Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck United States

IRS Freely Gives Out Employee User Name/Password Info 146

An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"
This discussion has been archived. No new comments can be posted.

IRS Freely Gives Out Employee User Name/Password Info

Comments Filter:
  • Misleading title... (Score:5, Informative)

    by Tokimasa ( 1011677 ) <[thomas.j.owens] [at] [gmail.com]> on Sunday August 05, 2007 @02:23PM (#20123977) Journal
    No taxpayer information was given out...just the IRS employee's user name and password for the internal IRS system (through which someone could potentially gain access to taxpayer information).
    • by AchiIIe ( 974900 )
      > No taxpayer information was given out...just the IRS employee's user name and password for the internal IRS system

      I think you parsed the headline incorrectly, let me help you with that:
      (IRS
      (Freely Gives Out)
      (Taxpayer
      ((User Name/Password)
      • I don't get what you are trying to say...the title implies that the IRS is giving away information relating to taxpayers. That is not happening (at least in this study).
        • One would hope that the people working for the IRS are taxpayers as well...
        • ...the title implies that the IRS is giving away the usernames and passwords of their employees. I don't know how they could have stated it any more clearly.

          'IRS' - The Internal Revenue Service
          'Freely Gives Out' - Gives random people who call them
          'Employee User Name/Password Info' - the usernames and passwords of their employees

          The Internal Revenue Service gives random people who call them the usernames and passwords of their employees.
          How is that misleading???
      • by rolfwind ( 528248 ) on Sunday August 05, 2007 @02:38PM (#20124109)
        when you start speaking with a Lisp.
    • Re: (Score:3, Interesting)

      by Mistlefoot ( 636417 )
      Which means a lot. As someone who works for a company where log-ins are important I see huge issues with this. Any disgruntled employee who knows the password information of someone else can freely do incredible damage. While changes to any account (in our system) are trackable - those tracks lead to the person who logged in and made the changes.

      What's to stop one of those 100,000 employees from doing something to their hated neighbour, mechanic, or whomever; while logged in as someone who gave out their
      • Re: (Score:1, Interesting)

        by Anonymous Coward
        You don't have to be an IRS employee to do that. Just file a tax return, report a million bucks in gambling winnings, and put your victim's name and address on it. Once any IRS computer decides that you own a shitload of money, it can take a decade for every IRS computer to quit sending goons to harass you for it.
    • Re: (Score:2, Informative)

      by Urza9814 ( 883915 )
      Ok, so I'm replying to this guy twice, but I just noticed he has a +5 informative rating on this post, which is completely ridiculous.
      I should go post on the 'The Study of Physical Hacks at DefCon' saying the title is misleading because it implies that the hacks are taking place on a computer. Except...no, that would actually make some sense, since that's a common usage of hack. People would actually understand where I'm coming from on that one. The above statement is mind-blowing in the sense that it is co
      • The title is simply worded poorly. It should say "IRS employees unusually susceptible to social engineering schemes". Face it, if they're willing to give out their own username and password, it wouldn't take much more skill for someone to convince them to give up information about people they don't even know if you presented the request in a believable manner.
      • (1) At the time of my posting, "Employees" was "Taxpayer", which was incorrect. This was changed well after my posting.

        (2) Even with this information, it's not like you can just log into the IRS system and change tax data. You can look at a lot of information, which is where the problem is.
        • reply to 1) Ah, ok. I see. That is extremely misleading

          2) Exactly. I never said you can just log in and change tax data. I agree with you completely on this point.
        • Hey, now, I'm sure IRS employees pay taxes too. It's not like they get a customer discount or anything.
  • Wasn't there a story on this yesterday?
  • The Human Hack (Score:5, Insightful)

    by EmbeddedJanitor ( 597831 ) on Sunday August 05, 2007 @02:25PM (#20123999)
    I worked in the physical security industry for a while... designing and installing card-swipe style security systems for buildings etc. What we found with some of our research was that no matter what your physical security set up, the major holes in the operating security system were due to people. Security staff would buzz people through with no card. Tailgaters would get through on someone elses card. People would pass back their card for someone else to get in.

    The greatest security measure of all time was probably the Great Wall of China. That got breached by bribing a gate guard (OK, bribing him with his life...).

    With all the fancy immobilisers etc, many cars still get ripped off because people leave their doors open or their keys in the lock.

    Security in computing etc only changes where the action happens. People still fundamentally operate the same way.

  • by multisync ( 218450 ) on Sunday August 05, 2007 @02:31PM (#20124051) Journal
    Not to mention CEOs [slashdot.org].
  • Holy $h!t!!! (Score:5, Insightful)

    by rolfwind ( 528248 ) on Sunday August 05, 2007 @02:35PM (#20124079)
    The IRS has 100,000 employees! What a drag on the economomy! Imagine if each one costs $5-10K an average per month in salary, health care, space, pension -- what that all adds up to.

    Ron Paul is right, get rid of that juggernaut.
    • Re:Holy $h!t!!! (Score:4, Insightful)

      by Invidious ( 106932 ) on Sunday August 05, 2007 @02:55PM (#20124243)
      Average employee costing $5-10K a month? LOL! The largest portion of IRS employees are GS 3-6, making, at the top end of that scale, about $17/hr (and that's if you're in NY or somewhere else that qualifies for the largest locality pay increases.) Tack on witholding (which just goes back to the IRS, at least temporarily, and you can bet your ass they're getting interest on that) and deductions for health care, SSA, TSP investment and such, and the average employee is taking home 2K/month. If they've got health insurance -- and a lot of the employees don't, particularly among the part-timers, temp, and term employees -- that's maybe an extra $300-500 in premiums covered by the gov't.
      • Re: (Score:3, Informative)

        by rolfwind ( 528248 )
        However, future entitlements have to be factored in, pensions which I think you are underestimating, and space. People don't work in the outdoors. They were in buildings that have to built and paid for, with airconditioning and maintenance, and do they use computers? A car?

        I looked up the budget for the IRS in 2008, a little more than $11B. Divided by 100K employees, that is $9167 per employee per month to operate - so I guess I am correct.
        • Re:Holy $h!t!!! (Score:4, Interesting)

          by Fulcrum of Evil ( 560260 ) on Sunday August 05, 2007 @03:28PM (#20124411)
          And the GNP is $40T. Really, who cares about a cost of collections of .025%?
          • Collections were 2.2T in 2006, not $40T. You can't base cost of collections on GNP, that's just stupid.
          • Re: (Score:3, Insightful)

            by QuantumRiff ( 120817 )
            Hate to hop into this argument, but wouldn't the cost of collections be taken from the $3T they actually collect? So its more like .3%.. Still a small amount, but still several times higher.. GNP is a big number people like to use to make other things seem soo much smaller and insignificant..
      • Re: (Score:3, Insightful)

        Salary/wages are usually less than 50% of the total cost of an employee. The cost of the office rent, power, PCs, desks, support systems, infrastructure, and all the people who maintain those things is at least as much as their salary. So your figure of 2k probably comes out to 5k in total costs.
    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
      • by The One and Only ( 691315 ) * <[ten.hclewlihp] [ta] [lihp]> on Sunday August 05, 2007 @05:08PM (#20125163) Homepage
        You misspelled "worse way", "more damage", and "I don't know anything about economics".
        • Comment removed based on user account deletion
          • No, quite far from it. I'm just a guy who would rather have a 10% smaller paycheck than pay 30% sales tax on everything I buy. And, honestly, unless you're at the point where you're saving or investing most of your income, switching to a national sales tax will only hurt you.
            • Comment removed based on user account deletion
              • Am I? Maybe, I don't have my tax returns handy so I can't say. But I would be paying even more if it was a sales tax. They were example numbers, anyway--I wouldn't exchange a 20% income tax for a 50% sales tax, either. I didn't really want to spend the time working out a rigorous mathematical relation, and if I did, it would probably obscure my point more than illustrate it.

                The point is, if you take the same tax burden (doesn't matter what size it is) and distribute it among sales taxes, you're going to ge

                • Comment removed based on user account deletion
                  • by Don853 ( 978535 )
                    I just read that, and I'm more confused than I was before. How will they increase the tax income if the tax burden of every income category of citizen is reduced (per graphs on pages 3 & 4)? Is it working on the premise that lowering the tax rate will increase consumption, increasing spending, increasing the tax base and taxes collected? I'm not sure I follow where exactly the money is coming from under their proposal. Or was it this line that makes up the difference?

                    Generally total taxes paid di
                    • Comment removed based on user account deletion
                    • by Don853 ( 978535 )
                      I did see that.. I'm just curious... The tax net revenue (collected - rebate) summed over the whole population has to remain pretty similar to the current tax revenue. If someone's paying at a lower rate, either someone else has to be paying at a higher rate or the whole pot has to be getting bigger. It appears they think the pot will be getting somewhat bigger (they claimed 10.5% in the first year), but it didn't seem like it would be enough to make up the difference. Obviously making the tax code simp
                    • Comment removed based on user account deletion
                • "Am I? Maybe, I don't have my tax returns handy so I can't say. But I would be paying even more if it was a sales tax. They were example numbers, anyway--I wouldn't exchange a 20% income tax for a 50% sales tax, either. I didn't really want to spend the time working out a rigorous mathematical relation, and if I did, it would probably obscure my point more than illustrate it."

                  I dunno...from what I've seen, the so called 'Fair Tax' would do more good than harm. In past years...I was taxed like 30% of my pa

                  • No, actually it wouldn't. First, the rich already pay more in income tax anyway--things like interest are already taxable income, so you can't "live off investments or inheritance" without paying income tax. Secondly, even not counting "necessities", poor and middle class people still pay disproportionately more for "non-essential goods" than the rich. The rich might save like 80% of their income, spend 10% on essentials, and 10% on non-essentials. The poor, if they're lucky, save 10%, spend 60% on essentia

                    • Comment removed based on user account deletion
                    • They may not pay the nominal rate, but they still pay more than they would with a national sales tax.
                    • Comment removed based on user account deletion
                    • No, it most certainly is not. Someone who is rich enough to only spend 10% of their income on spending would only pay 30% of 10-20%, or 3-6%. We both know those people would pay more than 3-6% income tax. Hell, you're probably one of them, and that's why you're foisting this crap off on the rest of us. (I was enamored with national sales taxes when I was in high school, until I learned what a stupid idea it was. What's your excuse?)
                    • Comment removed based on user account deletion
                    • I'm working on it too. Unfortunately, I wouldn't be doing nearly as good a job if I had to pay 30% sales tax on everything. That's the entire goddamn point--high sales taxes make upward social mobility artificially difficult. They're sort of a drawbridge where rich people stay that way and don't allow anyone else to join them. Income taxes, on the other hand, don't get in the way of stepping up.
                    • Comment removed based on user account deletion
                    • I could very well ask you the same question. If you compare sales tax (which is weighted against the poor) against progressive income tax (which is weighted against the rich) or even a flat income tax (which is weighted less drastically against the rich), and consider that people become rich by saving money, putting more of the tax burden on poor people will keep them from becoming rich by preventing them from saving money or forcing them into greater debt. That's not a difficult thing to understand.
                    • Comment removed based on user account deletion
                    • Small businesses have to do paperwork to handle sales taxes, too, if they sell anything. In any case, "let's simplify the accounting for our tax system" is a far cry from "let's fundamentally change the basis of our tax system". That's like saying that instead of eating dirty food you should eat paper. No, you eat clean food.
                    • Comment removed based on user account deletion
                    • I love rich people--and hey, if anything I hate poor people. In any case, bringing personal motivations into the discussion was a mistake and I apologize for introducing that unpleasantry.

                      That being said, dealing with income taxes could be just about as trivial as sales taxes, if the income tax system was simplified. Imagine a flat tax, for instance. Every time you produce a paycheck, apply the flat rate, withhold the funds, and remit payment. Doing that would solve the problems you point out while avoidin

                    • Comment removed based on user account deletion
                    • A flat tax is an improvement, but we started with a flat income tax applied only to rich people, and look where we are now.

                      I could just as much argue that *you* want to start with a flat sales tax applied only to...well, whatever you want to make exempt--and say that we're going to end up in the same place years from now. (If we're lucky--we might get there as soon as it gets out of committee.)

                      As long as there's any kind of an income tax, it will be business as usual, as the politicians keep playing the game of bribing us by offering temporary relief to one group or another at everyone else's expense. Manipulating a sales tax is far more obvious, and harder for a politician to rationalize.

                      But you've opened the door to that the second you start coming up with exemptions. Then it'll become variable rates for "luxury items" and cruft will accumulate just as it did before. The reason state sales taxes don't do that is, fi

                    • Comment removed based on user account deletion
                    • Does putting words in other people's mouths work in your usual social circles? I didn't say I wanted to exempt anything, and the FairTax bill is very clear on this. It applies to all retail sales and services of new goods.

                      Christ, than it's even worse than I had thought. Exemptions for things like housing and food are pretty much universal in state income taxes, and I assumed they would be present in a federal income tax. They would, without a doubt, be introduced should a federal sales tax ever be seriously considered by the Congress, but if you're arguing against them, that only strengthens my point. Do you honestly think making it more difficult to afford groceries is a good thing? (Further, my point was--and I apologize

                    • Comment removed based on user account deletion
                    • I agree with your main point. That said, putting exemptions into the sales tax is already popular enough to get away with, and may be brought on by popular demand itself. Other complications will be easy to hide because sales taxes are calculated entirely by sellers. If the government wanted to do something really complicated like vary the tax rate based upon the price, carbon footprint, etc. of a given product, the end user won't see any of these complications--especially if they went a step further and ma
                  • Comment removed based on user account deletion
            • Ah, I see you Americans are barely getting used to the idea of what we Europeans call "Value Added Tax".
              The fun part however (not in the "ha, ha, funny" way however) is that you'll probably get that AND THEN KEEP everything else in place too.
              • Like Europe? (I think there is a difference between VAT and sales tax--VAT is incorporated into the posted price, sales tax is calculated and added onto the bill later. VAT is more convenient, sales tax is more transparent.)
      • by Manchot ( 847225 )
        Too bad the so-called "fair tax" is actually highly regressive (as is all sales tax), making it decidedly unfair. Even though it makes exemptions for spending below the poverty line, it'll still have the overall effect of putting pressure on the middle class.
    • I like Paul, too. A rarity among the swine who dominate American politics. In fact, he appeals to me more than do any of the leading Democrats, although I am to the left of all of them.

      Paul's anti-war and anti-IRS positions address our central problem: we cannot sustain our misshapen and violent empire, nor should we try.

      Under the mutant Reagan-Clinton-Bush vision of government, tax revenues are collected primarily for military expansion and subsidizing corporate profits. Meanwhile the essence of any

  • by Invidious ( 106932 ) on Sunday August 05, 2007 @02:35PM (#20124083)
    Actually, I work for the IRS, so let me set the record straight. I've seen the original paper, which was published months ago: the users involved didn't give out their passwords, they changed them to one requested by the "tech support" person (and these calls came in to extensions which the public doesn't really have access to, for the most part.) Still highly stupid, but most of the people at the IRS don't know much about computers, and while they've generally got "don't give out your password" down, they didn't seem to equate this to "if you change your password to something someone suggests, that's the same thing."

    Also, this is mostly an internal threat; without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.

    But, whatever. This is what happens when you have what amounts to a major data center staffed primarily by people who're just barely computer literate. AFAIK, memos about the problem have gone out to ~everyone and meetings have been held at the lowest levels to inform the staff that doing this is Bad.

    What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting paid $100K+ a year would have a clue about data security.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.

      Course, isn't there a statistic floating around that most corporate espionage is done by insiders?

      captcha: probed
    • Re: (Score:1, Troll)

      by insomnyuk ( 467714 )
      Replace 'barely computer literate' with 'barely literate' and you have a more accurate assessment.
    • by rho ( 6063 )

      What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting paid $100K+ a year would have a clue about data security.

      Trust a government employee to fail to realize what's really fucked up about the situation.

      What's really fucked up is that the IRS, which asks for, demands and is granted access to a great deal of

  • by advocate_one ( 662832 ) on Sunday August 05, 2007 @02:58PM (#20124261)
    then the rest might just start taking things seriously...
  • by HalAtWork ( 926717 ) on Sunday August 05, 2007 @03:19PM (#20124367)
    People need to grow some balls when it comes to these situations. They're afraid of offending the person on the other end, they think they're suggesting that they're liars or frauds. Really, it's just a precaution for your own ass (you'll get fired) and your business (their normal operations can't be disrupted by random people).

    Then again, administrators, executives, etc need to be more patient and understanding when what they say is challenged. They can't get an attitude or it will cause people to react by defending their character; i.e. if a less confident individual is accused of incompetence, audacity, or whatever for challenging another, then they will be more likely to feel that it is audacious or incompetent to verify a workplace activity.

    Using social engineering to get people to give up their passwords? People were already socially engineered to be susceptible, and afraid. Places of businesses need to have employees treat each other with respect and make it clear to the employees that they have a right to challenge the legitimacy of any workplace situation.
    • by pbhj ( 607776 ) on Monday August 06, 2007 @05:54AM (#20128497) Homepage Journal
      I part-own a ceramic cafe. A sales person visited to encourage us to switch to accepting Amex (IIRC). After all the blah-blah I said "sounds fine", he says give us your bank details (on the form for Amex).

      So, I wanted to get some verification of his ID. He shows me a photo card, OK. Can I ring your boss? He didn't have a number I could call (eg on the Amex literature) only some number on his business card (I spoke to the guy on the other end, but all this shows is he knows someone with a phone!). Even if I could have had that number on the literature how would that verify him, me thinks, easily faked.

      It turns out he was genuine (or an Amex insider!) - I eventually managed to chase him through the Amex phone system. But without some means to check his ID the transaction never happened.

      The thing is this. Clearly no-one else ever bothered to ask for (proper) identification - there was no system in place. And this for a major financial institution that relies on proper ID.
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday August 05, 2007 @03:24PM (#20124387) Homepage
    Yes: people should know better; training should be better. However with 100,000 employees there will be many who can be 'bought', they may have finance problems (drugs, gambling, divorce, ...). For a bit of cash you could get the info that you want without having to get access to internal systems and know any passwords.
  • Social Engineering (Score:5, Insightful)

    by nurb432 ( 527695 ) on Sunday August 05, 2007 @03:27PM (#20124403) Homepage Journal
    Is always the most effective way into a 'system'.
  • taxpayer (Score:1, Funny)

    by Anonymous Coward
    whew, it's a good thing i don't pay taxes.
  • That kind of bad training doesn't happen overnight. Where is the US Cybersecurity chief [wikipedia.org], who should be making sure that government agencies use proper security practices? Do we even have one, after every other one since Bush created the department has resigned in disgust?

    And is the current one as fired as is the clueless one in _Live Free or Die Hard [imdb.com]_?
  • I used to work for the federal government, and I am now a contractor. Everything you feared about the level of incompetence in the government is true and probably worse than you feared.

    I had to take a "privacy awareness" exam, which covered how to handle sensitive data. The exam began with a summary of the various laws that federal employees are required to follow. Then, there was a multiple choice test. The problem was that if you answered a question incorrectly, you were immediately told so, and given

news: gotcha

Working...