IRS Freely Gives Out Employee User Name/Password Info
An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"
Actually, I work for the IRS, so let me set the record straight. I've seen the original paper, which was published months ago: the users involved didn't give out their passwords, they changed them to one requested by the "tech support" person (and these calls came in to extensions which the public doesn't really have access to, for the most part). Still highly stupid, but most of the people at the IRS don't know much about computers, and while they've generally got "don't give out your password" down, they didn't seem to equate this to "if you change your password to something someone suggests, that's the same thing."
Also, this is mostly an internal threat; without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.
But, whatever. This is what happens when you have what amounts to a major data center staffed primarily by people who're just barely computer literate. AFAIK, memos about the problem have gone out to ~everyone and meetings have been held at the lowest levels to inform the staff that doing this is Bad.
What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting paid $100K+ a year would have a clue about data security.
then the rest might just start taking things seriously...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Well, he did his undergrad at Yale and has a Harvard MBA. He flew fighter jets (F-102s) in the National Guard.
Can you fly a fighter jet? I can't.
You would have an easy time convincing me that several negative adjectives describe President Bush. However, you will have difficulty convincing me that the man is stupid.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Which means a lot. As someone who works for a company where log-ins are important, I see huge issues with this. Any disgruntled employee who knows the password information of someone else can freely do incredible damage. While changes to any account (in our system) are trackable, those tracks lead to the person who logged in and made the changes.
What's to stop one of those 100,000 employees from doing something to their hated neighbour, mechanic, or whomever, while logged in as someone who gave out their password?
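Two checks a defender could run over an identity audit log, as an added example that is not part of this thread or of any IRS system. The first looks for the pattern the IRS employee above describes (many unrelated accounts changing their password within minutes, as happens when a caller works down a list of extensions asking each person to set a caller-chosen password); the second looks for the concern raised in this post (one account logged on from two workstations at about the same time, the sign that a password has been shared and that the audit trail's "who" can no longer be trusted). The log format, field names, sample records, host names and thresholds are all constructed assumptions for illustration.

```python
"""Two detections over a constructed identity audit log (example code, not
from the page). The record layout is an assumption: ISO-8601 timestamp,
event type, account name, and the workstation the event came from."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The cluster of password changes around 09:00
# models a caller working through a list of extensions; the two logons for
# 'dlee' eleven minutes apart from different workstations model a shared
# password in use by a second person.
SAMPLE_LOG = """\
2007-08-02T08:55:10 logon alopez WS-114
2007-08-02T09:02:31 password_change alopez WS-114
2007-08-02T09:07:45 password_change bchen WS-207
2007-08-02T09:11:02 password_change cpatel WS-088
2007-08-02T09:14:20 password_change dlee WS-153
2007-08-02T09:16:51 password_change efisher WS-301
2007-08-02T09:18:09 password_change gmorris WS-045
2007-08-02T10:30:00 logon dlee WS-153
2007-08-02T10:41:12 logon dlee WS-399
2007-08-02T13:02:00 password_change hwright WS-210
2007-08-02T15:47:33 logon cpatel WS-088
"""


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, type, user, host)
    tuples, sorted by time so both detectors can assume ordered input."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, host = line.split()
        records.append((datetime.fromisoformat(ts), etype, user, host))
    records.sort(key=lambda r: r[0])
    return records


def password_change_bursts(records, window=timedelta(minutes=30), min_accounts=5):
    """Return (window_start, [accounts]) for every window in which at least
    `min_accounts` distinct accounts changed their password.

    One account changing its password is routine; many unrelated accounts
    doing so within minutes is what a phone campaign looks like from the
    directory's side, since the victims never see each other's calls.
    Windows whose account set is contained in an already reported one are
    dropped so a single campaign is reported once, not once per victim."""
    changes = [(ts, user) for ts, etype, user, _ in records
               if etype == "password_change"]
    reported = []
    for i, (start, _) in enumerate(changes):
        users = {u for ts, u in changes[i:] if ts - start <= window}
        if len(users) < min_accounts:
            continue
        if any(users <= prev for _, prev in reported):
            continue
        reported.append((start, users))
    return [(start, sorted(users)) for start, users in reported]


def concurrent_sessions(records, window=timedelta(hours=1)):
    """Return {account: [hosts]} for accounts that logged on from two
    different workstations within `window` of each other.

    A credential used only from its owner's desk rarely trips this; one that
    has been handed to a colleague or a caller does. For the reviewer this is
    the cue that actions logged under that account may not be the owner's."""
    by_user = defaultdict(list)
    for ts, etype, user, host in records:
        if etype == "logon":
            by_user[user].append((ts, host))
    flagged = {}
    for user, logons in by_user.items():
        for i, (t1, h1) in enumerate(logons):
            for t2, h2 in logons[i + 1:]:
                if h1 != h2 and t2 - t1 <= window:
                    flagged.setdefault(user, set()).update({h1, h2})
    return {user: sorted(hosts) for user, hosts in flagged.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for start, users in password_change_bursts(recs):
        print(f"{start}: {len(users)} accounts changed password within "
              f"30 min: {', '.join(users)}")
    for user, hosts in concurrent_sessions(recs).items():
        print(f"{user}: logons from {hosts} within one hour")
```

The thresholds are the part to tune: a five-account burst in thirty minutes is noise on the morning after a forced reset, and a one-hour concurrency window will flag anyone who moves between a desk and a conference room, so both checks belong in a review queue rather than an automatic lockout.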
Yes: people should know better; training should be better. However, with 100,000 employees there will be many who can be 'bought': they may have financial problems (drugs, gambling, divorce, ...). For a bit of cash you could get the info that you want without having to get access to internal systems and know any passwords.
And the GNP is $40T. Really, who cares about a cost of collections of .025%?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
You don't have to be an IRS employee to do that. Just file a tax return, report a million bucks in gambling winnings, and put your victim's name and address on it. Once any IRS computer decides that you owe a shitload of money, it can take a decade for every IRS computer to quit sending goons to harass you for it.
The cost of IRS employees is noise. The real drag on the economy is excessive government spending, but even without getting a lid on Congress's profligate ways, there's a better way to collect the money, while doing far less damage. See here.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I part-own a ceramic cafe. A sales person visited to encourage us to switch to accepting Amex (IIRC). After all the blah-blah I said "sounds fine"; he says "give us your bank details" (on the form for Amex).
So, I wanted to get some verification of his ID. He shows me a photo card, OK. Can I ring your boss? He didn't have a number I could call (e.g. on the Amex literature), only some number on his business card (I spoke to the guy on the other end, but all this shows is he knows someone with a phone!). Even if I could have had that number on the literature, how would that verify him, methinks; easily faked.
It turns out he was genuine (or an Amex insider!) - I eventually managed to chase him through the Amex phone system. But without some means to check his ID the transaction never happened.
The thing is this. Clearly no-one else ever bothered to ask for (proper) identification - there was no system in place. And this for a major financial institution that relies on proper ID.