GAO finds holes in; Treasury plugs 'em

Inconsistent security controls for Treasury Department's online payment service left it open to rogue users, who could tap into customers' confidential information or disrupt service, the General Accounting Office reported today.

Based on the findings of the congressional auditors, Treasury's Financial Management Service immediately took action. Between the audit briefing and the release of the new report, the agency told GAO that it had corrected the security weaknesses.

FMS and the Federal Reserve put in place and documented many security controls and procedures for the portal. But those controls were not always implemented effectively enough to ensure the confidentiality, integrity and availability of the data, GAO said in its report, Information Security: Computer Controls over Key Treasury Internet Payment System.

Via, which FMS manages and the Federal Reserve operates at three of its facilities, the public can make online payments for things such as loans, fines and fees, but not taxes. The portal collected $1.5 billion last year. Although it is early in its implementation, eventually could process 80 million transactions annually valued at $125 billion, the report said.

Underlying the security weaknesses was inadequate management by FMS of the federal facilities personnel whose job it was to install security functions, GAO said. FMS did not require a risk assessment, security certification or accreditation to validate that vulnerabilities had been plugged.

'Numerous vulnerabilities existed in [the portal's] computing environment because of the cumulative effects of control weaknesses,' GAO said. Auditors noted problems with user accounts, passwords, access rights, network services and monitoring of security-relevant events.

For example, outdated software versions existed that were exploitable from the Internet and could have provided an attacker with root-level access to a server. From the vulnerable server, an attacker would have had direct access to the management network, the report said. An attacker could then have exploited other vulnerabilities, such as test accounts and easily guessed passwords or insecurely configured Windows servers, the report said.

The lack of an intrusion detection system and poor real-time alerts meant 'the likelihood of detection would have been remote,' GAO said.

FMS agreed with the findings, which recommended that the Treasury agency strengthen security and management. GAO also said FMS should develop technical guidance for staff members who implement security controls.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
