IRS employees successfully social engineered


In an audit of IRS security practices, the Treasury Inspector General for Tax Administration was able to social engineer IRS employees into handing over their user names and changing their passwords to one the caller suggested, which is as good as disclosing the password outright, a staggering 61% of the time.

According to the report, a caller posing as a technical support person contacted 102 employees. On the pretext of fixing a computer problem, he tried to persuade each of them to temporarily change their password to one he suggested.

Excerpt from SignOnDiego.com:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request... Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller.

Also,

The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.

The especially disturbing part here is the revelation that the IRS had already taken many measures to improve security awareness after two similar test telephone calls in 2001 and 2004.

The report sums up those efforts bluntly: "... the corrective actions have not been effective."

Needless to say, employees who change their password on a stranger's say-so put the IRS at risk of handing unauthorized people access to taxpayer data. Still, is this case simply a sign that end users cannot be educated, especially in a large corporation or organization spanning multiple locations, or does it point to the lack of a proper system, one in which support staff never have a legitimate reason to ask a user to set or reveal a password over the phone, so that any such request is by definition suspect?

You might also want to check out The Deadliest Zero Day Exploit, which I wrote a while back.

In the meantime, do share your views with us.


About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

18 comments
janezhao88

It looks like the IRS needs more measures than just an employee awareness policy. It needs specific enforcement procedures. Employees are only human, even in the IRS ;). It is almost unfair to expect them to stay vigilant while working on their routine load all the time.

jswift

Where I work, we are subject to the Health Information Privacy and Portability Act, which stipulates a $200,000 fine and/or 5 years in prison for the disclosure of the identity of our clients. When we trained the trainers (those who would train everyone in the agency), this was explained. When I went to training (everyone had to go to training) this point was not covered. When I asked why, I was told that they had been told it was too scary for new hires. Now, even the laziest, stupidest person cannot be fired at the first instance of walking away from a computer with confidential information viewable on it, because they were not informed of the severity of the violation.

mauritz.scherman

It just proves that the real problem lies between the keyboard and the screen.

melekali

Any idiot should know that the IT department would never call asking a user to change a password. Why would they? They have the power to do that already. Users are ALWAYS the greatest and weakest link in computer security.

NickNielsen

Just because they work for the Infernal Revenue doesn't make them any smarter than the average user. Edit: In fact, I wouldn't be surprised to find that they believe nobody would mess with them *because* they are with the IRS.

melekali

Sad but true, I think you are totally correct.

IT-b

That number doesn't surprise me. It seems like most people still believe that the odds are with them when it comes to identity theft & hacking, and they want to believe that if the person sounds nice on the phone, that they have good intentions.

paulmah

Do share your views with us.

GreyTech

One of the problems with security is that it is not part of the user's job/interest. Their job is accounts/secretary/HR etc. Security is both complex and a barrier to getting on with their work. The best security for those outside the security industry must be simple to use and not get in the way. From the security officer's point of view it must be foolproof and unavoidable. Bio-security may be part of the answer to move towards it being FOOLproof, but it still needs some user input.

One suggestion is RFID user ID cards with a simple PIN that does not have to be changed every 42 days or whatever IT or Microsoft suggest. I have found that people do not write down passwords if they are allowed to keep them for a long time. My own experience is: don't force expiry dates, but do suggest that users use longer phrases with a minimum of 12 characters. Making it clear to all users that no one will ever need to know their passwords, including their boss, encourages them to use the same sort of security attitude that they use with their on-line banking. I have always used the approach that everything that is done in the system using their ID is their responsibility. It does mean that all IT administrators need to be strictly audited.

The best system I found was using RFID security passes with PINs that were also needed to move from one area of the building to another. The PINs were not needed to move around but only to get access to PCs and photocopiers. PCs could not be accessed in an area if the user had not entered the area using the pass, so holding the door open did happen, but users still ran their pass by the RFID sensor to "log" them into the area.

cubeslave

True, there is an argument for some user training (especially in security) there, but I think part of the fault is with the organization (aside from the apparent lack of the earlier mentioned user training). Seeing how sensitive the data they compile is, I would think they should have some kind of local, or at least dedicated, support staff. With more and more user support moving farther and farther from the user (outsourcing, and centralized operations) this sort of thing becomes easier and easier to do. For general PC, software and network problems, I don't think I have ever dealt with the same remote help desk tech twice. The situation is much more secure with the hardware and apps for which we have a limited number of contacts. Even when the support isn't local, we know exactly who should be calling, and who to check with if anyone else calls. If those IRS employees had local support, they would have known something was up the second anyone other than their known support people called in to ask them to do anything. I'll bet that, of the users who were compromised, there was a portion who had concerns but gave in because they had no idea who to check with.

ozi Eagle

Hi. Maybe the answer is to use fingerprint scanners to log in. IT sets up the system with the password(s) and the user doesn't know them. They log in by touching the fingerprint scanner. Any future querying of the user for passwords etc. would be useless, because they don't know them. The old adage: you can't tell what you don't know. Herb

Rob Howard

As has been quoted, Mythbusters cracked this one fairly easily. Fingerprints fall into the security category of something you have, similar to a username; they are publicly available (just watch the police shows like CSI). They can only serve in a security sense as a means of identifying a user, not authenticating a user. Cheers, Rob

mad tabby

By getting a fingerprint, photocopying it, cleaning up the photocopy and then running it. Of course it's still a lot harder to hack a fingerprint than to hack a password taped to the monitor. Although I wonder: if I cut my finger, will I still be authorized? Or will the computer see it as a different fingerprint?

melekali

That's an excellent idea, assuming it works consistently. I haven't had the opportunity to try this technology yet. Have you?

dryflies

Small network, 70 users, good physical and system security; the big hole is the users, despite repeated warnings and training, including posters, talks, lectures, etc. I can find the password to at least half the systems in my domain on a yellow sticky somewhere near the desk it sits on. I am frustrated at the lack of concern for security that my users have.

mad tabby

And when I've tried to give them tips such as "if you need to write something down, write down a hint, NOT THE PASSWORD", the average response I get is "I'm too busy to deal with that". I wish I was in a position to lock them out over such things.

melekali

I would recommend you talk with the bosses and see if they will go along with this. Those who write down their passwords like you described should be locked out of the system for a period you and management come up with. At the far end, if people fail to follow simple security procedures, fire their sorry selves and hire someone with a functional brain.

Locrian_Lyric

I know a few tried and true tricks. I won't publish them for obvious reasons, but I do tell people what to look out for.

1) "Idiot traps": these are along the lines of a big red button that says "don't push". The trick works by playing on basic human curiosity. A variant of that is the 'forbidden secret', be it a malicious file labeled 'HR salary info' or a secret about a celebrity.

2) The "I don't want to get in trouble" trap. You see this one in the movies all the time when someone bluffs their way past a guard, asking them to cut them some slack because they lost their ID for the third time this month or some other sob story. This one works well too. The irony of this one is that the more tightly security clamps down, the more effective this one is. Fellow employees who have been hassled by security for seemingly trivial matters will be VERY sympathetic and hold the door open for that 'employee' who 'lost his ID card'.

3) DO THIS OR YOU'RE GOING TO BE IN TROUBLE! Simple intimidation. The scammer pretends to be someone in a position of power and simply demands the information they want.

4) Standard procedures: this one nails bureaucracies every time. When employees are trained to be mindless robots and policies are never explained, someone can just walk in, grab anything they want and leave with it if they simply assert that they are following a new procedure.