Congress probes IRS online authentication efforts
The House Ways and Means Oversight Subcommittee held a hearing Wednesday on the Internal Revenue Service’s online taxpayer authentication efforts after a string of security breaches in recent years.
The IRS has needed to add extra authentication technology to several of its online applications after they suffered security breaches, including its Get Transcript, electronic filing PIN, Identity Protection PIN, and the data retrieval tool for federal student aid applications.
“Sadly, the IRS’s online tools and applications have also become an attractive target for criminals looking to steal taxpayer information and commit identity theft fraud,” said subcommittee chairman Lynn Jenkins, R-Kansas, in her opening statement. “The IRS uses a process known as ‘authentication’ to separate legitimate taxpayers who want to access the IRS’s online services from criminals looking to commit fraud. Unfortunately, given the large amount of personal information on taxpayers available in the public domain, criminals can easily impersonate legitimate taxpayers and pass through the IRS’s authentication process undetected.”
IRS chief information officer Gina Garza and chief privacy officer Edward T. Killen explained how the IRS has been improving its authentication technology. They pointed to the efforts of the Security Summit, in which the IRS partners with state tax authorities and the tax prep industry to combat tax-related identity theft. They said that from 2015 to 2017, the number of taxpayers reporting to the IRS that they were victims of identity theft dropped by 65 percent, and the number of tax returns with confirmed identity theft fell by 57 percent with more than $20 billion in taxpayer refunds being protected. However, cybercriminals are becoming more sophisticated and are targeting tax professionals.
“We realize we cannot let up in the fight against fraud and tax-related identity theft,” they said in their written statement. “As we have strengthened our defenses, identity thieves are continuously working to obtain more detailed financial information to help them do a better job of impersonating legitimate taxpayers and file more realistic-looking tax returns to claim fraudulent refunds. Cyberthieves are targeting tax professionals, human resources departments, businesses and other places with large amounts of sensitive financial information. Therefore, the IRS and its partners not only continue to improve our safeguards against fraudulent returns, but we also continue to encourage taxpayers, tax professionals and businesses to protect their data and avoid becoming victims of proliferating tax scams.”
“We have had some conversations with other countries, but the ID proofing part is the hard part of it," Garza added when testifying. "Everyone is solving for the authentication piece. But the ability to ensure that the person that you’re talking to, that the taxpayer, is who they say they are. That’s the part people seem to be having a hard time finding.”
Garza noted that identity authentication remains a major challenge for the IRS. “You have to already know that the person is who they say they are," she said. "That’s the part that has been very hard to solve…That’s what we’re trying to work through and that’s where we’re trying to explore for new solutions around the ID proofing component.”
James R. McTigue Jr., director of strategic issues at the Government Accountability Office, presented a report on how strengthening taxpayer authentication efforts could help protect the IRS against fraudsters. “IRS’s ability to continuously monitor its current authentication methods while also looking ahead to new identity verification technologies is critical to keeping ahead of fraudsters, who constantly adapt their schemes to thwart IRS’s defenses,” he said. “The agency must also strike a balance in designing its authentication programs. Authentication must be strong enough to prevent fraudsters from gaining access to IRS services using stolen personally identifiable information, without being overly burdensome on legitimate taxpayers who also must authenticate.”
Michael McKenny, deputy inspector general for audit at the Treasury Inspector General for Tax Administration, described the results of several of TIGTA’s audits of the IRS. “It is critical that the methods that the IRS uses to authenticate individuals’ identities provide a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them,” he said. “In February 2018, TIGTA reported that the IRS made progress in improving its electronic authentication controls. For example, the IRS deployed a more rigorous electronic authentication process that provides two-factor authentication via a security code sent to text-enabled mobile phones. However, these improvements only applied to five online applications."
He noted that the IRS also completed or updated electronic authentication risk assessments for 28 of its online applications to determine appropriate levels of authentication assurance, and enhanced its network monitoring and audit log analysis capabilities. TIGTA's audit also found that network monitoring tools that the IRS purchased to improve the prevention and detection of automated attacks were not fully implemented due to issues related to resources, incompatibility and higher priorities.
"Controls to prevent fraudulent users from improperly creating profiles were not fully implemented," said McKenny. "Further, the IRS is not fulfilling its requirements for monitoring audit logs for suspicious activity. This is due to inadequate processes for generating and reviewing audit log reports as well as failure to ensure that reports are useful for investigating and responding to suspicious activities. The risk of unauthorized access to tax accounts will continue to be significant as the IRS proceeds with expansion of the online tools it makes available to taxpayers.”