In a Government Accountability Office audit, made public Thursday, the GAO credited the IRS for implementing programs to prevent, detect and resolve identity theft, but said the tax agency needs to do a better job in assessing the effectiveness of its initiatives. And, as it relates to potential online abuse, the IRS should be more consistent in enforcing security controls.
"Although IRS does not know of any cases where information security weaknesses have led to actual identity theft, IRS had 149 incidents of lost data affecting 911 taxpayers in 2008," the GAO report said. "Perhaps more importantly, IRS has information security weaknesses that increase the likelihood of IRS employees committing identity theft. Specifically, in January 2009 we reported that IRS did not consistently implement controls that were intended to prevent, limit and detect unauthorized access to its systems and information."
GAO noted that the IRS did not always enforce strong password management to properly identify and authenticate users, nor did it consistently authorize user access, including access to personally identifiable information, so that users received only the access needed to perform their job functions.
For example, GAO pointed out, the agency allowed authenticated users on its network to access shared drives containing taxpayer information, as well as performance appraisal information for IRS employees that included their Social Security numbers.
GAO recommended that the IRS strengthen its information security practices, and the IRS agreed, saying the agency is working to improve its security posture and will develop a detailed corrective action plan. "Until IRS addresses these weaknesses," GAO said, "there is an increased risk that someone could use his or her access to steal personally identifiable information and commit identity theft-related crimes."
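The shared-drive finding above is a least-privilege failure at the file-share layer: a grant to a catch-all principal such as "Authenticated Users" gives every logged-in employee the same reach as the HR or case staff who need the data. The following PowerShell audit is an added example, not code from the GAO report or from the IRS; it assumes a Windows file server with the SmbShare module, and the principal names it flags and the share and group names in the remediation lines are assumptions chosen for illustration.

```powershell
# Added example: find SMB shares that any authenticated user can reach.
# Assumes Windows Server with the SmbShare module (Get-SmbShare, Get-SmbShareAccess).
# The principal list is an assumption about what "everyone who can log in" looks like
# in a typical domain; extend it with site-specific catch-all groups.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users'
)

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($p in $BroadPrincipals) {
        # -like with a leading wildcard matches 'CONTOSO\Domain Users' as well as 'Domain Users'
        if ($Account -like "*$p") { return $true }
    }
    return $false
}

# Skip administrative shares (C$, ADMIN$, IPC$); they are marked Special and need a separate review.
$findings = foreach ($share in Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }) {

    # Layer 1: share-level ACL, i.e. who can open the share over the network at all.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }

    # Layer 2: NTFS ACL on the share root. Effective access is the more restrictive of
    # the two layers, so a broad grant here only bites when the share grant is also broad,
    # but both are reported so the reviewer sees where the tightening has to happen.
    foreach ($rule in (Get-Acl -Path $share.Path).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $rule.IdentityReference.Value)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'NTFS'
                Principal = $rule.IdentityReference.Value
                Right     = $rule.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Share, Layer | Format-Table -AutoSize

# Remediation pattern for a share that should be limited to one job-function group.
# Share name and group name are assumptions for the example; run against real names only
# after confirming the group's membership matches the people who need the data.
# Revoke-SmbShareAccess -Name 'HR-Appraisals' -AccountName 'NT AUTHORITY\Authenticated Users' -Force
# Grant-SmbShareAccess  -Name 'HR-Appraisals' -AccountName 'CONTOSO\HR-Appraisal-Reviewers' -AccessRight Read -Force
```

Run it on each file server as a local administrator; a share that appears only under the NTFS layer with a broad grant is not yet exposed, but will be the moment someone loosens the share ACL, so it belongs in the same corrective action list. Checking both layers is the part that matters: auditors who look only at NTFS permissions routinely miss shares whose share-level grant is "Everyone / Full Control" by default.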
To address online threats to its sites and taxpayers, the IRS in 2007 created the Online Fraud Detection and Prevention (OFDP) office to reduce online fraud against the IRS and taxpayers and to provide a rapid-response capability for detecting and responding to such fraud.
Even so, the GAO said, the IRS faces challenges combating fraudulent websites. OFDP officials told the auditors that schemes and websites that originate outside the United States are particularly challenging because of jurisdictional issues. However, the officials also told the GAO that the IRS is working with the Treasury Inspector General for Tax Administration, the Justice Department and other organizations to use existing authorities and relationships to help combat such fraud.
The GAO said another challenge the IRS faces is identifying fraudulent parties who operate from multiple, frequently changing IP addresses, which makes it difficult to trace a perpetrator's actual IP address. In addition, the auditors were told, some institutions are reluctant to share specific information about online fraud perpetrated against them. To help overcome this, officials stated that they are working with organizations such as the National Cyber Forensics and Training Alliance, the Anti-Phishing Working Group and others to facilitate and improve information sharing about fraud schemes.
The IRS has considered additional steps to help combat phishing and similar identity theft schemes, such as publishing a list of legitimate websites, but the GAO concluded that such a list would be almost impossible to keep current.