TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Improvements Are Needed to Strengthen Electronic Authentication Process Controls

September 7, 2016 Reference Number: 2016-20-082

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

HIGHLIGHTS

Final Report issued on September 7, 2016

Highlights of Reference Number: 2016-20-082 to the Internal Revenue Service Chief Information Officer.

IMPACT ON TAXPAYERS

The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers. The IRS estimated that unauthorized accesses may have occurred on 724,000 taxpayer accounts as a result of fraudulent activity on its online Get Transcript application. The consequences of unauthorized access include compounding taxpayers' preexisting identity theft problems and potential delays in tax return processing while those identity theft issues are resolved.

WHY TIGTA DID THE AUDIT

In May 2015, the IRS discovered that fraudsters, using personal information stolen from third parties, had been able to perpetrate an attack on the online Get Transcript application by successfully authenticating via the eAuthentication process. The overall objective of this review was to evaluate the appropriateness of the IRS's response to the Get Transcript incident and the effectiveness of the proposed solution to address the authentication weakness which allowed the incident to occur.

WHAT TIGTA FOUND

The IRS has undertaken a number of steps to improve systems and provide for more secure authentication, including strengthening application and network controls. However, additional actions could further improve security over the eAuthentication process.

Due to poor communication between the IRS and its contractor, the IRS did not have complete knowledge of what was being screened at the Integrated Enterprise Portal, and thus it was unaware of the weaknesses related to detecting automated attacks or which tools it might need to address them. The IRS did not clearly specify which parties, including IRS divisions and contractors, were responsible to detect and prevent such automated attacks.

At the time of the Get Transcript incident, audit log reports were not being adequately monitored. For example, in July 2014, one user attempted to authenticate 902 times within one 24-hour period, which far exceeded the unusual activity trigger. Additionally, the IRS did not have a routine way to correlate audit log information across different repositories. During the audit period, the IRS was able to produce the required reports, but they were just lists of transactions and did not contain summary information that could be used to identify trends. Additionally, some useful transaction information was not captured in eAuthentication audit logs. The IRS also did not provide responsible staff with the tools and training needed to monitor and analyze large amounts of audit log data.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer:

1) clarify IRS and contractor responsibilities related to preventing automated attacks;
2) monitor results of controls being put in place to prevent/detect automated attacks;
3) ensure that management implements IRS policy to monitor audit trails;
4) provide security specialists with adequate tools and training;
5) implement enhancements to audit log analysis;
6) compile periodic summary data of eAuthentication volume and unusual activity trigger event transactions; and
7) ensure that audit trails indicate which target application the user intended to access after authenticating.
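As an added illustration of the monitoring the findings and recommendations 3, 5 and 6 describe (this is example code, not the report's or the IRS's own tooling): a rolling 24-hour count of authentication attempts per user checked against an unusual-activity trigger, plus a per-application volume summary, run over constructed eAuthentication-style log lines. The log line format, the trigger value, and the user and application identifiers are all assumptions; the report does not state the IRS's actual threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed trigger: the report does not state the IRS's real unusual activity
# threshold, so this value is a placeholder for the example.
ASSUMED_TRIGGER = 100

# Constructed eAuthentication-style log lines (the format is assumed):
# "<ISO timestamp> user=<id> app=<target application> result=<ok|fail>".
SAMPLE_LOG = [
    "2014-07-10T08:00:00 user=U100 app=GetTranscript result=ok",
    "2014-07-10T09:15:00 user=U200 app=OnlinePaymentAgreement result=fail",
    "2014-07-10T09:16:00 user=U200 app=OnlinePaymentAgreement result=ok",
] + [
    # one account attempting to authenticate every two minutes for a day (720 tries)
    f"2014-07-11T{h:02d}:{m:02d}:00 user=U999 app=GetTranscript result=fail"
    for h in range(24) for m in range(0, 60, 2)
]


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def unusual_activity(lines, threshold=ASSUMED_TRIGGER, window=timedelta(hours=24)):
    """Return {user: peak attempts in any rolling window} for users whose attempt
    count inside one window of the given length exceeds the threshold."""
    recs = sorted(map(parse_line, lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # per-user timestamps inside the current window
    peak = defaultdict(int)
    for r in recs:
        q = recent[r["user"]]
        q.append(r["ts"])
        while r["ts"] - q[0] >= window:  # drop attempts that fell out of the window
            q.popleft()
        peak[r["user"]] = max(peak[r["user"]], len(q))
    return {u: n for u, n in peak.items() if n > threshold}


def volume_by_app(lines):
    """Per-target-application counts of successful and failed authentications,
    the kind of summary a plain transaction list does not give."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for r in map(parse_line, lines):
        counts[r["app"]][r["result"]] += 1
    return dict(counts)
```

Run against real eAuthentication exports, the per-user peak would have surfaced the 902-attempt account the report cites, and the per-application summary is only possible once audit trails record the target application (recommendation 7).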

The IRS agreed with our recommendations. The IRS stated that it has completed four of the seven recommendations. In addition, the IRS plans to provide security specialists with training, produce monthly reports for unusual activity, and ensure that audit trails indicate the target application.

DEPARTMENT OF THE TREASURY WASHINGTON, D.C. 20220

September 7, 2016

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael E. McKenney, Deputy Inspector General for Audit

SUBJECT: Final Audit Report - Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Audit # 201520006)

This report presents the results of our review of the Internal Revenue Service's (IRS) response to the Get Transcript incident. The overall objective of this review was to evaluate the appropriateness of the IRS's response to the Get Transcript incident and the effectiveness of the proposed solution to address the authentication weakness which allowed the incident to occur. This audit is included in our Fiscal Year 2016 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and IRS Employees.

Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny Verneuille, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background ............ Page 1

Results of Review ............ Page 6

  The Get Transcript Incident Response Generally Followed Federal Guidance ............ Page 6
  Network Monitoring Tools Were Not Sufficient to Detect Automated Attacks ............ Page 9
    Recommendation 1 ............ Page 10
    Recommendation 2 ............ Page 11
  The eAuthentication Audit Logs Were Captured, but Were Not Adequately Monitored ............ Page 11
    Recommendations 3 and 4 ............ Page 13
  Requirements for Correlating Audit Log Information Were Not Fully Implemented ............ Page 14
    Recommendation 5 ............ Page 15
  Additional Information Would Improve the Usefulness of Audit Log Reports ............ Page 15
    Recommendations 6 and 7 ............ Page 17

Appendices

  Appendix I - Detailed Objective, Scope, and Methodology ............ Page 18
  Appendix II - Major Contributors to This Report ............ Page 20
  Appendix III - Report Distribution List ............ Page 21
  Appendix IV - Management's Response to the Draft Report ............ Page 22

Abbreviations

CSIRC   Computer Security Incident Response Center
ID      Identification
IRM     Internal Revenue Manual
IRS     Internal Revenue Service
NIST    National Institute of Standards and Technology
PIN     Personal Identification Number
SAAS    Security Audit and Analysis System
SP      Special Publication
SSN     Social Security Number
TIGTA   Treasury Inspector General for Tax Administration

Background

Taxpayers continue to prefer electronic products and services that enable them to interact and communicate with the Internal Revenue Service (IRS). As such, the IRS has ongoing plans to expand the information and tools available online to assist taxpayers. The IRS's goal is to provide taxpayers with dynamic online account access that includes viewing their recent payments, making minor changes and adjustments to their accounts in real-time, and corresponding digitally with the IRS to respond to notices or complete required forms. Federal regulation also mandates development of such online services. The IRS Restructuring and Reform Act of 1998 [1] requires the IRS to allow taxpayers to access tax account information online. Other Federal mandates [2] provide guidance related to implementing electronic access to Government information.

When taxpayers seek to access tax returns or other personal information from the IRS, they are required to authenticate their identities. Authentication in a face-to-face setting, such as when a taxpayer visits a Taxpayer Assistance Center, is straightforward: a picture identification (ID) is compared with the taxpayer's face. Online authentication is more difficult because no physical verification is possible. Electronic authentication is the process of establishing confidence in user identities electronically prior to any transaction with an information system. [3] Electronic authentication also poses a technical challenge when this process involves the remote authentication of individuals over an open network, such as the Internet, for the purpose of electronic Government and commerce.

The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers. The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals. Much of these data are detailed enough to enable circumvention of most authentication processes. No single authentication method or process will prevent unscrupulous individuals from filing identity theft tax returns or attempting to inappropriately access IRS services. However, strong authentication processes can reduce the risk of such activity by making it harder and more costly for such individuals to gain access to resources and information. Therefore, it is important that the IRS ensure that its authentication processes are in compliance with National Institute of Standards and Technology (NIST) standards in order to provide the highest degree of assurance required and ensure that authentication processes used to verify individuals' identities are consistent among all methods used to access tax account information.

[1] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C. (2013)).
[2] Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies (Dec. 2003), and the President's National Strategy for Trusted Identities in Cyberspace (Apr. 2011).
[3] Per Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies (Dec. 2003), authentication focuses on confirming a person's identity, based on the reliability of his or her credential. This differs from authorization, which focuses on identifying the person's user permissions.

Page 1

In January 2014, the IRS implemented the eAuthentication Release 2 application as a means for public users to authenticate their identity with the IRS. Public users requesting access to an online application, such as Get Transcript, are first routed through the eAuthentication application, which acts as an authentication service for IRS online applications. A key component of security and privacy risk is the manner in which individual users identify (proof) themselves to the system and how they subsequently re-authenticate.

The IRS designed eAuthentication to allow for variable levels of assurance regarding identity proofing depending on the risk assessment of the IRS applications being protected. Applications determined to be less risky can be protected at a lower level of assurance, with increased levels of assurance needed to access applications with more sensitive information. The eAuthentication service, once fully developed, will enable the IRS to require multifactor authentication [4] for all applications that warrant a high level of assurance. The eAuthentication identity-proofing process can validate identity information provided by public users against a combination of IRS and third-party data. The applications that used eAuthentication in Calendar Years 2014 and 2015 included Get Transcript, Identity Protection Personal Identification Number (PIN), and Online Payment Agreements.

Get Transcript incident

Starting in January 2014, taxpayers could request tax information online using the IRS's Get Transcript application on its public website (). Information requested could include account transactions, line-by-line tax return information, and income reported to the IRS. Taxpayers could generate all five types of transcripts (tax account, tax return, record of account, wage and income, and verification of nonfiling) and either view online, print, or download a transcript. From October 1, 2014, through April 15, 2015, the IRS provided 23 million transcripts to individuals using the Get Transcript application.

In May 2015, the IRS discovered that fraudsters, using personal information stolen from third parties, had been able to perpetrate an attack on the Get Transcript application by authenticating via eAuthentication. In many cases, the fraudsters were able to obtain or view copies of taxpayer transcripts. A previous Treasury Inspector General for Tax Administration (TIGTA) audit [5] found that the IRS did not require multifactor authentication for its online services. The IRS used a multistep, but single-factor, process to authenticate Get Transcript users before tax

[4] Multifactor authentication is a characteristic of an authentication system or a token that uses two or more authentication factors to achieve authentication. The three types of authentication factors are something you know, something you have, and something you are.
[5] TIGTA, Ref. No. 2016-40-007, Improved Tax Return Filing and Tax Account Access Authentication Processes and Procedures Are Needed (Nov. 2015).

Page 2
