Easily Tricked, IRS Employees Fail Password Audit

Sixty percent of IRS employees tested by the Inspector General fell prey to a basic password scam, putting taxpayers' data at risk.

Sharon Gaudin, Contributor

August 7, 2007

How do you get an IRS employee to change a sensitive password?

Why, you simply call him up and ask.

According to the results of a security test run by the Treasury Department's Inspector General for the Tax Administration, IRS workers are highly susceptible to social engineering tricks. In fact, researchers made 102 phone calls to agency employees, including managers and a contractor, and posed as computer support help desk workers. The callers told the employees that to correct a computer problem, they needed to provide their user names and to change their passwords to one the investigators suggested.

Out of the 102 people contacted, 61 complied with the request, according to the Inspector General's report. That's a 60% success -- or in this case, failure -- rate.

The report also showed that only eight out of the 102 people contacted appropriate administrators to report the test calls or check to see if they were legitimate.

"The above conditions were particularly alarming because we had conducted similar social engineering test telephone calls in August 2001 and December 2004," wrote Michael R. Phillips, deputy inspector general for audits, in his report. "Our 2001 and 2004 test calls yielded 71% and 35% noncompliance rates, respectively. In response to these two prior audits, the IRS took corrective actions to raise awareness of password protection requirements and social engineering attempts. However, the corrective actions have not been effective."

This isn't the agency's first bad security report this year.

In April, the government reported that the IRS lost 490 computers between 2003 and 2006, and is not adequately protecting sensitive taxpayer information. Treasury's Inspector General said in a report last month that the IRS is not only losing hundreds of computers and storage devices, but is failing to encrypt data and is using weak passwords.

This earlier audit also reported that because of the missing computers, personal information was compromised for at least 2,359 U.S. taxpayers. But the total can't be calculated because records don't list what information was stored on many of the machines.

The IRS, which has 100,000 employees, annually handles 220 million tax returns, which contain personal financial and identifying information, like addresses and Social Security numbers. The agency has issued 47,000 laptops to employees.

In the latest report, Phillips noted that researchers also asked the IRS employees why they didn't comply with the agency's password security policies. Some workers responded that the call sounded legitimate, while others said they didn't think changing their password was the same as disclosing it.

"Based on the results of this audit, we conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work," Phillips added.

The report also noted that when employees are susceptible to social engineering attempts, the IRS is put at risk of providing hackers access to computer resources and taxpayer information. And when attempts at social engineering are not reported to appropriate personnel, the agency cannot investigate the attacks and take steps to curb any breaches.

The auditors recommended that the IRS continue its employee training efforts, conduct periodic internal social engineering tests, and discipline employees whose security violations spring from carelessness or negligence.
