The IRS needs to step up security over its eAuthentication process to avoid breaches, such as the attack on the agency’s “Get Transcript” app last year when cyber criminals gained access to more than 700,000 taxpayer accounts, according to a new report from the Treasury Inspector General for Tax Administration (TIGTA).

Otherwise, the IRS’s already widely known problems with identity theft will only increase and, in turn, delay processing of tax returns.

This isn’t the first time that TIGTA has found oversight or software problems with IRS electronic systems that lead to security breaches. The gist of all of them is that the agency is striving to get much of its service online and accessible electronically, but it lacks adequate staff and adequately trained staff to monitor everything. And the agency’s budget has been slashed – something IRS officials often mention in answering TIGTA’s findings.

TIGTA’s audit was triggered by a May 2015 discovery that cyberthieves had used personal information stolen from third parties to gain access to the Get Transcript tool through the eAuthentication process.

Poor communication between the IRS and its contractor led to the agency’s lack of complete knowledge of what information was being screened at the “Integrated Enterprise Portal.” That means the IRS was in the dark about weaknesses in detecting automated attacks or the tools needed to handle them, the report states. Further, the IRS didn’t specify which people, including its divisions and contractors, were supposed to detect and prevent automated attacks.

When the Get Transcript breach happened last year, audit log reports weren’t adequately monitored, the report states. About a year before the discovered attack, a user tried to gain access through eAuthentication 902 times in one day, and that was far more than the “unusual activity” trigger.

The IRS lacked “a routine way” to correlate audit log information across different repositories, the report states. During TIGTA’s audit, the IRS provided required reports, but they only listed transactions instead of summaries that could identify trends. Auditors also found that some useful transaction information wasn’t captured in eAuthentication logs.

The IRS also didn’t give responsible staffers the tools and training they needed to monitor and analyze large quantities of audit log information, the report states.

TIGTA wants the IRS chief information officer (CIO) to:

  • Clarify the responsibilities of the agency and its contractors to prevent cyberattacks
  • Monitor the controls in place to detect and prevent attacks
  • Ensure that managers implement IRS policies to monitor audit trails
  • Provide security specialists with proper tools and training
  • Enhance audit log analysis
  • Provide periodic summaries of eAuthentication volume and unusual-activity trigger events
  • Ensure that audit trails indicate which application the crooks wanted to access after using eAuthentication

In a response to TIGTA’s report, IRS CIO S. Gina Garza said that many of the recommendations are completed or in the process of completion. Also, security specialists now have tools to monitor audit plans. Additional training has begun and will be completed by March 31, 2017, she wrote.

Garza also noted that the agency’s cybersecurity staffers will provide monthly reports that include unusual-activity transaction triggers. That is expected to be in place by Dec. 15, 2017.

In determining which app was the crooks’ target after using eAuthentication, Garza said software will determine identity proofing, security codes, and target app information. This process is expected to be in place by Feb. 15, 2017. 

Last June, the IRS said it had adopted dual-factor authentication for Get Transcript, after the agency relaunched the online tool a year after the breach. Once users register and each time they come back to Get Transcript, they’ll have to enter their username and password, plus a security code that will be sent as a text message to their cellphone. Usernames and passwords alone are no longer enough to enter the system.
