“The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.
‘We were able to convince 35 managers and employees to provide us their username and change their password,’ the report said.
That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.
‘With an employee’s user account name and password, a hacker could gain access to that employee’s access privileges,’ the report said.
‘Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee’s username and password,’ auditors said.
With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency’s computer systems.”
Hmmm… things get more and more interesting. I wonder what will be done about this? ChoicePoint and Bank of America are under major investigation for problems that stemmed from similar ‘social engineering’ tactics.
* Originally on a Yahoo! News article, had to change it to the SFGate originating article.
NOTE: Originally posted: March 2005 (recreated from mangled original bambismusings.blogspot.com)