IRS’s internal taxpayer authentication IT remains problematic, report says
In January 2017, just months before the April 6 hearing on the Internal Revenue Service (IRS) by the House Committee on Small Business, at which lawmakers chastised the IRS about the vulnerability of sensitive taxpayer data, the Government Accountability Office (GAO) had already launched an audit of the agency’s security. The audit concluded this June.
GAO stated that, “While IRS has taken preliminary steps to implement National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication, it does not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget [OMB]. As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. Further, IRS lacks a comprehensive process to evaluate potential new authentication technologies. Industry representatives, financial institutions, and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.”
“IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts,” but “it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices,” GAO reported to lawmakers. And, “Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits. Further, while IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person, and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes. As a result, IRS may not identify current or emerging threats to the tax system.”
GAO added that, “Industry representatives told us that identity proofing and authentication are becoming more difficult with the wide availability of PII [Personally Identifiable Information, including biometrics]. Further, according to NIST, it is challenging for organizations to authenticate users remotely via a web application because the processes and technologies to establish and use digital identities offer multiple opportunities for impersonation or other attacks. These interactions may become even more difficult and risky for organizations like IRS, who may interact with a taxpayer only once a year.”
During the hearing last year, J. Russell George, Treasury Inspector General for Tax Administration, acknowledged that “improvements are still needed” in “detecting and resolving identity-theft issues …”
He also told the panel that, “The IRS recognizes that new identity-theft patterns are constantly evolving and that, as a result, it needs to continuously adapt its detection and prevention processes. These evolving identity-theft patterns affect not only individuals, but also businesses.”
“Criminals are becoming even more sophisticated and ruthless in ways they commit tax identity theft and file fraudulent returns with ill-gotten personal information,” said Rep. Steve Chabot (R-Ohio), chair of the House Small Business Committee. “At a minimum, the goal of the IRS must be to make this crime harder, not easier, for identity thieves to commit,” emphasizing, “It has become clear that the IRS, like all agencies trusted with the American people’s most sensitive personal information, needs to step up its game.”
GAO has issued at least six IRS IT security audit reports since July 2017.
In 2015, a breach of IRS databases resulted in an estimated 700,000 taxpayers’ PII being compromised. According to GAO’s latest audit report, “IRS reported that, between January and March 2017, fraudsters were able to use PII to access information from 100,000 taxpayer accounts through IRS’s Data Retrieval Tool. According to the Treasury Inspector General for Tax Administration, identity thieves may [also] have used PII obtained outside the tax system to start the Free Application for Federal Student Aid application process and access tax information through the Data Retrieval Tool. Further, we have previously reported that fraudsters can use PII obtained in a data breach to more easily create fraudulent returns that resemble authentic tax returns, making it more difficult for IRS to detect potential fraud.”
GAO emphasized that, “Even as IRS has adapted its IDT defenses, fraudsters have developed more complex and sophisticated methods to bypass those defenses and commit fraud undetected. IDT refund fraud affects IRS, state revenue offices, tax preparers, tax software companies, and financial institutions. According to industry representatives, as these entities improve security in one area prone to fraud, fraudsters’ methods evolve to target a weaker area.”
“The risk of fraud has increased as more personally identifiable information has become readily available as a result of, for example, large-scale cyberattacks on entities including IRS, the Office of Personnel Management (OPM), and, recently, Equifax,” GAO noted in its new audit report.
All of these breaches resulted in hundreds of thousands of citizens’ and federal officials’ PII, including a variety of biometric identifiers, being compromised.
In its latest IRS security audit report, GAO made 11 recommendations to IRS, including that it estimate resources for and prioritize its authentication initiatives, address internal control issues to better monitor authentication, develop a plan to fully implement the new NIST guidance, and develop a process to evaluate potential authentication technologies.
IRS agreed with GAO’s recommendations.
In 2015, the IRS established the Identity Assurance Office (IAO) to increase insight into authentication and fraud detection needs agency-wide, including authentication services delivered via four channels: telephone, online, in-person, and correspondence (i.e., postal mail—hereafter referred to as mail—or fax).
“Among other responsibilities, IAO works with stakeholders across IRS to review the agency’s various authentication programs, including assessing risks of current and planned authentication efforts across the four channels and identifying ways to mitigate these risks,” GAO said, noting that, “In December 2016, IAO released its IRS Identity Assurance Strategy and Roadmap for developing a modern and secure authentication environment for all taxpayers, regardless of how they interact with IRS.”
GAO pointed out that NIST is responsible for developing and maintaining “standards, guidelines, recommendations, and research on the security and privacy of information and information systems,” and that, “In June 2017, NIST released guidance on digital authentication to help agencies improve the security of their identity-proofing and authentication programs.”
In this new guidance, NIST broke down the digital identity environment into three separate components of assurance:
• Identity proofing: establishing that the person is actually who they claim to be;
• Authentication: establishing that the person attempting to access a service is in control of one or more valid authenticators associated with that person’s identity; and
• Federation: the concept that one set of user credentials can be used to access multiple systems.
NIST’s “guidance directs agencies to assess the risk for each component of identity assurance, rather than conducting a single risk assessment for the entire process,” GAO stated, saying, “According to NIST officials, this new approach provides flexibility in choosing identity proofing and authentication solutions; aligns with existing, standards-based market offerings; is modular and cost-effective; and enhances individual privacy.”
“In addition to NIST’s new requirements for authentication,” GAO reported, “recent technology advances and private-sector innovation are providing new options for identity proofing and authenticating users, including in cases where, for example, IRS interacts with taxpayers once a year. Some examples of these technologies include physical biometrics, such as facial recognition, as well as behavioral biometrics, such as voice patterns, computer keystroke or mouse use patterns, swipe patterns, and gait analysis.”
For high-risk interactions, such as access to systems that include PII or financial information, NIST said multi-factor authentication requires at least two of the following: “something you know” (e.g., a user name and password); “something you have” (e.g., a mobile phone or cryptographic key); or “something you are” (e.g., a fingerprint or other biometric data).
And, “For high-risk interactions, such as access to prior year tax information, authentication can help IRS avoid improperly disclosing PII or issuing a fraudulent refund,” GAO determined, pointing out that, “Authentication is particularly important for combating IDT refund fraud, which occurs when a fraudster obtains an individual’s SSN, date of birth, or other PII and uses it to file a fraudulent tax return seeking a refund.”
“These controls include taxpayer authentication—in general, the process by which IRS verifies people’s identities before allowing them access to sensitive data (such as tax return information from a prior year) or, in the case of a suspicious tax return, a refund,” GAO said. “IRS also uses authentication to verify a person’s identity before allowing access to a resource, such as an information technology (IT) system.”
However, GAO noted, “Designing authentication programs involves a balancing act” for the IRS, which “needs to prevent fraudsters from passing authentication using stolen taxpayer information,” but must also “balance that against the burden on legitimate taxpayers who must also authenticate. If IRS makes the authentication process too stringent, legitimate taxpayers may not be able to successfully authenticate to, for example, access their prior year tax information or have IRS release a frozen refund. Conversely, if the process is too easy, fraudsters will likely be able to authenticate as easily as legitimate taxpayers.”
GAO also referred to the deployment of possession-based authentication, which provides users with a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.
GAO said the “Universal Authentication Framework (UAF) solutions use biometrics, such as an embedded fingerprint, facial recognition, or voice recognition sensor on a computer or smart phone, eliminating the need for a password. Similarly, authentication with a Universal Second Factor (U2F) uses a trusted device or ‘security key’ for authentication in addition to a username and password. According to a representative from the FIDO Alliance, UAF standards and U2F devices comply with NIST’s new guidance for digital authentication.” But, while the IRS isn’t “likely to provide the devices to taxpayers,” GAO said the IRS “could enable its systems to accept these types of standards-based authentication technology for taxpayers who elect to use UAF or U2F devices. For example, taxpayers could use a UAF or U2F device when logging into their IRS online account for additional protection.”
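To make concrete what a U2F-style “security key” adds on top of a username and password, the following is an added illustration, not code from the GAO report, the IRS, or the FIDO Alliance. It models the core of the U2F authentication exchange with Go’s standard library: the relying party issues a random challenge, the device signs the hash of the origin (app ID), a usage counter and the challenge with a private key that never leaves it, and the server verifies with the public key it stored at enrolment. The origins, the simplified message layout (no key handle, client data or attestation) and all names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models a U2F-style security key: a per-registration P-256 key pair
// and a usage counter. The private key never leaves the device.
type Device struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Registration is what the relying party stores after enrolment: the origin
// (app ID) the key was registered for, the public key, and the last counter seen.
type Registration struct {
	AppID       string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Assertion is the device's answer to one authentication challenge.
type Assertion struct {
	Counter uint32
	Sig     []byte // ASN.1 DER-encoded ECDSA signature
}

// Register enrols a fresh key pair for appID. (Simplified: real U2F also
// returns a key handle binding the key to the origin.)
func Register(appID string) (*Device, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Registration{AppID: appID, Pub: &priv.PublicKey}, nil
}

// NewChallenge returns 32 random bytes; a fresh one is issued for every login.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// signedDigest follows the U2F authentication layout:
// SHA-256(app ID) || counter || SHA-256(challenge), then hashed for ECDSA.
// Folding the origin into the signed data is what makes the scheme phishing resistant.
func signedDigest(appID string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	chalHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(appHash[:], ctr[:]...), chalHash[:]...)
	digest := sha256.Sum256(msg)
	return digest[:]
}

// Sign is the device side. presentedAppID is the origin the browser reports, so
// a challenge relayed through a look-alike site is signed for the wrong origin.
func (d *Device) Sign(presentedAppID string, challenge []byte) (Assertion, error) {
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, signedDigest(presentedAppID, d.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: d.counter, Sig: sig}, nil
}

// Verify is the relying-party side: check the signature against the registered
// key and origin, then require the counter to advance, which rejects a replayed
// assertion and flags a cloned device.
func Verify(reg *Registration, challenge []byte, a Assertion) error {
	if !ecdsa.VerifyASN1(reg.Pub, signedDigest(reg.AppID, a.Counter, challenge), a.Sig) {
		return errors.New("signature invalid: unregistered key or wrong origin")
	}
	if a.Counter <= reg.LastCounter {
		return errors.New("counter did not advance: replay or cloned device")
	}
	reg.LastCounter = a.Counter
	return nil
}

func main() {
	const origin = "https://tax-portal.example" // constructed origin for the example
	dev, reg, err := Register(origin)
	if err != nil {
		panic(err)
	}
	ch := NewChallenge()
	a, _ := dev.Sign(origin, ch)
	fmt.Println("genuine login:", Verify(reg, ch, a))
	fmt.Println("replayed assertion:", Verify(reg, ch, a))
	ch2 := NewChallenge()
	b, _ := dev.Sign("https://tax-portal-login.example", ch2) // look-alike origin
	fmt.Println("relayed through look-alike site:", Verify(reg, ch2, b))
}
```

The three calls in `main` show the properties GAO’s description hinges on: a genuine login verifies, replaying the same assertion fails on the counter check, and an assertion obtained on a different origin fails signature verification because the origin is part of what was signed. A password alone has none of these properties, which is why GAO treats this as an added layer rather than a replacement for the username and password.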
While partisan critics of IRS budget cuts have complained they’ve impaired the IRS’s capacity to protect taxpayer data, Chabot said during the hearing last year: “To be clear, this is not an issue of funding at the IRS. It is an issue of priorities at the IRS. If the IRS can pay out big bonuses to its employees — some of whom were implicated in the targeting of Americans for their political views — it should be able to find the money to protect people’s data from identity thieves.”