Hackers spare nobody in their attacks, not even the most robust government information security infrastructure.
That is why the Internal Revenue Service is facing a security risk with its identity theft refund fraud detection system, which it touts as a powerful system for preventing fraudulent tax refund claims. The IRS Inspector General recently released a damning report that shows the system is vulnerable to cyber attacks.
And worse, the IRS has been slow in fixing the security flaw. According to the IG report, the IRS's Return Review Program contains a serious security problem that could allow attackers to steal sensitive data if left unattended for an extended period.
The Return Review Program is designed to identify fraudulent tax returns and prevent criminals from obtaining bogus refunds. However, the system failed to go online on time due to budget constraints, which has given rise to some security issues that were left unpatched. That means the IRS did not notice the problem earlier because of the implementation delay.
As a result, two of the system's servers at the IRS have been found to be vulnerable. The flaws discovered leave those servers exposed to the Heartbleed bug. However, more than six months after the flaws were discovered, the vulnerabilities have not been resolved.
The fact that the Inspector General has made mention of the Heartbleed bug, a massive security flaw that affects encryption, demonstrates the high risk the IRS system is facing as long as this issue is not fixed.
Heartbleed affected SSL last year, which resulted in a massive security problem among websites that use the security protocol. Heartbleed allows cyber criminals to view sensitive information such as encryption keys, which poses even more risk because, with those keys, attackers would be able to read the traffic between a user and a server.
Security experts suspect that there are more security issues with the IRS antifraud system aside from the ones reported by the Inspector General, and urge the agency to patch the issue at hand as soon as possible.
Tax records are the data most feared to be affected by the problem, and the IRS remains silent on whether it has updated its firewalls to detect suspicious activity within its network. It is also not known whether there were Heartbleed-related attacks in the six months since the flaw was found. But security experts are positive there have been such attacks, only that they may not have come to light this early, as is usually the case.