IRS tax transcript system’s authentication protocols not strong enough, OIG says

An IRS system that allows third parties to obtain tax transcripts still doesn’t have strong enough authentication procedures to meet federal standards or reduce its risk profile, according to a new report.

The Treasury Inspector General for Tax Administration’s March 26 audit examined the IRS’s Transcript Delivery System — used by tax professionals and others to obtain transcripts through the agency’s e-Services — to assess the risk of unauthorized releases of tax information through gaps in the system’s verification process following the 2015 Get Transcript breach.

The report showed that IRS officials continued to use single-factor authentication in the TDS system, failing to meet National Institute of Standards and Technology standards for validating an identity.

IRS officials told TIGTA that attempts to apply two-factor authentication ran into several roadblocks during the testing phase, which delayed verification updates.

“These barriers included that other IRS applications would be impacted by the implementation of multifactor authentication requirements, and the IRS needed additional time to identify a solution,” the report said.

Agency officials developed an interim solution, which included requiring TDS users to re-authenticate their identities, and sent them letters with instructions on how to do it in December 2016.

But TIGTA officials said between October 2015 and March 2017, more than 4,000 TDS users who requested tax transcripts were not sent letters on how to re-authenticate because the IRS failed to identify all of the system’s users.

Of those who didn’t receive a letter, 1,507 continued to request tax transcripts without re-authorizing. As a result, the information of nearly18,000 taxpayers was disclosed without the intended authorization of the requestors.

Another 138 users who failed to authenticate their identity on alternative systems but requested tax transcripts did not have their access revoked as required.

The report also raised concerns about the verification process for taxpayers authorizing the release of their information after TIGTA found anomalies in transcript requests that it deemed suspicious and perhaps the work of automated data scraping programs.

TIGTA offered nine recommendations, including that the commissioner of the Wage and Investment Division implement multi-factor authentication, stronger procedures for identifying taxpayers authorizing the release of their information and safeguard other information.

IRS officials disagreed with a recommendation that it notify the 4,022 users to re-authenticate, saying it had attained proper information standards in December 2017.

Agency officials also disagreed with recommendation calling for processes to prevent the use of data scraping programs. IRS officials said “that neither TIGTA’s nor their analysis has identified illegitimate transcript requests associated with the use of data scraping programs.”