The Government Accountability Office (GAO) has issued a report that says IRS measures still fall short when it comes to protecting the personal information of taxpayers. While the 50-page report credits the Internal Revenue Service for improvements in its Taxpayer Protection Program (TPP), it finds the IRS, at the time the GAO audit was carried out, had overlooked a key threat in its risk assessment of computer systems.

A risk assessment poses scenarios to the network or system being tested, and sees if the defenses in place are good enough to stop unauthorized access. The GAO says the IRS failed to test the possibility that hackers would have access to personally identifiable information (PII) for taxpayers that allows the intruder to side-step defenses.

This is the scenario that played out in 2014, when fraudsters used stolen personal information to get past IRS defenses and steal hundreds of thousands of income tax return through the Get Transcript tool on the IRS web site. The Get Transcript tool is now operating again after being shut down, although the GAO says its security should be beefed up even more.

TPP is used to authenticate the identities of suspicious filers in an effort to block fraudulent returns. It uses “singled-factor” authentication procedures that use one of three elements:

• Something You Know
• Something You Have, or
• Something You Are

The GAO acknowledges that at one time, this would have been sufficient to stop most security hacks. But with personal information now available to cyber-criminals through Internet searches or phishing websites, yesterday’s security is today’s security liability.

In its response, the IRS agreed with the recommendation to include the missing assumption into future risk assessments, and to continue to strengthen security methods.