After Transcript Hack, IRS Still Evaluates Stronger Sign-On Measures

Months after fraudsters exploited a vulnerable Internal Revenue Service application, the agency is still evaluating new, stronger sign-on procedures, according to a new watchdog report.

Hackers gained access to tax account information, the IRS revealed last spring, in part because the agency didn’t require website visitors to undergo multiple layers of authentication.

IRS estimated that 615,000 unauthorized access attempt were made on the Get Transcript application, and about 334,000 were successful in obtaining a copy of tax transcripts. Thieves would have access to details such as taxpayer's marital status, income and age, among other details. (IRS deactivated that application in May.)

The internal IRS team responsible for beefing up authentication measures is still "evaluating potential improvements to existing authentication methods for the purpose of preventing identity theft," but isn't coming up with broader strategies across all IRS functions, according to the report from the Treasury Inspector General for Tax Administration.

IRS management had envisioned the team would address authentication needs across the entire agency, according to TIGTA. But the group “is not evaluating new trends and schemes used to commit tax-related identity theft” or anticipating the agency’s future authentication needs, auditors said.

While the authentication group has made progress, “it is not yet achieving its mission," the report concluded.

TIGTA is recommending IRS beef up the internal group to see that authentication procedures are consistent across the organization and that they meet government standards.

Watchdogs have repeatedly blasted IRS' information security practices. In March, the Government Accountability Office concluded that IRS' internal information security processes -- weak passwords and lack of security training for all contractors, among other issues -- could expose sensitive taxpayer information to employees and contractors.

TIGTA said the agency still hasn’t put in place true multifactor authentication.

While taxpayers may have to complete multiple steps to authenticate their identity, these steps do not meet the requirements for a multifactor authentication," the report stated.

For instance, when requesting access to Get Transcript, individuals must answer knowledge-based questions generated by a third-party credit reporting agency; they also must provide an e-mail address and receive a confirmation code from IRS.

But the email address doesn't need to match the one on the taxpayer's record, "nor is it a confirmation code that serves as a second authentication factor to prove an individual’s identity," TIGTA concluded.

Single-factor authentication "provides some assurance" that the person trying to access Get Transcript or other applications is who they claim to be, but "the information typically required to authenticate an identity can be obtained from other sources.,” the report said.

Standards from the National Institute for Standards and Technology require agencies confirm the address, name, and date of birth associated with a taxpayer's government identification number, or their financial or utility account number, matches that on the application for access. But IRS’s current system doesn't require that applications provide either a government identification or a financial or utility account number, according to the report.

The problem isn’t going anywhere. IRS research finds that “[t]axpayers continue to want electronic products and services that enable them to interact and communicate with the IRS."

According to the report, a 2014 IRS taxpayer attitude survey showed that 82 percent of taxpayers are likely to use a website to help them with tax compliance.

IRS agreed to implement all TIGTA’s recommendations.