Slashdot Mirror


IRS Freely Gives Out Employee User Name/Password Info

An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"


  1. The Human Hack by EmbeddedJanitor · · Score: 5, Insightful
    I worked in the physical security industry for a while... designing and installing card-swipe style security systems for buildings etc. What we found with some of our research was that no matter what your physical security setup, the major holes in the operating security system were due to people. Security staff would buzz people through with no card. Tailgaters would get through on someone else's card. People would pass back their card for someone else to get in.

    The greatest security measure of all time was probably the Great Wall of China. That got breached by bribing a gate guard (OK, bribing him with his life...).

    With all the fancy immobilisers etc, many cars still get ripped off because people leave their doors open or their keys in the lock.

    Security in computing etc only changes where the action happens. People still fundamentally operate the same way.

    --
    Engineering is the art of compromise.
    1. Re:The Human Hack by Anonymous Coward · · Score: 1, Insightful

      My experience with passkeys is that most people will buzz in anyone they know or recognize. That can be abused in the case of an ex-employee or contractor improperly being let back in, but in general I never saw the big deal with passing cards back and forth - people leave their card in their office when they go to lunch or leave it at home and it would take 10 minutes and cause a big stink if they followed proper procedure and went to the main security office every time that happened.

      Other than when the boss is watching no one is going to hold adherence to a security procedure to be more valuable than their convenience. You can't really change that short of creating a very unpleasant and draconian atmosphere, you have to make security as convenient as possible or people will bypass it.

  2. 60% "susceptible to computer hackers" by multisync · · Score: 3, Insightful

    Not to mention CEOs.

    --
    I don't care why you're posting AC
  3. Holy $h!t!!! by rolfwind · · Score: 5, Insightful

    The IRS has 100,000 employees! What a drag on the economy! Imagine if each one costs $5-10K on average per month in salary, health care, space, pension -- what that all adds up to.

    Ron Paul is right, get rid of that juggernaut.

    1. Re:Holy $h!t!!! by Invidious · · Score: 4, Insightful

      Average employee costing $5-10K a month? LOL! The largest portion of IRS employees are GS 3-6, making, at the top end of that scale, about $17/hr (and that's if you're in NY or somewhere else that qualifies for the largest locality pay increases.) Tack on withholding (which just goes back to the IRS, at least temporarily, and you can bet your ass they're getting interest on that) and deductions for health care, SSA, TSP investment and such, and the average employee is taking home 2K/month. If they've got health insurance -- and a lot of the employees don't, particularly among the part-timers, temp, and term employees -- that's maybe an extra $300-500 in premiums covered by the gov't.

    2. Re:Holy $h!t!!! by QuantumRiff · · Score: 2, Insightful

      Hate to hop into this argument, but wouldn't the cost of collections be taken from the $3T they actually collect? So it's more like .3%.. Still a small amount, but still several times higher.. GNP is a big number people like to use to make other things seem so much smaller and insignificant..

      --

      What are we going to do tonight Brain?
    3. Re:Holy $h!t!!! by AaronLawrence · · Score: 2, Insightful

      Salary/wages are usually less than 50% of the total cost of an employee. The cost of the office rent, power, PCs, desks, support systems, infrastructure, and all the people who maintain those things is at least as much as their salary. So your figure of 2k probably comes out to 5k in total costs.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  4. Re:It took this long for this to hit /.? by Anonymous Coward · · Score: 1, Insightful

    Without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.

    Course, isn't there a statistic floating around that most corporate espionage is done by insiders?

    captcha: probed

  5. People need to grow some balls by HalAtWork · · Score: 5, Insightful

    People need to grow some balls when it comes to these situations. They're afraid of offending the person on the other end, they think they're suggesting that they're liars or frauds. Really, it's just a precaution for your own ass (you'll get fired) and your business (their normal operations can't be disrupted by random people).

    Then again, administrators, executives, etc need to be more patient and understanding when what they say is challenged. They can't get an attitude or it will cause people to react by defending their character; i.e. if a less confident individual is accused of incompetence, audacity, or whatever for challenging another, then they will be more likely to feel that it is audacious or incompetent to verify a workplace activity.

    Using social engineering to get people to give up their passwords? People were already socially engineered to be susceptible, and afraid. Places of business need to have employees treat each other with respect and make it clear to the employees that they have a right to challenge the legitimacy of any workplace situation.

  6. Social Engineering by nurb432 · · Score: 5, Insightful

    Is always the most effective way into a 'system'.

    --
    ---- Booth was a patriot ----
  7. Re:Stupid? by iminplaya · · Score: 3, Insightful

    Can you fly a fighter jet? I can't.

    He couldn't either before he was trained to. Could you learn to fly a fighter jet? Probably.

    As far as his school is concerned, that's just riding daddy's coattails. And his business deals with Enron and the Rangers show just the kind of education he received. It's too bad he's not stupid. That would be his only saving grace.

    --
    What?
  8. Re:Stupid? by Fulcrum+of+Evil · · Score: 2, Insightful

    Can you fly a fighter jet? I can't.

    I probably can. This means that I could probably get in one, take off, fly in a big circle and possibly land without killing myself (landing's the hard part). If I was rated on a medium sized prop plane, I'd upgrade that to 'definitely'. Still doesn't tell you if I'm at all smart.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  9. Re:Flawed logic? by Anonymous Coward · · Score: 1, Insightful

    61 / 102 = 59.8%