Schneier on Security
A blog covering security and security technology.
March 22, 2005
Social Engineering and the IRS
Social engineering is still very effective:
More than one-third of Internal Revenue Service (IRS) employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.
This is a problem that two-factor authentication would significantly mitigate.
Posted on March 22, 2005 at 9:54 AM
• 13 Comments
Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)
Apparently somebody at Treasury read Kevin Mitnick's "The Art of Deception" which gives illustrative examples of this. The book should be required reading for anyone holding an account.
"Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea... :)"
I continually fight against both ends: X is a panacea, and X is useless. In general, X is useful in some circumstances and not others.
Perhaps there was an unmentioned offer of free chocolate that led to such disclosure...
That X stuff sounds great! Where can I get me one?
Forget that X stuff, where can I get the free chocolate?
I'm not even sure that typical two-factor authentication would help here. If you can get close to a terminal before making your call, you could get the user to change his password and then just ask for the number the SecurID token is displaying.
Using a card that you need to swipe to log in, along with a password, would help, though.
And maybe spreading some rumours of people who got fired for revealing their passwords....
Uh huh; so ChoicePoint's DB was "broken into" by hackers? Here I thought they freely gave up the data without so much as a verifying phone call. And the LexisNexis case is an entirely different security breach animal when compared to CP.
Or have I been living at high altitudes too long?
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~
It's funny how one day you are knocking two-factor authentication and the next you are touting its praise.
I know what the intent and meaning is behind both blog posts, but the mass media/populace who picks up your newsbytes does not.
You can call it a failure on the part of the journalist but some responsibility lies in the source.
Thomas, the free chocolate is available by providing a random word to the interviewer...
For goodness sake. Did you people actually read Bruce's essay on "The Failure of Two-Factor Authentication"?
Two-factor authentication solves some problems and not others. This is a problem that two-factor significantly mitigates against. There are other problems (Bruce specifically mentions MITM and Trojans) that need other mitigations.
We call this "Defence In Depth" and there have been a lot of very good essays written on the subject.
I guess it was the title of the blog entry that did it. I wouldn't say that two-factor authentication has "failed" because it doesn't protect against Trojans. By this sort of measure, every security measure "fails," in that there's something it won't protect against.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.