Schneier on Security
A blog covering security and security technology.
March 22, 2005
Social Engineering and the IRS
Social engineering is still very effective:
More than one-third of Internal Revenue Service (IRS) employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.
This is a problem that two-factor authentication would significantly mitigate.
Posted on March 22, 2005 at 9:54 AM
Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)
Apparently somebody at Treasury read Kevin Mitnick's "The Art of Deception" which gives illustrative examples of this. The book should be required reading for anyone holding an account.
"Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)"
I continually fight against both ends: X is a panacea, and X is useless. In general, X is useful in some circumstances and not others.
perhaps there was an unmentioned offer of free chocolate that led to such disclosure...
That X stuff sounds great! Where can I get me one?
Forget that X stuff, where can I get the free chocolate?
I'm not even sure that typical two-factor authentication would help here. If you can get close to a terminal before making your call, you could get the user to change his password and then just ask for the number the SecurID token is displaying.
Using a card that you need to swipe to log in, along with a password, would help, though.
And maybe spreading some rumours of people who got fired for revealing their passwords....
Uh huh; so ChoicePoint's DB was "broken into" by hackers? Here I thought they freely gave up the data without so much as a verifying phone call. And the LexisNexis case is an entirely different security breach animal when compared to CP.
Or have I been living at high altitudes too long?
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~
It's funny how one day you are knocking two-factor authentication and the next you are touting its praise.
I know what the intent and meaning is behind both blog posts but the mass media/populous who picks up your newsbytes does not.
You can call it a failure on the part of the journalist but some responsibility lies in the source.
Thomas, the free chocolate is available by providing a random word to the interviewer...
For goodness sake. Did you people actually read Bruce's essay on "The Failure of Two-Factor Authentication"?
Two-factor authentication solves some problems and not others. This is a problem that two-factor significantly mitigates. There are other problems (Bruce specifically mentions MITM and Trojans) that need other mitigations.
We call this "Defence In Depth" and there have been a lot of very good essays written on the subject.
I guess it was the title of the blog entry that did it. I wouldn't say that two-factor authentication has "failed" because it doesn't protect against Trojans. By this sort of measure, every security measure "fails," in that there's something it won't protect against.