A Treasury Department watchdog says the Internal Revenue Service has made progress in improving its identity management controls for people filing their taxes online, but still has some work to do when it comes to identifying fraudulent profiles and activity.
The Treasury Inspector General for Tax Administration (TIGTA), which audits the IRS, released a report Thursday appraising the agency’s implementation and improvement of authentication controls.
TIGTA credited the IRS for requiring taxpayers to use two-factor authentication to log on to the IRS’s online services. The auditor also said the IRS improved its ability to automatically monitor activity across different systems and detect any anomalies.
“Using this tool, the Cyber Fraud Analytics group identified fraudulent activity in which fraudsters improperly used data stolen from sources outside of the IRS to successfully perpetrate a small number of targeted attacks,” TIGTA said.
However, the auditor added that those monitoring tools need to get better at detecting automated attacks.
“If automated attacks are not prevented, more taxpayer records could be compromised and revenue lost to identity theft refund fraud,” the report said.
In January 2016, the IRS suffered a bot attack that tricked the agency’s online PIN generation tool into issuing an estimated 100,000 PINs to cybercriminals, who used them to try to reap about $100 million in fraudulent refunds.
TIGTA also said that, despite implementing two-factor authentication, the IRS still needs to improve its ability to detect the creation of new profiles that impersonate real people. The report grants that the IRS has made some progress in this regard, but says there are still deficiencies. However, the deficiencies are redacted in the report.
“While the IRS indicated it had completed actions to correct this deficiency, it did not adequately test or monitor the audit logs to determine whether the controls were fully effective at preventing the unauthorized activities,” TIGTA said.
TIGTA cites a May 2015 incident in which criminals “used taxpayer personal identification information obtained from sources outside the IRS to impersonate legitimate taxpayers.” In that incident, TIGTA estimates that 252,400 fraudulent tax returns were filed, leading the IRS to issue $490 million in wrongful refunds.
The IRS agreed with all four of the TIGTA report’s recommendations, which encompass better planning and improving the specific systems TIGTA audited.