Social Engineering and the IRS

Social engineering is still very effective:

More than one-third of Internal Revenue Service (IRS) employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.

This is a problem that two-factor authentication would significantly mitigate.

Posted on March 22, 2005 at 9:54 AM • 12 Comments


Roy Owens March 22, 2005 10:39 AM

Apparently somebody at Treasury read Kevin Mitnick’s “The Art of Deception” which gives illustrative examples of this. The book should be required reading for anyone holding an account.

Bruce Schneier March 22, 2005 12:21 PM

“Wait a minute, what happened to your warnings about two-factor authentication? The IRS might think it a panacea… :)”

I continually fight against both ends: X is a panacea, and X is useless. In general, X is useful in some circumstances and not others.

Israel Torres March 22, 2005 1:37 PM

Perhaps there was an unmentioned offer of free chocolate that led to such disclosure…

Israel Torres

Curt Sampson March 22, 2005 7:54 PM

I’m not even sure that typical two-factor authentication would help here. If you can get close to a terminal before making your call, you could get the user to change his password and then just ask for the number the SecurID token is displaying.

Using a card that you need to swipe to log in, along with a password, would help, though.

And maybe spreading some rumours of people who got fired for revealing their passwords….

waynesworld March 22, 2005 8:08 PM

Uh huh; so ChoicePoint’s DB was “broken into” by hackers? Here I thought they freely gave up the data without so much as a verifying phone call. And the LexisNexis case is an entirely different security breach animal when compared to CP.

Or have I been living at high altitudes too long?
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~

Mike March 22, 2005 9:58 PM

It’s funny how one day you are knocking two-factor authentication and the next you are touting its praise.

I know what the intent and meaning is behind both blog posts but the mass media/populace who picks up your newsbytes does not.

You can call it a failure on the part of the journalist but some responsibility lies in the source.

Andrew Stephen March 23, 2005 3:58 PM

For goodness sake. Did you people actually read Bruce’s essay on “The Failure of Two-Factor Authentication”?

Two-factor authentication solves some problems and not others. This is a problem that two-factor significantly mitigates against. There are other problems (Bruce specifically mentions MITM and Trojans) that need other mitigations.

We call this “Defence In Depth” and there have been a lot of very good essays written on the subject.

Curt Sampson March 23, 2005 10:03 PM

I guess it was the title of the blog entry that did it. I wouldn’t say that two-factor authentication has “failed” because it doesn’t protect against Trojans. By this sort of measure, every security measure “fails,” in that there’s something it won’t protect against.
