IRS Freely Gives Out Employee User Name/Password Info

Posted by Zonk on Sun Aug 05, 2007 02:16 PM
from the thanks-uncle-same dept.
An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"

Related Stories

IRS Data Security Still a Concern (54 comments)
Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"

  • Misleading title... (Score:5, Informative)

    by Tokimasa (1011677) <thomas,j,owens&gmail,com> on Sunday August 05, @02:23PM (#20123977) Journal
    No taxpayer information was given out...just the IRS employee's user name and password for the internal IRS system (through which someone could potentially gain access to taxpayer information).
    • Re: (Score:2)

      > No taxpayer information was given out...just the IRS employee's user name and password for the internal IRS system

      I think you parsed the headline incorrectly, let me help you with that:
      (IRS
      (Freely Gives Out)
    • Re: (Score:3, Interesting)

      Which means a lot. As someone who works for a company where log-ins are important I see huge issues with this. Any disgruntled employee who knows the password information of someone else can freely do incredible damage. While changes to any account (in
    • Re: (Score:2, Informative)

      Ok, so I'm replying to this guy twice, but I just noticed he has a +5 informative rating on this post, which is completely ridiculous.
      I should go post on the 'The Study of Physical Hacks at DefCon' saying the title is misleading because it implies that the
      • The title is simply worded poorly. It should say "IRS employees unusually susceptible to social engineering schemes". Face it, if they're willing to give out their own username and password, it wouldn't take much more skill for someone to convince them t
        • Re: (Score:2)

          Hey, now, I'm sure IRS employees pay taxes too. It's not like they get a customer discount or anything.
  • The Human Hack (Score:5, Insightful)

    by EmbeddedJanitor (597831) on Sunday August 05, @02:25PM (#20123999)
    I worked in the physical security industry for a while... designing and installing card-swipe style security systems for buildings etc. What we found with some of our research was that no matter what your physical security set up, the major holes in the operating security system were due to people. Security staff would buzz people through with no card. Tailgaters would get through on someone else's card. People would pass back their card for someone else to get in.

    The greatest security measure of all time was probably the Great Wall of China. That got breached by bribing a gate guard (OK, bribing him with his life...).

    With all the fancy immobilisers etc, many cars still get ripped off because people leave their doors open or their keys in the lock.

    Security in computing etc only changes where the action happens. People still fundamentally operate the same way.

      • Re: (Score:3, Funny)

        Mods.. wake up and take your meds!
        They have taken their "meds". That's why they are modding like this :-p
  • by multisync (218450) on Sunday August 05, @02:31PM (#20124051)
    Not to mention CEOs [slashdot.org].
  • Holy $h!t!!! (Score:5, Insightful)

    by rolfwind (528248) on Sunday August 05, @02:35PM (#20124079)
    The IRS has 100,000 employees! What a drag on the economy! Imagine if each one costs $5-10K on average per month in salary, health care, space, pension -- what that all adds up to.

    Ron Paul is right, get rid of that juggernaut.
    • Re:Holy $h!t!!! (Score:4, Insightful)

      by Invidious (106932) on Sunday August 05, @02:55PM (#20124243)
      Average employee costing $5-10K a month? LOL! The largest portion of IRS employees are GS 3-6, making, at the top end of that scale, about $17/hr (and that's if you're in NY or somewhere else that qualifies for the largest locality pay increases.) Tack on withholding (which just goes back to the IRS, at least temporarily, and you can bet your ass they're getting interest on that) and deductions for health care, SSA, TSP investment and such, and the average employee is taking home 2K/month. If they've got health insurance -- and a lot of the employees don't, particularly among the part-timers, temp, and term employees -- that's maybe an extra $300-500 in premiums covered by the gov't.
      • Re: (Score:3, Informative)

        However, future entitlements have to be factored in, pensions which I think you are underestimating, and space. People don't work in the outdoors. They were in buildings that have to be built and paid for, with air conditioning and maintenance, and do they u
        • Re:Holy $h!t!!! (Score:4, Interesting)

          by Fulcrum of Evil (560260) on Sunday August 05, @03:28PM (#20124411)
          And the GNP is $40T. Really, who cares about a cost of collections of .025%?
          • Re: (Score:2)

            Collections were 2.2T in 2006, not $40T. You can't base cost of collections on GNP, that's just stupid.
          • Re: (Score:3, Insightful)

            Hate to hop into this argument, but wouldn't the cost of collections be taken from the $3T they actually collect? So it's more like .3%.. Still a small amount, but still several times higher.. GNP is a big number people like to use to make other things s
      • Re: (Score:3, Insightful)

        Salary/wages are usually less than 50% of the total cost of an employee. The cost of the office rent, power, PCs, desks, support systems, infrastructure, and all the people who maintain those things is at least as much as their salary. So your figure of 2k
    • Re: (Score:3, Interesting)

      The cost of IRS employees is noise. The real drag on the economy is excessive government spending, but even without getting a lid on the congress's profligate ways, there's a better way to collect the money, while doing far less damage. See here. [fairtax.org]

      -jcr

      • Re:Holy $h!t!!! (Score:4, Funny)

        by The One and Only (691315) * <phil@philwelch.net> on Sunday August 05, @05:08PM (#20125163) Homepage
        You misspelled "worse way", "more damage", and "I don't know anything about economics".
        • Re: (Score:2)

          Oh, you're so clever. Are you a lobbyist or a congressional staffer?

          -jcr

          • No, quite far from it. I'm just a guy who would rather have a 10% smaller paycheck than pay 30% sales tax on everything I buy. And, honestly, unless you're at the point where you're saving or investing most of your income, switching to a national sales tax
            • Re: (Score:2)

              > I'm just a guy who would rather have a 10% smaller paycheck

              Ah, I see you're in the market for a bridge.

              You're paying far more than 10%.

              -jcr

              • Am I? Maybe, I don't have my tax returns handy so I can't say. But I would be paying even more if it was a sales tax. They were example numbers, anyway--I wouldn't exchange a 20% income tax for a 50% sales tax, either. I didn't really want to spend the tim

            • Re: (Score:2)

              Ah, I see you Americans are barely getting used to the idea of what we Europeans call "Value Added Tax".
              The fun part however (not in the "ha, ha, funny" way however) is that you'll probably get that AND THEN KEEP everything else in place too.
    • Re: (Score:2)

      I like Paul, too. A rarity among the swine who dominate American politics. In fact, he appeals to me more than do any of the leading Democrats, although I am to the left of all of them.

      Paul's anti-war and anti-IRS positions address our central problem:

  • It took this long for this to hit /.? (Score:5, Interesting)

    by Invidious (106932) on Sunday August 05, @02:35PM (#20124083)
    Actually, I work for the IRS, so let me set the record straight. I've seen the original paper, which was published months ago: the users involved didn't give out their passwords, they changed them to one requested by the "tech support" person (and these calls came in to extensions which the public doesn't really have access to, for the most part.) Still highly stupid, but most of the people at the IRS don't know much about computers, and while they've generally got "don't give out your password" down, they didn't seem to equate this to "if you change your password to something someone suggests, that's the same thing."

    Also, this is mostly an internal threat; without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.

    But, whatever. This is what happens when you have what amounts to a major data center staffed primarily by people who're just barely computer literate. AFAIK, memos about the problem have gone out to ~everyone and meetings have been held at the lowest levels to inform the staff that doing this is Bad.

    What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting paid $100K+ a year would have a clue about data security.
    • Re: (Score:2)

      > What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting pa

      • Stupid? (Score:4, Interesting)

        by Slashdot Parent (995749) on Sunday August 05, @03:08PM (#20124315)
        Well, he did his undergrad at Yale and has a Harvard MBA. He flew fighter jets (F-102s) in the national guard.

        Can you fly a fighter jet? I can't.

        You would have an easy time convincing me that several negative adjectives describe President Bush. However, you will have difficulty convincing me that the man is stupid.
        • Re: (Score:3, Insightful)

          > Can you fly a fighter jet? I can't.

          He couldn't either before he was trained to. Could you learn to fly a fighter jet? Probably.

          As far as his school is concerned, that's just riding daddy's coattails. And his business deals with Enron and the Rangers shows
          • Re: (Score:2)

            Um, no. Daddy's coattails help to get in the door, but graduation still requires passing the courses.

            -jcr

            • Re: (Score:2)

              At certain good MBA programs failing to pass would require killing half the faculty and even that may not do the job. Basically signing up for a class gives you a B and you can only go up from there not down (no matter how much you piss off the professor t
              • Re: (Score:2)

                You know, one rich kid did get away with an honor code violation. He cheated on a Spanish exam, and should have been expelled per the school's honor code. That rich kid was Teddy Kennedy, and the school was U. Va.

                Now, if you want to claim that any other
        • Re: (Score:2)

          > Well, he did his undergrad at Yale and has a Harvard MBA. He flew fighter jets (F-102s) in the national guard.

          That might mean something if you believe his participation in each of those programs was based only on merit and not family wealth and connections.

        • Re: (Score:2, Informative)

          You think flying a jet makes you "smart"? Sure... smarter than your average bear, but we're talking about the president of the US here. I don't think being a fighter pilot indicates that you have the strategic thinking abilities and grasp of subtlety nee
        • Re: (Score:3, Insightful)

          > Can you fly a fighter jet? I can't.

          I probably can. This means that I could probably get in one, take off, fly in a big circle and possibly land without killing myself (landing's the hard part). If I was rated on a medium sized prop plane, I'd upgrade th

          • Re: (Score:2)

            Monkeys can be trained to pilot space vehicles too.

            No monkey ever piloted a space vehicle. They were put aboard capsules that followed a programmed flight profile.

            -jcr

      • Re: (Score:2)

        There's a huge difference between stupid and inarticulate.

        Bush is one, but certainly not the other.
          • Re: (Score:2)

            He's not a genius by any stretch, but he's smarter than the average politician (which doesn't sound like much, but...)

            You are assuming his aims and goals of the Presidency are the same as what you think they are. If he was seriously trying to make America
  • they should be sacked... (Score:3, Interesting)

    by advocate_one (662832) on Sunday August 05, @02:58PM (#20124261)
    then the rest might just start taking things seriously...
  • People need to grow some balls (Score:5, Insightful)

    by HalAtWork (926717) on Sunday August 05, @03:19PM (#20124367)
    People need to grow some balls when it comes to these situations. They're afraid of offending the person on the other end, they think they're suggesting that they're liars or frauds. Really, it's just a precaution for your own ass (you'll get fired) and your business (their normal operations can't be disrupted by random people).

    Then again, administrators, executives, etc need to be more patient and understanding when what they say is challenged. They can't get an attitude or it will cause people to react by defending their character; i.e. if a less confident individual is accused of incompetence, audacity, or whatever for challenging another, then they will be more likely to feel that it is audacious or incompetent to verify a workplace activity.

    Using social engineering to get people to give up their passwords? People were already socially engineered to be susceptible, and afraid. Places of business need to have employees treat each other with respect and make it clear to the employees that they have a right to challenge the legitimacy of any workplace situation.
    • Some balls ... a little story (Score:4, Interesting)

      by pbhj (607776) on Monday August 06, @05:54AM (#20128497) Homepage Journal
      I part-own a ceramic cafe. A sales person visited to encourage us to switch to accepting Amex (IIRC). After all the blah-blah I said "sounds fine", he says give us your bank details (on the form for Amex).

      So, I wanted to get some verification of his ID. He shows me a photo card, OK. Can I ring your boss? He didn't have a number I could call (eg on the Amex literature) only some number on his business card (I spoke to the guy on the other end, but all this shows is he knows someone with a phone!). Even if I could have had that number on the literature how would that verify him, methinks, easily faked.

      It turns out he was genuine (or an Amex insider!) - I eventually managed to chase him through the Amex phone system. But without some means to check his ID the transaction never happened.

      The thing is this. Clearly no-one else ever bothered to ask for (proper) identification - there was no system in place. And this for a major financial institution that relies on proper ID.
  • There are bigger risks for the IRS (Score:5, Interesting)

    by Alain Williams (2972) on Sunday August 05, @03:24PM (#20124387) Homepage
    Yes: people should know better; training should be better. However with 100,000 employees there will be many who can be 'bought', they may have finance problems (drugs, gambling, divorce, ...). For a bit of cash you could get the info that you want without having to get access to internal systems and know any passwords.
  • Social Engineering (Score:5, Insightful)

    by nurb432 (527695) on Sunday August 05, @03:27PM (#20124403) Homepage Journal
    Is always the most effective way into a 'system'.
      • Re: (Score:2)

        A lot depends on what user you manage to con.

        Some do have high enough rights to cause damage, but I agree most don't.
  • That kind of bad training doesn't happen overnight. Where is the US Cybersecurity chief [wikipedia.org], who should be making sure that government agencies use proper security practices? Do we even have one, after every other one since Bush created the department has resi