(Mis)Uses of Technology

by Mike Masnick

Filed Under:
security, social engineering


Study Finds IRS Very Susceptible To Social Engineering

from the change-this-password-now dept

The IRS has had problems modernizing their computer system in the past, but no matter how modern your computer system is, security is weak if your employees are easily duped through social engineering techniques. A new study found that 60% of the employees they tested were willing to hand over sensitive info to a person calling and posing as IRS tech support. This type of social engineering happens all the time, but it seems especially worrisome that so many IRS employees would be so willingly giving out info when they have access to so much confidential info and should be especially aware of the threat. In fact, the report notes that similar tests were done in 2001 and 2004 and the IRS promised to put in place measures to prevent these types of tricks from working. Apparently, that hasn't really happened.

Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    trashmem, Aug 3rd, 2007 @ 5:50pm


    They are a bunch of dinos wadja expect???

    reply to this | link to this | view in thread ]

  2. identicon
    urmmmm, Aug 3rd, 2007 @ 7:01pm


    I hope you are not so naive to think this is only a problem with the irs.. are you?
    First, I give them kudos for testing and being aware of the threat of social engineering. My company performs pen testing for fortune 500 and many still want to ignore this and provide very little training to their employees to avoid and report it. Many compromises we investigate can be sourced to this attack vector but many still focus on the “technical” solution. Well, no form of technology will help you here.
    You may be surprised to find just how helpful people are willing to be given the right circumstances and you are just as vulnerable as they. Don’t forget Sally at your credit card company, your school admin office, former employer, old girlfriend, mother …

    reply to this | link to this | view in thread ]

  3. identicon
    The Swiss Cheese Monster, Aug 3rd, 2007 @ 7:07pm

    I find it comforting that people who have the ability to put us in prison are not smart enough to keep our information private.

    reply to this | link to this | view in thread ]

  4. identicon
    Hopeless Charm, Aug 3rd, 2007 @ 7:13pm

    It's a Confidence Scam

    Why is this type of scam still being given the legitimate-sounding name of "Social Engineering" as if it was part of an engineering discipline at a university ?! Why, just because Mitnick so named his endeavors that ? Ridiculous. This should be referred to as a Confidence Scam or "Con" because that's what it's always been known as and still is. It only further encourages unschooled fools to pursue such activities when the Press perpetuates the fallacy of terming this as "social engineering". Stop the idiocy, people!

    reply to this | link to this | view in thread ]

  5. identicon
    Anonymous Coward, Aug 3rd, 2007 @ 8:47pm

    Re: It's a Confidence Scam

    Reverse engineering can have a negative connotation, but you don't hear people complaining about that.

    If you're willing to say that the current name it has is going to have some significant impact on how widespread it becomes or why it isn't dying out, well, thats just ignoring the problem and giving it a different name.

    It's called social engineering because the terms used actually make sense. Something shouldn't have its name changed just because you think it makes it sound too good.

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, Aug 3rd, 2007 @ 8:51pm

    Re: It's a Confidence Scam

    Good point. Language counts. Orwell knew it, and todays politicians and corporate crooks do also.

    For instance, what they now euphemistically call "ethnic cleansing" (sounds antiseptic doesn't it?) is actually genocide.

    Maybe if people would read a little, they'd recognize it.

    reply to this | link to this | view in thread ]

  7. identicon
    P, Aug 4th, 2007 @ 3:12am

    Re: It's a Confidence Scam

    This Post reminded me of something. If you havent read this Google the bold

    08:05 AM

    User called to say they forgot password. Told them to use password retrieval utility
    called FDISK. Blissfully ignorant, they thank me and hang up. God, we let the people
    vote and drive, too?

    reply to this | link to this | view in thread ]

  8. identicon
    Evil Mike, Aug 4th, 2007 @ 12:21pm

    Re: It's a Confidence Scam

    In a con, you come face to face with your victim(s). Social engineering is similar, but can be done from far away, and can even be automated--hence phishing, phreaking, and such. While farcical sounding, it is a legitimate verbiage for the activity.

    reply to this | link to this | view in thread ]

  9. identicon
    Jasper, Aug 4th, 2007 @ 4:00pm

    Idiots in the government

    One, the government or any organization that handles peoples personal data should not be hiring people who need to be taught about social engineering or technology, they should know these things up front. We live in a data driven society and have been for at least the last 20 years...come on.

    Two, the government only hires the most mediocre of personnel. Because they use and outdated system to hire those individuals (special preferences). I know this, because I have 17 years experience with government hiring practices, or the lack thereof.

    Three, we live in a data driven society. If you don't understand the basics of computing, you need to go to school and learn it. It is not an employers responsibility to teach you computing, you should know it (before being hired). However, it is the employer's responsibility to recognize that a prospective hire is totally computer illiterate. To solve this problem you need to have employers that are not computer illiterate, in order to be able to tell if the hire is computer illiterate. There are to many people in middle/upper management that know very little about technology, and wouldn't know if someone is computer illiterate or not, because most of them are.

    Four, when it comes to my personal data, I want only the most skilled technologists in the field working on and protecting my data. That costs money, and lots of it, to hire that type of talent. Employers don't want to spend that type of money, because it cuts into the bottom line. They don't consider law suites, penalties or lose of customer good will, until after the fact. It costs them more in law suites, fines and consumer trust than it would ever cost them in salaries, but their willing to take the chance to increase profits.

    Five, until there is a complete change in the focus of government and business, from profits and special interests, to securing our personal data. Things will only get worse. The burden will be ours to handle, in the form of cleaning up our credit etc...

    reply to this | link to this | view in thread ]

  10. identicon
    AskTheAdmin, Aug 5th, 2007 @ 6:11am


    Soooo Im mike from tech support do me a favor and enable a inbound connection and read me your password and userid off of that post-it...

    Ahh i'm in thanks and btw youve been ROOTED!

    Good to know - thanks from AskTheAdmin

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, Aug 5th, 2007 @ 11:02am

    Re: Re: It's a Confidence Scam

    i wouldn't call "ethnic cleansing" a euphemism. i'd say it still has the same negative response from people. anyone who knows what it is doesn't think that it sounds any less worse than genocide.

    reply to this | link to this | view in thread ]

  12. identicon
    leah, Aug 5th, 2007 @ 7:27pm

    IRS social engineering comic

    there's a funny comic about this story here. The artist re-imagines the IRS study as an event involving Harry Potter in a business suit.

    reply to this | link to this | view in thread ]

  13. identicon
    Chuck Norris' Enemy (deceased), Aug 6th, 2007 @ 7:09am


    I used to live in Fresno, CA where there was an IRS building. They would hire part-timers for the tax months. Do you expect a part-time employee to care or have the training necessary to know when they are being scammed/conned?

    reply to this | link to this | view in thread ]

  14. identicon
    Darrell Young, Aug 6th, 2007 @ 6:59pm

    Social Engineering...

    Like it or not, many of you have been using these techniques for years. Mitnick merely puts them into an easy to read book (I recommend it entirely).

    You guys are developing split ends over this phrase and it really doesn't matter. The truth is, its an accurate description of what is happening.

    I'll bet good money inbound call agents are at least, advised about these techniques and to be a little more sensitive when conversing with someone about sensitive data.

    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.