Last year's IRS e-filing hacker-friendly

Last year, the Internal Revenue Service left its e-filing system all but open to hackers, according to a report released Thursday by the General Accounting Office. Worse yet, the IRS had no way of telling whether its systems actually had been broken into, according to the GAO, the investigative arm of Congress.

"IRS did not adequately secure access to its electronic filing systems or to the electronically transmitted tax return data those systems contained," the GAO said in its report. "We demonstrated that unauthorized individuals, both internal and external to IRS, could have viewed and modified taxpayer data."

IRS officials did not immediately return calls seeking comment. But in a letter to the GAO, IRS Commissioner Charles Rossotti said the agency had addressed many of the problems.

"The IRS initiated timely actions to strengthen important security controls when (the GAO) audit findings were brought to our attention," Rossotti wrote in his letter. "Taxpayers can feel safe and secure using e-filing during the 2001 filing season."

Last year, more than 35 million taxpayers--about 28 percent of all taxpayers--filed electronic returns through the computer or over the telephone with the IRS, according to the report. Meanwhile, Congress has set a goal for the IRS that 80 percent of all returns will be filed electronically by 2007. The IRS expects some 42 million taxpayers to file electronically this year.

Online tax-preparation sites have already seen a spike in traffic this year, as taxpayers try to beat next month's filing deadline. Earlier this month, Intuit's tax site went down for more than 24 hours, and taxpayers have had trouble accessing such sites as 1040.com and H&R Block's Hrblock.com.

But those troubles appear to pale in comparison to the problems the GAO found with the IRS e-filing system. Among the security problems the GAO cited:

• The firewall protection the IRS used on its e-filing system did not effectively restrict outside access to the system, and the IRS turned off some of its network controls to speed the processing of returns. On top of that, the operating system on the e-filing system was insecure.

• Although the IRS normally encrypts data on its computer systems, the agency left tax returns on its e-filing system unencrypted.

• The password system used to safeguard data was insufficient. GAO investigators were able to guess many passwords and found some user IDs and passwords posted in public view at one IRS facility.

• The IRS did not have an adequate system in place to detect hacker intrusions. The e-filing system did not record certain events in its log files, and the agency and had no system for regularly reviewing those files to look for hacker attacks.

"IRS had not followed or fully implemented several of its own information security policies and guidelines," the report said. "It decided to implement and operate its e-file computers before completing all of the security requirements for certification and accreditation."

In a response to the report, the IRS said it had since completed the certification and accreditation requirements for its security systems. In addition, the agency has taken steps to improve its ability to detect possible intrusions, Rossotti said in his letter.

Rossotti noted that there is no evidence that anyone hacked into the IRS' systems last year.

"The (GAO) report does not differentiate between the likelihood of the threats occurring and the risks associated with the threats--resulting in the message unreasonably promoting undue concern," Rossotti said.

The IRS does not accept online returns filed directly by taxpayers. Instead, taxpayers are required to send returns through an approved partner of the IRS, such as Hrblock.com or Quicken.com.

But the GAO found problems with that process also. Sites such as Hrblock.com and Quicken.com--and tax-preparation services that filed electronically for taxpayers--sent tax returns to the IRS in plain text, meaning that employees at such companies could have viewed and modified the returns, according to the report.

The IRS is considering allowing its e-file partners to transmit encrypted returns, Rossotti said in his letter.

Some of the companies that work with the IRS have also had problems securing data. Last month, for instance, tax site e1040 mistakenly turned off its SSL (Secure Sockets Layer) software that it uses to encrypt transmissions from its customers. And last year, Hrblock.com exposed some customers' financial records to other customers.

Both companies shut down their tax filing sites temporarily to correct the problems.

While the IRS did take some steps to screen some of its e-file partners, most partners did not have to go through any kind of criminal background check, the GAO reported.

"IRS approved individuals to be e-file trading partners who had unpaid tax liabilities, filed tax returns late, filed false tax returns or had been assessed Trust Fund Recovery penalties," the GAO said.