BreachExchange mailing list archives

After Transcript Hack, IRS Still Evaluating Stronger Sign-On Measures


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Dec 2015 19:10:03 -0700

http://www.nextgov.com/cybersecurity/2015/12/after-transcript-hack-irs-still-evaluating-new-stronger-sign-measures/124730/

Months after fraudsters exploited a vulnerable Internal Revenue Service
application, the agency is still evaluating new, stronger sign-on
procedures, according to a new watchdog report.

Hackers gained access to tax account information, the IRS revealed last
spring, in part because the agency didn’t require website visitors to
undergo multiple layers of authentication.

IRS estimated that 615,000 unauthorized access attempts were made on the Get
Transcript application, and about 334,000 were successful in obtaining a
copy of tax transcripts. Thieves would have access to details such as
taxpayers' marital status, income and age, among other details. (IRS
deactivated that application in May.)

The internal IRS team responsible for beefing up authentication measures is
still "evaluating potential improvements to existing authentication methods
for the purpose of preventing identity theft," but isn't coming up with
broader strategies across all IRS functions, according to the report from
the Treasury Inspector General for Tax Administration.

IRS management had envisioned the team would address authentication needs
across the entire agency, according to TIGTA. But the group “is not
evaluating new trends and schemes used to commit tax-related identity
theft” or anticipating the agency’s future authentication needs, auditors
said.

While the authentication group has made progress, “it is not yet achieving
its mission," the report concluded.

TIGTA is recommending IRS beef up the internal group to see that
authentication procedures are consistent across the organization and that
they meet government standards.

Watchdogs have repeatedly blasted IRS' information security practices. In
March, the Government Accountability Office concluded that IRS' internal
information security processes -- weak passwords and lack of security
training for all contractors, among other issues -- could expose sensitive
taxpayer information to employees and contractors.

TIGTA said the agency still hasn’t put in place true multifactor
authentication.

"While taxpayers may have to complete multiple steps to authenticate their
identity, these steps do not meet the requirements for a multifactor
authentication," the report stated.

For instance, when requesting access to Get Transcript, individuals must
answer knowledge-based questions generated by a third-party credit
reporting agency; they also must provide an e-mail address and receive a
confirmation code from IRS.

But the email address doesn't need to match the one on the taxpayer's
record, "nor is it a confirmation code that serves as a second
authentication factor to prove an individual’s identity," TIGTA concluded.

Single-factor authentication "provides some assurance" that the person
trying to access Get Transcript or other applications is who they claim to
be, but "the information typically required to authenticate an identity can
be obtained from other sources,” the report said.

Standards from the National Institute of Standards and Technology require
that agencies confirm that the address, name, and date of birth associated
with a taxpayer's government identification number, or their financial or
utility account number, matches that on the application for access. But
IRS’s current system doesn't require that applicants provide either a
government identification or a financial or utility account number,
according to the report.

The problem isn’t going anywhere. IRS research finds that “[t]axpayers
continue to want electronic products and services that enable them to
interact and communicate with the IRS."

According to the report, a 2014 IRS taxpayer attitude survey showed that 82
percent of taxpayers are likely to use a website to help them with tax
compliance.

IRS agreed to implement all TIGTA’s recommendations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
