The IRS Steps Up To Fix Authentication Issues

Just to prove that information security news is not always bad, I want to highlight some recent changes at the U.S. Internal Revenue Service (IRS). Last March, I highlighted in my blog how weak authentication had resulted in two massive breaches at the IRS. Both breaches were caused by the failure of knowledge-based authentication (KBA) systems to protect highly sensitive data.

In the first breach, cyber thieves gained access to the IRS’s “Get Transcript” program by entering personal information and answering personal verification questions. They then downloaded copies of tax returns and used them to file phony returns and claim refunds.  In the second breach, thieves accessed the IRS’s electronic filing personal identification number (E-File PIN) application and stole more than 100,000 PINs, which were needed for electronic filing of fraudulent returns.

Now the good news: the IRS has responded. The agency has added multi-factor authentication to its Get Transcript program, and it has taken its E-File PIN application out of service.

The Get Transcript application now has three layers of authentication. The first asks for personal information, like name, birth date, Social Security Number, tax filing status, and current address. The second layer requires taxpayers to enter an account number from a credit card, mortgage, line of credit, or auto loan that is then verified by the IRS.

The real security improvement comes with the third layer. The IRS now requires taxpayers to enter a mobile phone number that is associated with their name, and uses this number to send a text with a one-time passcode. By adding this out-of-band authentication, the IRS has greatly reduced the possibility of compromised accounts, as it is unlikely that thieves could intercept the one-time passcode.

As for the E-File PIN application, it was taken out of service on June 26, after the IRS detected additional cyber attacks on the system.  According to the agency, the effect on taxpayers should be minimal because the E-File PIN was used by only a small number of taxpayers to verify their signature when filing. Most taxpayers use their adjusted gross income from their prior-year return to authenticate. And those who do not have a copy of their prior-year return can use the Get Transcript application, which as described above, is now more secure!

So why has the IRS been so slow to address these issues? The first reason lies in the difficulty of strengthening security while remaining “consumer-friendly.” It’s very common for taxpayers to forget their usernames and passwords (or any unique PIN or code they are given), so users must be able to retrieve their credentials, knowing only what they know. Secondly, when the IRS changes E-filing rules, like the E-File PIN, the change affects tax preparers and tax preparation applications, so the change must be coordinated with many partners and affiliates.

Real progress is being made at the IRS, and it provides a good example of how important it is to take a proactive approach to managing user access. It’s a critical piece of the equation in terms of securing sensitive data and business processes, no matter if you’re the IRS, a private company or a large, globally-dispersed publicly-held enterprise.