Treasury Inspector General for Tax Administration
October 19, 2016
TIGTA - 2016-25
Contact: Karen Kraushaar, Director of Communications
WASHINGTON — Additional improvements are needed to strengthen the Internal Revenue Service’s (IRS) Electronic Authentication Process controls, which allowed fraudsters to gain access to an estimated 724,000 taxpayer accounts in May of 2015 through the Get Transcript application, according to an audit report released today by the Treasury Inspector General for Tax Administration (TIGTA).
The IRS estimated that unauthorized accesses may have occurred on an estimated 724,000 taxpayer accounts as a result of fraudulent activity on its online Get Transcript application. The consequences of unauthorized accesses include expanding the taxpayers’ preexisting identity theft issues and potential delays in tax return processing while identity theft issues are resolved. In May 2015, the IRS discovered that fraudsters, using personal information stolen from third parties, had been able to perpetrate an attack on the online Get Transcript application by successfully authenticating via the eAuthentication process.
The overall objective of TIGTA’s audit was to evaluate the appropriateness of the IRS’s response to the Get Transcript incident and the effectiveness of the proposed solution to address the authentication weakness which allowed the incident to occur.
TIGTA found that the IRS has taken a number of steps to improve systems and provide for more secure authentication, including strengthening application and network controls. However, additional actions could further improve security over the eAuthentication process. Due to poor communication between the IRS and its contractor, the IRS did not have complete knowledge of what was being screened at the Integrated Enterprise Portal, and thus it was unaware of the weaknesses related to detecting automated attacks or which tools it might need to address them. The IRS did not clearly specify which parties, including IRS divisions and contractors, were responsible to detect and prevent such automated attacks.
At the time of the Get Transcript incident, audit log reports were not being adequately monitored. For example, in July 2014, one user attempted to authenticate 902 times within one 24-hour period, which far exceeded the unusual activity trigger. Additionally, the IRS did not have a routine way to correlate audit log information across different repositories. During the audit period, the IRS was able to produce the required reports, but they were just lists of transactions and did not contain summary information that could be used to identify trends. Additionally, some useful transaction information was not captured in eAuthentication audit logs. The IRS also did not provide responsible staff with the tools and training needed to monitor and analyze large amounts of audit log data.
“The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers,” said J. Russell George, Inspector General. “In this environment, it is incumbent upon the IRS to take every possible step to ensure the security of taxpayer account information.”
TIGTA recommended that the Chief Information Officer: 1) clarify IRS and contractor responsibilities related to preventing automated attacks; 2) monitor results of controls being put in place to prevent/detect automated attacks; 3) ensure that management implements IRS policy to monitor audit trails; 4) provide security specialists with adequate tools and training; 5) implement enhancements to audit log analysis; 6) compile periodic summary data of eAuthentication volume and unusual activity trigger event transactions; and 7) ensure that audit trails indicate which target application the user intended to access after authenticating.
The IRS agreed with TIGTA’s recommendations. The IRS stated that it has completed four of the seven recommendations. In addition, the IRS plans to provide security specialists with training, produce monthly reports for unusual activity, and ensure that audit trails indicate the target application.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.