Sixty percent of Internal Revenue Service employees were duped into giving control of their passwords to unauthorized callers, according to an inspection report that found lingering problems with computer security years after they were supposed to have been corrected.

Sixty-one of 102 employees telephoned by the Treasury Inspector General for Tax Administration were fooled by undercover inspectors posing as computer support help desk representatives. The inspectors asked for help with correcting a computer problem and asked the employees to provide their user names and temporarily change their passwords to ones suggested by the inspectors.

The majority of them complied. Only eight of the employees reported the incident to the audit team, TIGTA's Office of Investigations, or the IRS's own computer security staff, as they were supposed to do.

The IRS was supposed to have educated employees on the dangers of giving up control of their passwords after it flunked two similar tests back in 2001 and 2004. In the 2001 test, 71 of 100 employees changed their passwords to the ones suggested by the TIGTA undercover team. In 2004, the employees seemed to have learned better, with only 35 of 100 employees giving up control of their passwords. The latest test seems to indicate some backsliding.

Employees gave various reasons why they went along this time. The scenario sounded legitimate and believable to 21 of them. Ten of the employees thought that changing their password wasn't as bad as giving out their password. Seven of the employees had previously had computer problems, so the calls seemed legitimate.

TIGTA is recommending that the IRS continue with its security awareness activities to remind employees of the potential for hackers to exploit "social engineering" methods of penetrating computer security. The inspectors also want the IRS to conduct social engineering tests of its own to make sure employees are complying.
