
Drs. Hamlen and Kantarcioglu Discuss the IRS’ Tax Refund Fraud Detection System’s Vulnerability to Hackers

TBO – Tampa Tribune

The new computer system the IRS is using to detect identity theft refund fraud may be vulnerable to hackers, according to a recent inspector general report, which cited delays in patching known cyber security issues.

The IRS is touting what it describes as a powerful and sophisticated system to detect and prevent tax refund fraud. According to agency officials, the Return Review Program is a significant improvement over the tax agency’s previous computer filter system used to detect patterns of fraudulent tax returns and block bogus refunds from going to criminals.

But like many initiatives by the IRS, the new system has had some problems, according to a recent report by the IRS’ inspector general. The report identified security vulnerabilities that one expert said are potentially very dangerous and could allow criminals access to highly sensitive information.

The Return Review Program enables the IRS to add new filters in real time as officials identify patterns of fraudulent activity. The filters help the agency sort out potentially fraudulent tax returns from legitimate returns and prevent the issuance of bogus refunds to criminals who file using other people’s stolen personal information.

Stolen identity refund fraud, which exploded among street criminals in the Tampa area five years ago, is now increasingly being perpetrated by international organized crime syndicates, according to the IRS.

“These criminals have been able to gather enormous amounts of personal data from sources outside the IRS,” said IRS Commissioner John Koskinen in a conference call with reporters last week. “This makes protecting taxpayers more challenging and difficult.”

The Return Review Program is an improvement over the prior system, the Electronic Fraud Detection System, which could be updated only every six months.

In a trial run, the IRS reported the new system detected 25 percent more fraud than the prior system, the inspector general said.

Implementation of the new system, which the IRS began developing in 2009, was delayed because of budget problems, according to the Taxpayer Advocate. Consequently, the agency was not able to bring the new system fully online by the initial deadline of Jan. 1, 2015.

And because of the way the system was classified, security problems were not addressed and identified quickly, according to a report by the Treasury Inspector General for Tax Administration, the watchdog for the IRS.

Consequently, for example, two system servers found to be vulnerable to the Heartbleed bug had not been patched six months after the problem was discovered, according to the inspector general’s report, which says that particular vulnerability has since been addressed.


Scans of the system last year, the report states, found that four of 131 systems were “less than 80 percent compliant with required security settings; an additional 12 servers failed a high-risk check.”

Also, there were 322 critical failed tests, according to the report.

“Clearly, they need to put more resources into getting rid of these vulnerabilities,” said Murat Kantarcioglu, director of the Data Security and Privacy Lab at the University of Texas at Dallas and a visiting scholar at Harvard University. “They need to employ state-of-the-art techniques. It looks like they haven’t done that.”

Kevin Hamlen, senior technical advisor for the Cyber Security Research and Education Institute (CSI) at the same university, said by mentioning the Heartbleed bug, the inspector general is saying something about just how vulnerable the IRS system was when it was examined.

“I think the reason the inspector general report highlights that one is because Heartbleed was probably the most publicized” computer security issue last year, Hamlen said. “They’re pointing out that if you didn’t patch that one, you didn’t patch much.”

The 322 failed tests, Hamlen said, “surely represent more than one vulnerability” and are “a strong indication that there were many vulnerabilities that they had not patched.”

The Heartbleed bug, he said, is potentially very dangerous. The fact that it wasn’t addressed for six months, Hamlen said, is “rather shameful.”

The bug enabled hackers to exploit an error in a program widely used for secure Internet communications, Hamlen said. Using it, criminals can send requests to anything running that software and ask it to send a random chunk of information in its memory.

“Anything stored in that memory, the bad guy could see,” Hamlen said, including, potentially, master encryption keys that, once obtained, would enable the criminal to decrypt all traffic between a server and its users.

Other sensitive information, including tax records, could also be vulnerable, Hamlen added.

The report doesn’t say whether the IRS updated its firewalls to log suspicious traffic, Hamlen said, so it’s unclear if there was a Heartbleed attack during the period of vulnerability or if the IRS even knows. “It’s possible there may have been successful attacks against them that we may never know about,” he said.

All that said, Hamlen wasn’t shocked at the inspector general’s findings. “If I wasn’t experienced in the field, I would be more surprised by this,” he said. “Unfortunately what we’re seeing is there is a big broad problem across many agencies” of the federal government.

Agencies, he said, are slow to patch many of their machines, mainly because the government’s computer systems are so vast. “Sometimes it’s not clear how many systems they own,” Hamlen said.

Last year, the Department of Energy’s Inspector General released a report with similar findings. That report noted that in the preceding fiscal year, “the department, including the National Nuclear Security Administration, had taken positive actions to improve the security and awareness of the unclassified cyber security program.” But it said more needed to be done.

For example, the summary of the report said, “We discovered network systems and workstations at 13 locations with patch management weaknesses of varying degrees of criticality. Specifically, critical and high-risk vulnerabilities were identified on many of the systems and networks tested.”

“I think it’s sort of a systemic problem that patching systems in response to emerging security vulnerabilities turns out to be a difficult task for organizations that own many digital assets,” and not just government, Hamlen said. But with government, “they operate on such a large scale that that problem gets magnified.”

Hamlen said his lab has created a technology to deal with this problem by making patches invisible to criminals. This causes the bad guys to waste time trying to penetrate systems that are protected, making it harder to find which ones are vulnerable, and giving security technicians time to fix the vulnerabilities.

Kantarcioglu said it’s common, both in government and private business, for a new computer system to be introduced without the best security. “Almost always, the No. 1 concern is putting the system up and running,” he said.

Even with the best practices in place, problems can arise, he said. Kantarcioglu likened cyber security to personal health. Someone can do everything right, eat healthy, exercise, see the doctor. That person reduces the chance of getting sick, but can still become ill.

Having the best level of cyber security, Kantarcioglu said, can likewise reduce the threat and lower the level of damage if something does happen. But problems can still arise.

Asked last week about the inspector general report, Koskinen, the IRS commissioner, initially said the issues it raised were not related to security.

“It was basically how we could make (the Return Review Program) more effective and better use data,” he said. The program, he said, was being “rolled out slowly because of funding shortages.”

When pressed about the security issues identified by the inspector general, Koskinen said, “We have taken those recommendations, although (the inspector general’s staff) think we ought to approach a security issue one way and our security people disagree with that, and we have those ongoing discussions. But nonetheless, as a general matter, most of the time, we agree with their recommendations.”

Koskinen said he is “satisfied that the Return Review Program … is secure and it would be very difficult for somebody to figure out how to get into that program.”


Source | TBO – The Tampa Tribune | Written by: Elaine Silvestrini


About the UT Dallas Computer Science Department

The UT Dallas Computer Science program is one of the largest Computer Science departments in the United States with over 1,600 bachelor’s-degree students, more than 1,100 master’s students, 160 PhD students, and 80 faculty members, as of Fall 2015. With The University of Texas at Dallas’ unique history of starting as a graduate institution first, the CS Department is built on a legacy of valuing innovative research and providing advanced training for software engineers and computer scientists.


