IRS searches for new authentication measures in wake of huge data breach


The IRS, its inspector general and private security experts told the Senate Tuesday that the fundamental cybersecurity safeguards the agency used for the web portal involved in a massive heist of taxpayer data have probably outlived their usefulness.

In hindsight, that assessment might seem self-evident given the fact that an organized criminal syndicate bypassed the checkpoints and stole data from 104,000 taxpayers.

But it leaves the agency pondering several vexing questions over what to do next, including how it can deliver secure online services without making the sign-up process so cumbersome that no one will use it, how it can verify taxpayer identities without collecting and storing data that would provoke objections from members of Congress who are already highly suspicious of the IRS, and how to offer a decent online experience via data systems built decades ago.

The theft of taxpayer data the IRS first disclosed last week involved its Get Transcript web portal, which used “out of wallet” information, sometimes called knowledge-based authentication (KBA).

In this case, visitors were challenged with multiple-choice questions developed and provided under service contracts through major credit bureaus: for example, whether they’ve had credit cards from a given bank, whether they’d lived on a certain street in the past, whether any of the last four digits in a list of phone numbers is one they’ve used in the past or which high school they graduated from.

But because all of the victims had already had their identities stolen through other sources, much of that information was already known to the hackers or easily deduced from search engines — making them easy targets for tax refund fraud.

“The IRS faces a daunting task of protecting its data and IT environment from an ever-changing and rapidly evolving hacker world,” said Russell George, the Treasury Inspector General for Tax Administration. “This incident provides a stark reminder that security controls that may have been adequate in the past can be overcome by hackers who are anonymous, persistent, and have access to vast amounts of personal data and knowledge.”

George said his office had made a number of recommendations to the IRS that, if implemented, would have made the hackers’ job “more difficult,” but could not specify any specific measures that would have prevented the months-long exfiltration.

John Koskinen, the IRS commissioner, took the Get Transcript system offline last week until the agency devises a more secure way for taxpayers to access their data.

He emphasized that all of the information the criminal network used to access the IRS system was previously stolen from other sources, but said the security value of the KBA-based authentication mechanisms his agency, other government institutions and private companies are using for identity management is dwindling as hackers build up their own vast databases of personal information.

“There are breaches across the private sector every day, and all of that data is being collected by criminals in the dark web that exceeds the regular amount of data we have access to,” he said. “We have to continually attack this problem. It’s an increasingly complicated challenge. What worked a year ago is not working anymore today. The problem with our authentication process for our websites is that what was a perfectly-good solution for private sector companies and others has been overtaken by events.”

In Senate testimony Tuesday, private security experts urged the IRS and other agencies to transition away from authentication methods that rely entirely on users’ answers to questions that only they are supposed to know, since that knowledge can be easily stolen and transmitted around the world instantaneously — particularly when the information is composed precisely of the kind of financial data targeted by identity thieves and routinely traded in dark corners of the Web.

IRS and independent security experts agreed an ideal scenario would involve a transition to some form of two-factor authentication: the agency would require some independent means to verify a taxpayer’s identity when he or she signs up to access electronic services on the agency’s website.

“You need some independent identity verification,” said Jeffrey Greene, the director for government affairs at Symantec. “If you’re sending a confirmation message to the same email address the person submitted when they set up an online account, it’s circular. You’re still dealing with the same person.”

The latest iteration of Get Transcript appears to have ignored that precept: the system did not require users to supply and verify their identities through a separate voice, email or text message before creating an online account. IRS officials acknowledged Tuesday that they considered that shortcoming to be a design flaw.

But from the agency’s perspective, establishing a nationwide two-factor authentication process is easier said than done. Companies like Google and Microsoft implement those additional security measures by sending a numeric code to a user’s mobile phone or email address and requiring them to enter that PIN to access their accounts. But in the mass-market private sector, two-factor authentication is managed on a voluntary, opt-in basis.

And Koskinen said the IRS is a long way from being able to implement that sort of system, even for taxpayers who want it.

“Part of our problem is that we can’t communicate with taxpayers electronically at all yet — we never send emails back and forth because we have no security for that,” he said. “If we could communicate with taxpayers electronically, that would accomplish a lot of our goals. One of them would be that we could communicate with taxpayers in the same ways that financial institutions do today: they can send you an email to your email address, because they know ahead of time that it’s your email address.”

In the absence of secure electronic communication mechanisms, the IRS is tinkering with other ways to head off identity theft. The agency already issues personal identification numbers to previous victims of identity theft. After having proved their identities to the IRS, they must supply annual PINs, sent to them by mail, along with their tax returns before the agency will accept their return and process a refund.

The IRS is piloting a system in the District of Columbia, Georgia and Florida to let all taxpayers opt in to the PIN program. But the agency is wary of deploying the program nationwide until it sees the results: officials worry it could create more problems than it solves, since taxpayers are more likely to forget or lose their IRS PINs than their Social Security numbers.

Still, Koskinen says the IRS is exploring ways that it could quickly enhance its security measures by, for example, requiring Get Transcript users to pay a $1 fee via a credit card. Such a system would mimic private merchants’ security procedures by attempting to ensure the requestor had a valid credit card in their physical possession.

Measures such as that would still be far from foolproof, but Koskinen said the agency is struggling to strike a balance between ease of access for ordinary taxpayers and the imperative to head off fraud by international fraud syndicates.

Terence Millholland, the IRS’s chief technology officer, said that’s the exact conversation the agency had with itself before it brought the Get Transcript system online two years ago.

At the time, asking a few questions based on credit data seemed like a reasonable backstop against fraud.

“The debate inside the IRS was how many of those questions we should ask,” he said. “Instead of asking four or five questions, you can ask 15 or 16. Each one of those questions can increase your level of confidence that you’re really talking to the person you think you’re talking to, and by the time you get to the 16th question, you’re in the 99 percent range. But that’s a burden on the taxpayer. So how easy do you make it, and how do you balance that against the risk that you’re wrong?”
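The trade-off Millholland describes can be made concrete with a small model. The code below is an added example, not from the article or the IRS; its assumptions are mine: each KBA question is multiple-choice with four options, an attacker already holds a fraction `known` of the victim's answers from stolen records and guesses the rest, and a legitimate taxpayer misremembers each answer with probability `slip`.

```python
# Added example: how many KBA questions buy a given confidence, and how that
# collapses once the attacker already holds the answers. Model and parameter
# names (known, slip, choices) are assumptions, not IRS figures.

def p_attacker_correct(known, choices=4):
    """Per-question success for an attacker who knows a fraction `known` of the
    victim's history and guesses uniformly among `choices` options otherwise."""
    return known + (1.0 - known) / choices

def false_accept(n, known, choices=4):
    """Probability an attacker passes all n independent questions."""
    return p_attacker_correct(known, choices) ** n

def false_reject(n, slip):
    """Probability a legitimate taxpayer fails at least one of n questions
    (the 'burden on the taxpayer' side of the trade-off)."""
    return 1.0 - (1.0 - slip) ** n

def questions_for_confidence(target, known, choices=4, max_n=100):
    """Smallest n whose false-accept rate is at most 1 - target, or None if
    no quiz of up to max_n questions reaches it."""
    p = p_attacker_correct(known, choices)
    n = 1
    while p ** n > 1.0 - target:
        n += 1
        if n > max_n:
            return None
    return n

if __name__ == "__main__":
    # Constructed scenarios: attacker with no prior data, partial stolen data,
    # and a near-complete dossier of the kind traded after other breaches.
    for known in (0.0, 0.65, 0.95):
        n = questions_for_confidence(0.99, known)
        label = "unreachable" if n is None else f"{n} questions"
        print(f"attacker knows {known:.0%} of answers -> 99% confidence needs {label}")
    for n in (4, 16):
        print(f"{n} questions: honest-user failure rate at 5% slip = {false_reject(n, 0.05):.1%}")
```

The output shows that four random-guess questions already reach 99 percent, around 16 are needed once most answers are known, and no practical number of questions helps when the attacker holds nearly everything, which is the situation the article describes.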

But Millholland also acknowledged a failure of imagination on the IRS’s part: When it set about implementing the Get Refund system two years ago, the agency still thought fraudsters would be queuing up to get transcripts one by one, just as they used to do via telephone. The agency did not anticipate a concerted online bombardment by an organized criminal network.

“We built it the same way the phone system was running back then, where if you wanted to get someone’s tax return, you’d call up and fake it. That’s the mindset we had at the time,” he said. “That’s something we should have thought better about, but it’s a hindsight question.”

Koskinen, who has frequently complained about the budget cuts his agency has faced over the past several years, said this particular breach was not a direct result of IRS underfunding. But he said other core IRS IT systems are in dire need of modernization, including several that the agency’s IG has criticized for failure to patch with security updates.

“We are running an antiquated system with some applications that are 50 years old,” Koskinen said. “We haven’t even been able to provide patches for all of the upgrades. Some of our systems don’t have patches because they’re no longer even supported by the provider.”
