Months after fraudsters exploited a vulnerable Internal Revenue Service application, the agency is still evaluating new, stronger sign-on procedures, according to a new watchdog report.
Hackers gained access to tax account information, the IRS revealed last spring, in part because the agency didn’t require website visitors to undergo multiple layers of authentication.
IRS estimated that 615,000 unauthorized access attempt were made on the Get Transcript application, and about 334,000 were successful in obtaining a copy of tax transcripts. Thieves would have access to details such as taxpayer’s marital status, income and age, among other details. (IRS deactivated that application in May.)
The internal IRS team responsible for beefing up authentication measures is still “evaluating potential improvements to existing authentication methods for the purpose of preventing identity theft,” but isn’t coming up with broader strategies across all IRS functions, according to the report from the Treasury Inspector General for Tax Administration.
IRS management had envisioned the team would address authentication needs across the entire agency, according to TIGTA. But the group “is not evaluating new trends and schemes used to commit tax-related identity theft” or anticipating the agency’s future authentication needs, auditors said.
While the authentication group has made progress, “it is not yet achieving its mission,” the report concluded.
TIGTA is recommending IRS beef up the internal group to see that authentication procedures are consistent across the organization and that they meet government standards.