I’ve often told people that I could break into most companies’ computer networks by performing a simple task: call a random (non-IT) employee in the firm, pretend to be an IT technician, and ask for their username and password. It’s simple…
Me: “Hello, I’m trying to reach Joe User.”
User: “This is Joe.”
Me: “Hi, Joe. This is Steve from the IT department. I’m sorry for the inconvenience, but we might have found some corruption in your e-mail box.”
User: “I haven’t had any problems.”
Me: “You may not have, but we want to make sure nothing happens. Could you spare a moment with me?”
[Proceed to ask the user to reboot, then ask them to log back in to their computer and go to their e-mail “inbox.”]
Me: “How many messages are in your inbox?”
Me: “That’s very odd — I am showing 99. Would it be OK if I connected to your e-mail box to verify this? I assure you I will not view, open, or delete any messages.”
User: “Sure, no problem.”
Me: “OK, I need your username/password…”
Apparently, the IRS – that stalwart government organization which knows about everyone’s finances – is just as gullible as the typical company. As reported by the Associated Press (and read on sfgate.com):
The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.
“We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.
How reassuring is that?