by alias_neo
1859 days ago
Ouch, that sounds painful. If I'm not mistaken, all/most Americans have to interact with the IRS regularly? So this is an issue for many of you? By that I mean, as a Brit who is salaried (PAYE) and doesn't own a business, I have never had to interact directly with HMRC, so even if it was as bad (it's not) it would be an infrequent experience.
Individuals have been migrated a few times and to a few different logins.
IRS had a "get transcript" service. It had things like super secure passwords and password rotations, but password reset and setup could be done with social security number + some really basic info from credit reports (i.e., where did you live, etc.) and didn't time out.
So think: hundreds of thousands of fake accounts for the hackers, and pain for the real users.
That's pretty common in the US for govt systems: the password reset process is often ridiculously easy because some systems have so many reset requests you can't function with anything careful.
Imagine folks in govt: 10 systems, 90-day password rollover, and there was a move for a while to 12-character passwords with no reuse and upper / lower / special / numbers (but special characters are limited, so password generators often error out). It got so bad there was one reset process that was outsourced to a third party AND all you had to provide was the username, which was derived from the user's full name. They then gave you a new password over the phone. It was honestly easier to reset than to even fight the system. You have a new intern who's forgotten their password; IT just calls the reset help desk for a new one.
The security problems in all this are:
1) reset process so weak
2) everyone, and I mean everyone, writes these passwords down in a text file on their computer
3) because new account setup can be ridiculously long, a fair bit of password sharing, so these passwords tend to end up all over the place (training documents etc. etc.) which then of course end up online somewhere.
I could go on.
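The comment above describes a reset flow that accepted a social security number plus credit-report trivia and never timed out, so anyone with leaked personal data could keep answering until a guess landed. The block below is an added example, not code from the thread or from any IRS system, showing the control a defender would put in front of such a knowledge-based reset: a sliding-window failure counter keyed on both the account and the caller's source address, with a lockout once either key exhausts its budget. All names, thresholds and the sample attempts are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds (assumptions, not values from the thread).
MAX_FAILURES = 5           # wrong KBA answers tolerated per window
WINDOW_SECONDS = 15 * 60   # sliding window for counting failures
LOCKOUT_SECONDS = 60 * 60  # how long the reset flow stays locked


class FakeClock:
    """Injectable clock so the lockout can be exercised without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class ResetAttemptLimiter:
    """Tracks failed reset attempts per key and locks a key after too many.

    A key is either an account identifier or a source address, so a caller
    cannot dodge the limit by rotating accounts or by rotating addresses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(deque)  # key -> failure timestamps
        self._locked_until = {}              # key -> epoch seconds

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        return self._clock() < self._locked_until.get(key, 0.0)

    def record_failure(self, key):
        now = self._clock()
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_reset(limiter, account_id, source_ip, answers_correct):
    """One knowledge-based reset attempt.

    Returns 'locked', 'denied' or 'allowed'. The lock check happens before
    the answers are evaluated, so a correct guess arriving after the budget
    is spent is still refused, which is what makes online guessing futile.
    """
    keys = (f"acct:{account_id}", f"src:{source_ip}")
    if any(limiter.is_locked(k) for k in keys):
        return "locked"
    if not answers_correct:
        for k in keys:
            limiter.record_failure(k)
        return "denied"
    for k in keys:
        limiter.record_success(k)
    return "allowed"


def simulate_guessing(limiter, attempts):
    """Run a constructed sequence of (account, ip, answers_correct) and
    return the outcome of each attempt in order."""
    return [attempt_reset(limiter, a, ip, ok) for a, ip, ok in attempts]


if __name__ == "__main__":
    # Constructed scenario: five wrong guesses, then the right answer.
    limiter = ResetAttemptLimiter()
    guesses = [("alice", "198.51.100.7", False)] * MAX_FAILURES
    guesses.append(("alice", "198.51.100.7", True))
    print(simulate_guessing(limiter, guesses))
```

The point of keying on the source address as well as the account is the thread's "hundreds of thousands of fake accounts" scenario: a per-account limit alone still lets one caller walk through a list of victims, one attempt each. In a real deployment the same outcome string should be returned for "wrong answer" and "no such account" so the reset page does not double as an account-enumeration oracle, and the lockout should be paired with an out-of-band notification to the account holder.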