Taxpayers expect their data to be kept confidential and safe when using government systems. In fact, they often assume that the government’s systems will be protected more effectively than commercial systems. Residents of South Carolina were taken by surprise when social security numbers, credit card numbers, and more were stolen from the Department of Revenue’s tax system.
There are a few interesting take-aways when we look at what happened. First, an employee inadvertently exposed the system to malware by clicking on an embedded link. The attacker obtained the employee’s user credentials and logged into the system with a valid account, masquerading as that employee. It’s worrisome to consider that this could have happened nearly anywhere (South Carolina jokes aside). The attacker continued to infiltrate the system for 2 months before he was discovered. In the end, the discovery came from an outside agency, not from the Department of Revenue itself.
There are a host of deficiencies represented here, but the critical fact is that in most systems employees can divulge their login credentials far too easily. Alphanumeric passwords are subject to key logging, shoulder surfing, plain and simple sharing, and guessing. Mutual authentication, multi-factor authentication, triangulation of data, and systems that make it difficult to share a password are all methods by which attacks like this one could have been prevented. We can look back all we want on what happened, but until we deploy systems that anticipate and prevent such attacks, we’ll continue to read news about users’ and employees’ credentials being misused and abused.