Please Don't Ask IRS Agents To Change Their User Name Or Password

If you ask nicely, thoughtless, gullible IRS agents are willing to give you their user name and change their password, according to a recent report from the Treasury Inspector General. The report condemns our tax collectors for failing to observe the most basic security measures, despite recent entreaties for employees to be extra vigilant about protecting sensitive taxpayer data. From the AP:

    “Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.

    The report said the IRS took measures to improve security after two similar test telephone calls in 2001 and 2004. “However, the corrective actions have not been effective,” it said.”

The IRS does not dispute the report’s accuracy.

Computer Security Problems Found at IRS [AP]
(Photo: Mrs. Reed)



  1. Grrrrrrr, now with two buns made of bacon. says:

    “Social Engineering” is still the easiest way for people to gain passwords to access to unauthorized information. Humans are, and will always be the weakest link in computer security.

    I’d even bet half the IRS agents use “audit” for a password. (Listens for the sound of agents scrambling to change their passwords).

  2. synergy says:

    This bit was poorly worded. For a bit there until I read further I thought the IRS agents gave their own info to callers. I thought that was stupid, but really only the IRS agent’s problem when they get their identity stolen. Oh! You mean they’re giving away any old person’s info? OK, that’s a problem.

  3. GTB says:

    I can confirm that they specifically brought this up at a recent training meeting I attended. The access that doing something like this grants you is somewhat limited, unless you have also managed to get the password of somebody fairly high up the ladder. Most “grunt” type clerks are both carefully monitored and locked out of information not directly relating to their jobs. Likewise, most are limited to “read only” access. Not that accessing somebody’s records isn’t damaging... but it would be worse if it could be CHANGED.

    Additionally: the IDRS computer system (which is what they are talking about here, I think) has a very draconian password process. “audit” won’t work, for instance. I don’t really want to go into detail, but it requires a specific number of characters that aren’t alpha (letters), and checks your password against actual words before it will accept it. So you would almost HAVE to get somebody to give it to you.

  4. Cowboys_fan says:

    The dunce cap fits perfectly. Don’t ever give your computer info to anyone, ever (except maybe your spouse). There is no need. IT can reset your password on their own if needed, and set restrictions on your passwords (8 characters, contains 1 letter, 1 capital letter, no dictionary words, etc), plus they’d already know your username. Absolute STUPIDITY! Every one of these people who gave info should be fired. I wouldn’t want these idiots going over my taxes.

  5. zolielo says:

    I can see why it happened. I would bet that the agents rarely if ever get calls from outside of a close circle of co-workers. They most likely thought that it was out of the realm of possibility.

    As for me, just about no one has my personal line, I nearly never get direct calls from outside my office (the people in the front direct public calls to me), and I do not have caller ID so I cannot see where the call is coming from. Plus I know only the director of the IT department and none of his employees. If someone somehow got my direct number or called my extension internally, I think that if they sounded as I expected, I might be fooled.

  6. zolielo says:

    @wftm: It should also have limited logins and a time period expiration date.

  7. Buzz Lightyear says:

    Why aren’t they using some type of additional authentication (i.e. a SecurID keyfob)?

    (No I don’t work for RSA, just have a token on my keychain…)

  8. Onouris says:

    Ok, so a bunch were called and asked to change their password? And only 8/102 called someone to check up on the person asking?

    What about the people that just said ‘no’ and didn’t need to call someone else?

  9. GTB says:

    @zolielo: It does, yes.

    Buzz: For the same reason IAP now handles the file services for the IRS. Money. The government doesn’t just say “ok, from now on, we’re going to have these little keychain things, and you’ll need one to access your computer,” and then hand them out. There has to be an “initiative” and then many meetings, and they have to hire a whole new tech department to handle it, etc etc. Let’s remember that the majority of the people who work for the IRS (at least in my experience, which is admittedly limited) are old, bitter, and hate “new things,” especially technology.