Tax watchdog dings IRS on security controls

Poor security controls for an online tax transcript service at the IRS may be fueling refund fraud, an inspector general audit found.

A review of transcript logs identified 138 users who requested nearly 30,000 tax transcripts despite not properly authenticating their identity and after their privileges were supposed to have been revoked. The IRS told auditors they do not know how many of those transcripts were accessed, but the Treasury Inspector General for Tax Administration's office notes that the audit was initiated after inspectors were "notified of a potential refund fraud scheme affecting corporations and involving tax transcript information."

"Our review of the processes that e-Services TDS users or taxpayers can complete to request and obtain tax transcripts identified that, other than requests made in person at a Taxpayer Assistance Center, the IRS cannot confirm with certainty that a taxpayer actually authorized the release of their tax information," wrote auditors.

The oversight is particularly worrisome because the IRS has known for years about poor security controls for its e-services, most notably the 2015 Get Transcript data breach. Despite this, the audit notes that IRS officials only moved to improve security controls for the Tax Delivery System when they learned of another potential breach that same year.

The Transcript Delivery System is part of a suite of e-services the IRS provides, allowing third parties to view and obtain tax information about businesses or individuals. According to the audit, the agency fulfilled 168 million such requests between 2014 and 2016. However, before using such services, a requester is supposed to authenticate their identity to the IRS, providing information such as their Social Security number, legal name, date of birth, income and home mailing address.

Auditors found that agency managers weren't following federal information security standards, such as multi-factor authentication, set out by the Office of Management and Budget and the National Institute for Standards and Technology.

Auditors made nine recommendations to the agency, some of which are significantly redacted. The recommendations include fully instituting multifactor authentication, discontinuing tax transcript services where the IRS "cannot confirm whether legitimate taxpayers authorized the release" of their transcripts and curtailing third party data-scraping tools that allow fraudsters to request an unlimited number of transcripts.

The IRS agreed with four of the recommendations, took actions that resolved another two and disagreed with the final three. Regarding multifactor authentication, Kevin Corbin, commissioner of the IRS' wage and investment division, noted in a letter that the agency successfully implemented this process across all of its e-services in December 2017.

A day after the audit was released, the IRS sent out a notice seeking applicants for nomination to the Electronic Tax Administration Advisory Committee, seeking candidates who have experience with "cybersecurity and information security, tax software development, tax preparation, payroll and tax financial product processing, systems management and improvement" and other areas.