IRS still has work to do on authenticating taxpayers to use apps
The Internal Revenue Service is making progress on improving the taxpayer authentication processes for its online applications after a series of data breaches led to the theft of personal information from hundreds of thousands of taxpayers, but more needs to be done, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, acknowledged the IRS has set up the Electronic Authentication Risk Assessment Compliance Initiative, an ongoing effort to help secure the IRS’s public-facing applications. In addition, the IRS is continuing to take steps to mitigate some of the risks related to using text messaging as part of the authentication process.
In May 2015, the IRS discovered that criminals had attacked its Get Transcript app, using taxpayers’ personal identification information they got from sources outside the IRS to impersonate legitimate taxpayers and gain unauthorized access to tax information in the Get Transcript application. TIGTA estimated 724,000 potential unauthorized accesses to taxpayer accounts through the Get Transcript app, resulting in 252,400 potentially fraudulent tax returns being filed. In another incident IN 2016 involving the Identity Protection Personal Identification Number, or IP PIN, app, TIGTA found that, of the 100,463 tax returns filed with an IP PIN for tax year 2015, 23,991 (24 percent) of the tax returns with refunds claimed totaling $26 million were potentially fraudulent.
In response to these and other cybersecurity incidents, the IRS has been adding more authentication to its online apps for taxpayers and tax professionals. After analyzing its 52 public‑facing applications, as of April 2018 it has secured 14 high-risk and eight moderate-risk applications at their assessed (or at a higher) electronic authentication levels of assurance based on older electronic authentication guidelines from the National Institute of Standards and Technology, or NIST. However, TIGTA found that 26 of the applications (or 50 percent) were not at the assessed electronic authentication level of assurance and weren’t in compliance with the old federal standards. The other four applications were either offline or have been retired.
The IRS acknowledged it is accepting the risks associated with half of its public-facing applications not meeting the necessary level of assurance. TIGTA found the IRS’s rationale for maintaining them at the current level was reasonable based on the IRS’s transaction analysis and compensating controls to mitigate risks.
TIGTA also found the IRS isn’t yet in compliance with new NIST guidelines for public-facing applications that were issued in June 2017. The Office of Management and Budget requires compliance with these guidelines within one year of publication. The IRS has initiated efforts to develop its own Digital Identity Risk Assessment process to meet the new guidelines and started piloting some new processes with one of its high‑risk public-facing applications.
The report found the IRS has taken steps to mitigate some of the risks related to using the Short Messaging Service, or text messaging, as part of the authentication process. “Evolving threat vectors have rendered the use of the Short Messaging Service as a less secure means to authenticate individuals,” the report noted. “Smartphones, which are typically used to receive verifying texts during the authentication process, are prone to theft and undetected redirection of text messages. In December 2017, the IRS launched an authentication module within its IRS2Go mobile application. The IRS2Go mobile application provides an alternative means for users to authenticate rather than using Short Messaging Service. Next to providing users a security token, use of an authentication application provides the best available means of authentication.”
TIGTA recommended the IRS make sure its public-facing legacy applications are complying with the NIST digital identity guidelines and that its implementation plan includes specific timelines for accomplishing full compliance for legacy applications.
The IRS partially agreed with TIGTA’s recommendation and intends to make sure its public-facing legacy applications aligned with the NIST guidelines through its Digital Identity Risk Assessment process.
“Over the last several years, we have focused on strengthening our online identity proofing and authentication processes, and we have made significant progress,” wrote IRS chief information officer S. Gina Garza in response to the report. “We are encouraged the report recognizes that the IRS’s rationale for maintaining the current identity proofing and authentication methods is reasonable based on this independent review. Our goal is to ensure we use adequate security controls, and where necessary, implement strong mitigations and compensating controls to strengthen the overall security of online services.”
TIGTA said it concurs in part with the IRS’s approach to addressing its recommendation but it’s still concerned the IRS didn’t include an implementation plan. On top of that, TIGTA said it’s concerned that the completion date proposed by the IRS will leave it noncompliant with the NIST guidelines until February 2023.