Bruce Schneier


Schneier on Security

A blog covering security and security technology.

March 22, 2005

Social Engineering and the IRS

Social engineering is still very effective:

More than one-third of Internal Revenue Service (IRS) employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.

This is a problem that two-factor authentication would significantly mitigate.

Posted on March 22, 2005 at 9:54 AM

Comments

Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)

Posted by: Davi Ottenheimer at March 22, 2005 10:34 AM


Apparently somebody at Treasury read Kevin Mitnick's "The Art of Deception" which gives illustrative examples of this. The book should be required reading for anyone holding an account.

Posted by: Roy Owens at March 22, 2005 10:39 AM


"Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)"

I continually fight against both ends: X is a panacea, and X is useless. In general, X is useful in some circumstances and not others.

Posted by: Bruce Schneier at March 22, 2005 12:21 PM


Perhaps there was an unmentioned offer of free chocolate that led to such disclosure...

Israel Torres

Posted by: Israel Torres at March 22, 2005 1:37 PM


That X stuff sounds great! Where can I get me one?

Posted by: Xavier Ashe at March 22, 2005 4:12 PM


Forget that X stuff, where can I get the free chocolate?

Posted by: Thomas Sprinkmeier at March 22, 2005 4:39 PM


I'm not even sure that typical two-factor authentication would help here. If you can get close to a terminal before making your call, you could get the user to change his password and then just ask for the number the SecurID token is displaying.

Using a card that you need to swipe to log in, along with a password, would help, though.

And maybe spreading some rumours of people who got fired for revealing their passwords....

Posted by: Curt Sampson at March 22, 2005 7:54 PM


Uh huh; so ChoicePoint's DB was "broken into" by hackers? Here I thought they freely gave up the data without so much as a verifying phone call. And the LexisNexis case is an entirely different security breach animal when compared to CP.

Or have I been living at high altitudes too long?
.................
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~

Posted by: waynesworld at March 22, 2005 8:08 PM


It's funny how one day you are knocking two-factor authentication and the next you are touting its praise.

I know what the intent and meaning is behind both blog posts, but the mass media/populace who picks up your newsbytes does not.

You can call it a failure on the part of the journalist but some responsibility lies in the source.

Posted by: Mike at March 22, 2005 9:58 PM


Thomas, the free chocolate is available by providing a random word to the interviewer...

Posted by: Ben Smyth at March 23, 2005 5:07 AM


For goodness sake. Did you people actually read Bruce's essay on "The Failure of Two-Factor Authentication"?

Two-factor authentication solves some problems and not others. This is a problem that two-factor significantly mitigates against. There are other problems (Bruce specifically mentions MITM and Trojans) that need other mitigations.

We call this "Defence In Depth" and there have been a lot of very good essays written on the subject.

Posted by: Andrew Stephen at March 23, 2005 3:58 PM


I guess it was the title of the blog entry that did it. I wouldn't say that two-factor authentication has "failed" because it doesn't protect against Trojans. By this sort of measure, every security measure "fails," in that there's something it won't protect against.

Posted by: Curt Sampson at March 23, 2005 10:03 PM


Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
