Nearly half of the firms approved by the Internal Revenue Service to provide free online tax filing services have received a failing grade from a cybersecurity watchdog organization.
Of the 13 free e-file services that have agreements with the IRS, the Online Trust Alliance said six of them failed a cybersecurity “audit” based on the IRS’ revised 2010 security and privacy standards.
The problem, said Craig Spiezle, executive director and founder of OTA, is that potential hackers now target every link in the supply chain of information — the taxpayers, the e-file companies and the IRS.
“Whether we like it or not, the criminals recognize that the tax season is like Christmas for them,” Spiezle said in an interview with Federal News Radio. “What’s concerning is they’re not only looking at the consumer, they’re not only trying to target and breach the IRS. They’re looking at the whole flow of the data, the supply chain and increasingly a majority of returns through e-file providers. And so, not surprisingly, cyber criminals are smart, and they are actually looking and they are trying to compromise, either directly through hacking, or by masquerading as these legitimate e-file provider companies.”
The audit was released just days before the IRS announced that its May 2015 data breach compromised the sensitive information of more than 700,000 taxpayers — more than double the agency’s previous estimate.
Multiple requests to the IRS for comment on OTA’s findings and the security of its systems were not returned.
The OTA audit found fault with websites for their lack of authenticated email addresses, which left customers vulnerable to spear phishing attacks, the most common type of tax fraud.
“It’s a typical consumer that is just getting an email that purports to come from the IRS. They open it up, and says we have a problem with your [tax] return. They open up that attachment and by just doing that, that gets malware or key loggers on their machine,” Spiezle said.
The report also found misconfigured servers and a lack of protection from copycat websites, but Spiezle said most vulnerabilities were the result of poor management and not bad technology.
“We tried to reach out to these firms in advance, and it turns out they don’t have any conduits or mechanisms for people such as ourselves to try and responsibly disclose problems,” he said. “The whole point is these are not technology issues, these are operational issues.”
The IRS encourages taxpayers to file their tax returns electronically and touts the popularity of its “Where’s My Refund?” website application, but Spiezle said that convenience also creates new points of vulnerability where data can be compromised.
“You have this industry out there that forces consumers to go through, and it’s not necessarily bad, but now you have yet another ‘hop,’ another layer, another whole segment that can be compromised. It’s doubling the threat landscape that there could be abuse,” he said.
The IRS in February requested $11.8 billion in President Barack Obama’s fiscal 2017 budget, an increase of 4.7 percent over 2016 levels. Spiezle agreed that the agency has been on hard financial times.
“The IRS itself continues to have their budgets challenged, and so in many ways they’re being limited in what they can do,” he said. “The IRS is doing, I think, as good a job as they probably can based on some technology limitations and budget, but again, their systems will be exploited.”
OTA said it has reached out to the National Taxpayer Advocate and the Treasury Department Office of Inspector General with its findings.
“I would expect you’re going to see additional review and process in place for e-file firms,” Spiezle said.
The following free e-file services made OTA’s honor roll: