IRS Stimulus Website Plagued by Privacy, Security Issues

By Rob Sabo

Linda Elkington Huotari was excited when she logged into the new IRS website “Get My Payment” and learned she was eligible for direct deposit of her coronavirus stimulus check.

Huotari, who lives in Sherwood, Ore., had already filed her 2018 and 2019 tax returns, so the Internal Revenue Service had her correct banking information.

Two weeks have passed, however, and Huotari has yet to see any funds under the Coronavirus Aid, Relief and Economic Security Act (CARES) deposited into her checking account.

She’s actually one of the lucky ones who successfully navigated Get My Payment to track the status of her payment.

“I’ve received my refunds from 2018 and 2019, but no stimulus funds — and there’s no reason why,” Huotari told Digital Privacy News.

Tens of millions of Americans have received stimulus checks via direct deposit, but millions more have encountered difficulty navigating Get My Payment.

The most common issues are users receiving an error message stating “payment status not available” — and not having any way to provide correct banking information.

More alarming, security and data-privacy experts told Digital Privacy News, is the lack of safeguards and critical site vulnerabilities that potentially leave millions of consumers who accessed the site prone to data intrusion and cyberfraud.

“Get My Payment was launched a mere five days after the IRS announced it was being developed,” said Mandee Rose, editor at TheVPNShop.com. “Had efforts toward developing the site started sooner, the IRS would have had time to make sure cybersecurity and online privacy measures were properly implemented.”

The IRS announced Sunday that it had significantly revamped the site to allow more users to enter their banking information and bypass the “payment status not available” message.

IRS Commissioner Chuck Rettig said in a statement that people who haven’t visited the site recently should do so again for the latest information on their stimulus payments.

Information submitted to IRS.gov is subject to numerous screens and filters that protect taxpayers against identity theft, the agency said.

What is Get My Payment?

The U.S. Treasury Department and IRS launched Get My Payment on April 15. The site allows Americans who filed tax returns the past two years to update their banking information to hasten delivery of their stimulus payments via direct deposit.

To access the site, users must input their birthdate, address, ZIP code and Social Security number.

The site offers little more in terms of functionality outside of a link to a “FAQ” page for users who get the “payment status not available” message.

Upon launch, the site was overwhelmed with traffic, according to news reports, and users were placed in an IRS virtual “waiting room” before gaining access.

Poor functionality and other issues may be annoying to consumers, experts told Digital Privacy News, but the real problem lies in the sensitive nature of the data consumers must provide to check the status of their payments.

“The data categories required to access the site include an individual’s name, Social Security number, address and ZIP code,” said Sara H. Jodka, a cybersecurity and data-privacy attorney at the Dickinson Wright law firm in Columbus, Ohio.

“Because the site is bare bones, it’s possible the site does not comport with all necessary security protocols to fully protect that sensitive information from unauthorized access and disclosure.”

Identity Theft Potential

The IRS is aware of increased attempts to scam and victimize Americans during the COVID-19 pandemic, IRS Criminal Investigation Chief Don Fort said in a memo provided to Digital Privacy News.

“The IRS Criminal Investigation Division is working hard to find scammers and shut them down, but in the meantime, we ask people to remain vigilant,” he said.

Get My Payment and other tools on IRS.gov are safe and secure, the agency said. Despite these assurances, serious privacy and security questions remain.

Jodka said the limited functionality and sensitive information would trigger data-breach alerts in all 50 states if compromised.

Get My Payment was a rush job and may not fully comply with the security protocols needed to protect sensitive user data and prevent unauthorized access, she said.

“Landlords and creditors are using the site and sensitive information obtained from their tenants and debtors to request rent and other payments based on information they receive about the status of the tenant-debtor’s stimulus check,” Jodka told Digital Privacy News.

“Anyone can use sensitive information to check on the status of another’s check,” she added. “There is no (safeguard) as to identity.

“This privacy-intrusion allowance by the site builders sets the stage for more serious intrusion due to security issues.”

Visions of Obamacare Rollout

Unscrupulous landlords and creditors aren’t the only issue, said TheVPNShop.com’s Rose.

Unlike HealthCare.gov, which crashed two hours after its October 2013 rollout under heavy traffic and an incomplete site design, Get My Payment has problems of a different kind, she told Digital Privacy News.

Given the history of federal institutions suffering major data leaks, it’s not unrealistic to assume Get My Payment already has left millions of Americans exposed to cyber fraud, Rose said.

“Until the IRS conducts a proper cybersecurity audit, it’s a guessing game as to when that sensitive data starts appearing on the black market,” she said. “Sensitive data exposure relies on security misconfiguration, specifically in how encryption methods are implemented.

“Without proper encryption standards, sensitive data can be intercepted.

“Similarly, an attacker can easily steal that information if the storage hasn’t been properly encrypted,” Rose added. “Ultimately, these concerns manifest in the same way: a data leak.

“Sensitive data could be used to steal funds, identity theft or any other number of cybercrimes.”

Protecting Yourself

With its vast pool of resources, the federal government should have taken more time to set up a more secure site with tighter security measures, experts told Digital Privacy News.

This would have allowed developers to audit their work and strengthen security protocols.

However, consumers can still protect their data when using Get My Payment by never logging into the site over public Wi-Fi and by using a reliable VPN service for a more secure network connection, Rose said.

“Broken authentication systems and unvalidated redirects are two of the most common security vulnerabilities,” she said. “Unfortunately, the most common user complaints regarding Get My Payment strongly suggest both of these vulnerabilities are present.”

Rob Sabo is a Nevada writer.
