GAO finds holes in Pay.gov; Treasury plugs 'em

GAO finds holes in Pay.gov; Treasury plugs 'em

Inconsistent security controls for Treasury Department's online payment service left it open to rogue users, who could tap into customers' confidential information or disrupt service, the General Accounting Office reported today.

Based on the findings of the congressional auditors, Treasury's Financial Management Service immediately took action. Between the audit briefing and the release of the new report, the agency told GAO that it has corrected the security weaknesses.

FMS and the Federal Reserve put in place and documented many security controls and procedures for the Pay.gov portal. But those controls were not always implemented effectively enough to ensure the confidentiality, integrity and availability of the data, GAO said in its report, Information Security: Computer Controls over Key Treasury Internet Payment System.

Via Pay.gov, which FMS manages and the Federal Reserve operates at three of its facilities, the public can make online payments for things such as loans, fines and fees, but not taxes. The portal collected $1.5 billion last year. Although it is early in its implementation, Pay.gov eventually could process 80 million transactions annually valued at $125 billion, the report said.

Underlying the security weaknesses was inadequate management by FMS of federal facilities personnel whose job it was to install security functions, GAO said. FMS did not require a risk assessment for security certifications nor accreditations to validate that vulnerabilities had been plugged.

'Numerous vulnerabilities existed in [the portal's] computing environment because of the cumulative effects of control weaknesses,' GAO said. Auditors noted problems with user accounts, passwords, access rights, network services and monitoring of security-relevant events.

For example, outdated software versions existed that were exploitable from the Internet and could have provided an attacker with root-level access to a server. From the vulnerable server, an attacker would have had direct access to the management network, the report said. An attacker could then have exploited other vulnerabilities, such as test accounts and easily guessed passwords or insecurely configured Windows servers, the report said.

The lack of an intrusion detection system and poor real-time alerts meant 'the likelihood of detection would have been remote,' GAO said.

FMS agreed with the findings, which recommended that the Treasury agency strengthen Pay.gov security and management. GAO also said FMS should develop technical guidance for staff members who implement security controls.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • cloud video processing

    Sprocket kicks video processing into high gear

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group