Study: IRS security vulnerable to social engineering
Hey, baby, I'm the taxman -- and I can be hacked by random phone callers
IDG News Service - The Internal Revenue Service computer network is vulnerable to social-engineering hacks, with 60% of employees changing their computer passwords when requested by phone callers posing as help desk workers, according to a government auditor.
The IRS employees fell for the ruse even though the Treasury Inspector General for Tax Administration Office has run similar tests with IRS employees two other times since August 2001.
Sixty-one of 102 IRS employees and contractors contacted in March and April agreed to change their passwords to ones requested by callers from TIGTA, posing as IRS help-desk workers.
In the last test, only eight of the 102 employees contacted IRS authorities about the social-engineering attempt.
Seventy-one percent of employees fell for a similar trick in August 2001, but only 35% fell for it in December 2004. TIGTA called the recent results "alarming" in a report (PDF format) released Friday.
While IRS officials have said there's never been a successful outside attempt to breach agency computers and steal taxpayer data, the social-engineering vulnerabilities raise concerns, the report said.
"This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords," Treasury Inspector General J. Russell George said in a statement. "All the sophisticated encryption and other security mechanisms available will not protect the sensitive taxpayer data on IRS computers until employees get the message loud and clear that they must, at a minimum, protect their passwords."
Asked why they changed their passwords, 21 of the IRS workers said the scenario the caller presented sounded legitimate. Ten employees said they believed that changing their passwords is not the same as disclosing their passwords, which they know is against the rules. Eight employees know the rules but changed their passwords anyway, according to the TIGTA report.
Of the 41 who refused to change their password, 20 said training, e-mail advisories or meetings reinforced the need to protect their passwords, and 17 said they didn't believe the scenario or couldn't verify the caller.
Asked why the numbers of disclosures increased from 2004, TIGTA spokeswoman Bonnie Heald said she didn't know. "That's a good question to ask IRS," she said. "IRS has tried to work really hard to raise security awareness."
An IRS spokesman said he didn't think the agency would comment on the report.
TIGTA made recommendations to the IRS, including continued security awareness training and internal social-engineering tests. The agency has agreed with the recommendations, the TIGTA report said.
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!