The Internal Revenue Service has not established a service-wide approach to managing effective authentication processes and procedures for individual taxpayers’ identities, according to the Treasury Inspector General for Tax Administration.
“The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals,” TIGTA said in the report. “Much of these data are detailed enough to enable circumvention of most authentication processes.”
“The IRS recognizes the need to establish a service-wide approach to managing its authentication needs and has established two groups that focus on taxpayer authentication. However, neither of these groups provides for cross-functional management, oversight, and continued evaluation of the IRS’s existing authentication processes to ensure that they address current and future needs,” TIGTA stated.
In addition, according to the report, authentication methods used for current online services do not comply with Government Information Security Standards. For example, TIGTA's analysis of the e-authentication processes used to authenticate users of the IRS online Get Transcript and Identity Protection Personal Identification Number applications found that the authentication methods provide only single-factor authentication, despite the government standards requiring multifactor authentication for such high-risk applications. As a result, unscrupulous individuals have gained unauthorized access to tax account information, the report said.
“It is critical that the methods the IRS uses to authenticate individuals’ identities ensure that tax information and services are provided only to individuals who are entitled to them,” said Inspector General J. Russell George. “The unauthorized disclosure of tax information can enable identity thieves to prepare identity theft tax returns that more accurately reflect a valid return, increasing the risk that fraudulent returns will not be detected by the IRS,” he added.
TIGTA recommended that the deputy commissioner for services and enforcement develop a service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs; ensure that the level of authentication risk for all current and future online applications accurately reflects the risk; and ensure that the authentication processes meet Government Information Security Standards. The IRS agreed to implement all three recommendations.