
IRS bureaucrats duped into exposing passwords

A new report says 60 percent of employees contacted by government investigators posing as help-desk employees agree to change their log-ins. Fortunately, it was just a test...this time.

Brace yourself for another fine example of the tech-savviness of federal bureaucrats (and yes, this sentence is dripping with sarcasm).

According to a report released Friday (PDF) by the Treasury Department's inspector general, 60 percent of a sampling of 102 Internal Revenue Service employees, when contacted by government auditors posing as help-desk employees, were perfectly willing to reveal their usernames and change their passwords to ones suggested by the callers.

The auditors said they were particularly alarmed by this year's findings against the backdrop of a similar test in 2004, when only 35 percent fell for the trick. In 2001, 71 percent succumbed to the requests, which led the IRS to take "corrective actions" designed to raise awareness about social-engineering attempts and password protection requirements.

Clearly the Internal Revenue Service needs to do much more to warn about the perils of such "social-engineering" attacks on its computer security and to drive home that sharing usernames and passwords with anyone is forbidden, the report said.

Despite frequent evidence of attempted external intrusions to the tax agency's aging computer systems, it appears no successful attacks have ever occurred, the report said. But if employees are so easily fooled by requests from fake insiders, they could create real threats to sensitive taxpayer information and overall IRS security.

The report included a two-paragraph response from Daniel Galik, the IRS's chief of mission assurance and security services, who said, "We continue to re-emphasize computer security practices, including social engineering, to IRS personnel."