IRS falls short on authenticating online users to prevent data breaches
The Internal Revenue Service is making progress on improving its authentication processes after a string of data breaches on some of its e-Services and online apps, but some of the improvements haven’t been completely implemented, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, examined how well the IRS has been fixing its electronic authentication controls in response to the high-profile security breaches. In May 2015, the IRS found that cybercriminals had used information from outside sources to gain unauthorized access to the tax information in the Get Transcript application and used it to file 252,400 tax returns. In January 2016, it discovered data breaches in both the Identity Protection PIN app and the Electronic Filing PIN app. It later found problems with the data retrieval tool used to file applications for student loans. The IRS needed to temporarily remove access to the various apps until it could put in place better ways to authenticate the users.
TIGTA found the IRS has made progress in improving its electronic authentication controls. It deployed a more rigorous electronic authentication process that provides two-factor authentication via a security code sent to text-enabled mobile phones. It completed or updated electronic authentication risk assessments for 28 of its online applications to determine appropriate levels of authentication assurance, and enhanced its network monitoring and audit log analysis capabilities.
However, TIGTA auditors also found the network monitoring tools that the IRS bought to improve the prevention and detection of automated attacks weren’t fully implemented because of issues related to resources, incompatibility and higher priorities. On top of that, the controls that are supposed to prevent a fraudulent user from improperly creating profiles weren’t fully implemented. Further, the IRS isn’t fulfilling requirements for monitoring audit logs for suspicious activity due to inadequate processes for generating and reviewing audit log reports, nor is it ensuring that reports are useful for investigating and responding to suspicious activities.
TIGTA made four recommendations in the report. It recommended that the IRS’s chief information officer prepare a plan of action and milestones to ensure that the remaining issues preventing full implementation of the two network monitoring tools are addressed; establish a process to adequately test and subsequently monitor enhancements made to application controls until it can be confirmed that the controls are effective; ensure that electronic authentication audit logs capture adequate data to allow for tracking and analysis of user activity; and ensure that IRS policy is met with regard to audit log report generation and review, and that reports are useful for investigating and responding to suspicious activities.
The IRS agreed with TIGTA’s recommendations, including coming up with a plan to ensure the remaining issues preventing full implementation of network monitoring tools are addressed and continuing to implement the capability to generate reports from the audit logs. That should allow on-demand audit review, analysis, and after-the-fact investigations.
“The IRS is committed to continuously improving the identification proofing process and capabilities and maintaining required levels of assistance as directed by National Institute of Standards and Technology and the Office of Management and Budget,” wrote IRS CIO Gina Garza in response to the report. “This is critical to help maintain the integrity, confidentiality and availability of taxpayer data.”