Ten months after a major hack into taxpayer information at the IRS, the Treasury Inspector General for Tax Administration says the IRS is still working on bolstering its Internet sign-in procedures.
Initially the IRS had said last May that more than 100,000 taxpayer records had been stolen. But then in August it tripled that estimate to 334,000. The IRS says hackers had made an estimated 615,000 attempts to break in, for a success rate of more than 50%.
The thieves broke in through the IRS’s Get Transcript application and stole copies of tax transcripts, loaded with personal details including Social Security numbers, incomes, home addresses, birth dates, marital statuses, as well as information about family members.
HyTrust president and co-founder Eric Chiu said: "These profiles can be used to open new accounts, siphon funds and ultimately steal the identities of the victims." In the first half of 2014, the Treasury Inspector General for Tax Administration (TIGTA) reported that 1.6 million taxpayers were affected by identity theft, compared to just 271,000 in 2010.
The IRS at the time didn’t require visitors at its Get Transcript website to click through multiple layers of authentication. Instead, unauthorized individuals stole tax data by successfully answering simple questions about identity, among other items.
The IRS moved to close the gaps in this application starting last spring, and is now trying to come up with more secure sign-on procedures for taxpayers so they can access their tax information, says the new watchdog report.
The watchdog’s findings come as more than eight out of ten taxpayers use websites to get information about their tax payments, the IRS says. However, the IRS’s web security problems extend beyond just individual taxpayers.
Last March, the Government Accountability Office (GAO) said IRS computer systems relied on easily hacked passwords, adding the IRS was not providing proper web security training, making taxpayer information vulnerable to its outside contractors.
The GAO also found a “significant deficiency” in the IRS’s financial reporting systems, relying on old software that lacked security steps and outdated passwords that could be easily hacked.
And the GAO said the IRS was not deleting former workers' IRS accounts, meaning ex-employees could still log on and access IRS data systems. Gregory Wilshusen, a co-author of the GAO report, said taxpayers should realize that IRS insiders could hack taxpayer data, too, just as bank insiders have been accused of doing.
It is a difficult chore for the IRS to provide customer service and ease of online use while still protecting taxpayer information. STEALTHbits Technologies executive Jeff Hill has said: "Once legitimate credentials are obtained, it's nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined."
The Treasury watchdog notes that, while the IRS is still "evaluating potential improvements to existing authentication methods for the purpose of preventing identity theft," it has yet to roll out a broader plan to beef up taxpayer web security across all of its operations.
“It is not yet achieving its mission," the inspector general’s report concluded.
The challenge is deploying strong multifactor authentication that doesn't rely on simple knowledge-based questions such as "what street did you grow up on" or "what is the name of your favorite pet." The inspector general said: "The information typically required to authenticate an identity can be obtained from other sources."
In addition, the IRS was using knowledge-based questions generated by a third-party credit reporting agency to fulfill requests for tax data via its Get Transcript app. Visitors were asked to give an e-mail address and wait for a confirmation code from the IRS. One weakness here: the IRS didn't require that e-mail address to match the e-mail it had on file for the taxpayer.
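The e-mail confirmation flaw described above, modelled as an added example (not IRS code or anything from the watchdog report): the weak flow sends the confirmation code to whatever address the visitor types in, so an impostor who already has the knowledge-based answers simply supplies their own inbox, while the hardened flow only ever sends the code to the address already on file and verifies it with a bounded, constant-time check. All taxpayer records, addresses and identifiers are constructed.

```python
import secrets

# Constructed record of what the agency already knows about the taxpayer.
ON_FILE = {"taxpayer-1": {"email": "alice@example.com"}}
PENDING = {}  # taxpayer_id -> [code, attempts_left]


def issue_code(outbox, taxpayer_id, deliver_to):
    """Generate a one-time code, remember it, and 'mail' it to deliver_to."""
    code = secrets.token_hex(3)
    PENDING[taxpayer_id] = [code, 3]  # at most three guesses per code
    outbox.append((deliver_to, code))


def weak_request_code(outbox, taxpayer_id, submitted_email):
    """Weak: the code goes wherever the visitor asks, with no check against the file."""
    issue_code(outbox, taxpayer_id, submitted_email)
    return True


def hardened_request_code(outbox, taxpayer_id, submitted_email):
    """Hardened: the code is only ever delivered to the address already on file.
    A real service should respond identically whether or not the address matched,
    so the form cannot be used to confirm which e-mail belongs to a taxpayer."""
    record = ON_FILE.get(taxpayer_id)
    if record is None or submitted_email.strip().lower() != record["email"].lower():
        return False  # nothing is mailed
    issue_code(outbox, taxpayer_id, record["email"])
    return True


def verify_code(taxpayer_id, submitted_code):
    """Constant-time comparison, limited attempts, and the code is consumed on success."""
    entry = PENDING.get(taxpayer_id)
    if entry is None or entry[1] <= 0:
        return False
    entry[1] -= 1
    ok = secrets.compare_digest(entry[0], submitted_code)
    if ok:
        del PENDING[taxpayer_id]
    return ok


def impostor_gets_in(request_fn, attacker_email="mallory@example.net"):
    """Simulate someone who passed the knowledge-based questions for taxpayer-1
    but controls only their own inbox. True if they can complete the login."""
    outbox = []
    request_fn(outbox, "taxpayer-1", attacker_email)
    codes = [code for addr, code in outbox if addr == attacker_email]
    return bool(codes) and verify_code("taxpayer-1", codes[0])
```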
The IRS has indicated it will put in place the watchdog’s recommendations.