IRS Finds ‘Get Transcript’ Data Breach Was More Widespread).
Last tax season, taxpayers and tax professionals could only use the online service to order tax transcripts that would be sent to them by mail, instead of being able to view and print the tax transcripts directly online. The IRS only restored the Get Transcript application this past June, adding a multi-factor authentication process to deter identity thieves (see IRS Relaunches ‘Get Transcript’ App with Better Authentication).
The IRS had similar issues with the Identity Protection PIN service that is supposed to safeguard victims of identity theft by giving them a special personal identification number to use when filing their taxes. The agency needed to suspend the use of the IP PIN service this past March after discovering it too had security vulnerabilities (see IRS Suspends IP PIN Service for Identity Theft Victims). The IRS revived the tool in July after beefing up the authentication procedures (see IRS Restores IP PIN Tool with Improved Authentication).
The IRS has also tried to improve the authentication capabilities of its online e-Services for tax professionals, warning them last month they would have to re-register using a new Secure Access process by October 24 (see E-Services Users Must Re-Register, IRS Warns). However, last week the agency sent an email to tax professionals telling them the security upgrade has been postponed indefinitely (see IRS Delays E-Services Security Upgrade).
The report released Wednesday by TIGTA blamed poor communication between the IRS and an outside contractor for the authentication problems behind the Get Transcript breach, so the IRS did not entirely know what was being screened through the Integrated Enterprise Portal. Therefore, it was unaware of the weaknesses related to detecting automated attacks or which tools it might need to address them. The IRS failed to clearly specify which parties, including specific IRS divisions and contractors, were responsible for detecting and preventing such automated attacks.
At the time of the Get Transcript breach, the IRS was not doing enough to monitor its audit log reports. In July 2014, for instance, one user tried to authenticate 902 times within a single 24-hour period, far exceeding the trigger that was supposed to signal unusual activity to the IRS. On top of that, the IRS lacked a routine way to correlate its audit log information across different repositories. Although the IRS was able to produce the required reports while it was being audited by TIGTA, the reports merely provided lists of transactions and did not include summary information that could be used to identify any trends. In addition, the eAuthentication audit logs failed to capture some useful transaction information. Plus, the IRS did not provide the staff members who were responsible for this work with the tools and training they needed to monitor and analyze large amounts of audit log data.
TIGTA recommended that the IRS’s chief information officer clarify the various IRS and contractor responsibilities for preventing automated attacks. The IRS should also monitor the results of the controls it is putting in place to prevent and detect automated attacks, TIGTA suggested. In addition, the IRS should ensure it implements a policy for monitoring audit trails and provides its security specialists with enough tools and training. The IRS also needs to improve its audit log analysis, compile periodic summary data of eAuthentication volume and any unusual activity trigger event transactions, and make sure its audit trails indicate which target application the user intended to access after authenticating, according to the report.
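The audit log gaps described above (a single user far exceeding the unusual activity trigger, reports that were only transaction lists, and trails that did not record the target application) come down to per-user counting over a time window plus a periodic summary. The following is an added illustration, not code from the IRS or the TIGTA report: the log format, the user and application names, and the trigger value of three attempts are all constructed assumptions, since the report does not give the real threshold. It uses a sliding 24-hour window rather than a calendar-day count, so a burst that straddles midnight is still caught.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of eAuthentication audit records (not real IRS data).
# Fields: timestamp, user id, outcome, target application the user was heading to.
SAMPLE_LOG = """\
2014-07-01T08:00:00 user-B OK IPPIN
2014-07-01T22:00:00 user-A FAIL GetTranscript
2014-07-01T23:30:00 user-A FAIL GetTranscript
2014-07-02T00:30:00 user-A FAIL GetTranscript
2014-07-02T12:00:00 user-B OK GetTranscript
2014-07-03T01:00:00 user-A OK GetTranscript
"""

# Assumed trigger value: the report says a trigger existed but not what it was.
ATTEMPT_TRIGGER = 3
WINDOW = timedelta(hours=24)

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, user, outcome, app = line.split()
        records.append((datetime.fromisoformat(ts), user, outcome, app))
    return sorted(records)  # process in time order

def unusual_activity_events(records, trigger=ATTEMPT_TRIGGER, window=WINDOW):
    """Yield (user, time, count, app) each time a user's attempts within any
    sliding 24-hour window climb to the trigger value."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    events = []
    for ts, user, outcome, app in records:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) == trigger:
            events.append((user, ts, len(q), app))
    return events

def summarize(records):
    """Per target application: (total attempts, failed attempts, distinct users).
    This is the trend-level view the raw transaction lists did not provide."""
    summary = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _, user, outcome, app in records:
        s = summary[app]
        s["attempts"] += 1
        if outcome != "OK":
            s["failures"] += 1
        s["users"].add(user)
    return {app: (s["attempts"], s["failures"], len(s["users"]))
            for app, s in summary.items()}
```

On the sample, user-A's three failures between 22:00 and 00:30 trigger one event even though no single calendar day holds all three, and the summary shows five Get Transcript attempts with three failures from two users.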
“The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers,” said TIGTA Inspector General J. Russell George in a statement. “In this environment, it is incumbent upon the IRS to take every possible step to ensure the security of taxpayer account information.”
The IRS agreed with TIGTA’s recommendations and said it has already completed four of the seven recommendations in the report. The IRS also plans to provide its security specialists with the proper training, produce monthly reports for unusual activity, and ensure that audit trails indicate the target application.
IRS CIO S. Gina Garza said the IRS has taken a number of steps to improve the eAuthentication program. “We have worked with the United States Digital Service to identify the most critical authentication requirements and implement appropriate methods of delivering secure account multifactor authentication,” Garza wrote in response to the report. “The IRS is also working with state tax authorities and the tax preparer industry to jointly develop additional steps to combat stolen identity refund fraud, as well as developing capabilities to quickly detect and prevent malicious activity and fraudulent transactions.”
The new initiative includes plans to deploy additional capabilities to analyze large volumes of data across the IRS and track end-to-end access and usage of online applications, according to Garza. On top of that, the IRS has put in place enhanced network controls to further the prevention and detection of automated attacks. Garza believes this improvement will reduce the risk of unauthorized access to tax records.