Ron Johnson hammers IRS on security design flaw

GOP chair hammers IRS on security design flaw
The Hill
Cory Bennett

Sen. Ron Johnson (R-Wisc.) on Tuesday hammered IRS officials over a basic security design flaw that contributed to the digital theft of over 100,000 people’s tax returns.

The IRS revealed last week that 104,000 taxpayers had their personal information nabbed by what the agency and lawmakers believe was an organized crime syndicate. The data pilfered via the “Get Transcript” application has led to at least $39 million in fraudulent returns.

During a Senate hearing Tuesday afternoon, Johnson pressed IRS leaders over why the cyber crooks trying to illegally access accounts were able to repeatedly use the same email address.

“It’s one of the design flaws,” acknowledged Terence Millholland, IRS chief technology officer, during the Senate Homeland Security and Governmental Affairs Committee hearing.

“That’s a relatively significant flaw,” replied Johnson, who chairs the panel. “Each email has got to be a unique email.”

Most online registration systems allow only one account to be tied to a particular email address.

“That is a corrective item that needs to be done almost immediately,” Johnson told the officials.

IRS Commissioner John Koskinen explained that part of the reason his agency hasn’t implemented the unique email feature is that the IRS can’t communicate directly with taxpayers.

“We never send emails back and forth because we don’t have [the] security,” he said.

Koskinen said that the ability to communicate via email would also bolster the agency’s two-factor authentication process, which has been criticized in the wake of the breach.

Two-factor authentication involves a secondary check on top of a password, such as a time-sensitive code emailed to the user, or additional personal questions.

The IRS went the personal question route. The “Get Transcript” application asked, for instance, for the taxpayer’s monthly mortgage or car payment. Cyber crooks were able to track down this type of information from the vast troves of personal data being traded on the dark Web after numerous company data breaches in recent years.

But before choosing how to improve confidence in this two-factor process, Millholland said the IRS has to make a major decision about how it interacts with taxpayers.

“We fundamentally have to decide, are we going to decide to set up accounts for taxpayers so they can file directly?” he said.

If they do, the agency will consider biometric authentication, such as a fingerprint, as a secondary factor.

“That gives us that additional proof that person is who they say they are,” he said.