Online payroll management firm Greenshades.com is an object lesson in how not to do authentication. Until very recently, the company allowed corporate payroll administrators to access employee payroll data online using nothing more than an employee’s date of birth and Social Security number. That is, until criminals discovered this and began mass-filing fraudulent tax refund requests with the IRS on large swaths of employees at firms that use the company’s services.
Jacksonville, Fla.-based Greenshades posted an alert on its homepage stating that the company “has seen an abnormal increase in identity thieves using personal information to fraudulently log into the company’s system to access personal tax information.”
Many online services blame these sorts of attacks on customers re-using the same password at multiple sites, but Greenshades set customers up for this by allowing access to payroll records just by supplying the employee’s Social Security number and date of birth.
As this author has sought repeatedly to demonstrate, SSN/DOB information is extremely easy and cheap to obtain via multiple criminal-run Web sites: SSN/DOB data is reliably available for purchase from underground online crime shops for less than $4 per person (payable in Bitcoin only).
The spike in tax fraud against employees of companies that use Greenshades came to light earlier this month in various media stories. A number of employees at public high schools in Chicago discovered that crooks beat them to the punch on filing tax returns. An investigation into that incident suggested security weaknesses at Greenshades were to blame.
The Milwaukee Journal Sentinel wrote last month about tax fraud perpetrated against local county workers, fraud that also was linked to compromised Greenshades accounts. In Nebraska, the Lower Platte North Natural Resources District and Fremont Health hospital had a number of employees with tax fraud linked to compromised Greenshades accounts, according to a report in the Fremont Tribune.
Greenshades co-CEO Matthew Kane said the company allowed payroll administrators to access W2 information with nothing more than SSN and DOB for one simple reason: Many customers demanded it.
“There’s a valid reason to have what I call weak login credentials,” Kane told KrebsOnSecurity. “Some of our clients clamor for weaker login credentials, such as companies that have a large staff of temporary workers.”
Kane said customers have a “wide range of options” to select from in choosing how they will authenticate to Greenshades.com, but that the most secure option currently offered is a simple username and password.
When asked whether the company offers any sort of two-step or two-factor authentication, Kane argued that corporate email addresses assigned to company employees serve as a kind of second factor.
“In this case, the second factor would be having access to that corporate inbox,” Kane reasoned. He added that Greenshades is working on rolling out a 2-factor authentication feature that may not be optional going forward.
Kane said that although Greenshades heard from a “significant number” of its customers about unauthorized access to employee records, the company believes the overall percentage of affected employees at individual customer organizations was low.
However, in at least some of the reported incidents tied to this mess at Greenshades, the overall percentage has been quite high. In the case of the Lower Platt North NRD, for example, 90 percent of employees had their taxes filed fraudulently this year.
It’s remarkable that a company which specializes in helping firms manage sensitive tax and payroll data could be so lax with authentication. Unfortunately, shoddy authentication is still quite common — even among banks. In February, Pittsburgh, Pa.-based First National Bank alerted customers gained through a recent merger with Metro Bank that they could access the company’s bill pay and electronic banking portal by supplying their Metro Bank username and the last four digits of their Social Security number.
Relying on static data elements like SSNs and birthdays for authentication is a horrible idea all around. These data points are no longer secret because they are broadly available for sale on most Americans, and companies have no business using them for authentication.
Why do so many people get it wrong?
The thing that identifies you is NOT the thing that proves who you are.
@MichaelK Well said!
So are there any fines or other financial punishment levied upon companies who so flagrantly disregard the protection people’s personal information & data which any reasonable individual would expect to be kept securily & only accessed by those with explicit need?
Or is it left up to individuals using the legal system after such a failure?
So who at Greenshade’s IT infrastructure gave control over corporate IT and data security policies to upper management? LOL.
I think you will find that is fairly normal in the biz world, most upper mgmt hates IT and laugh at the idea of a breach. NEVER TRUST A SUIT.
Its the world we live in…
I’m confused. Is Greenshades using the corporate payroll administrator’s SSN/DOB as his login credential, so that the crook has to find said administrator’s SSN/DOB but can then see all the company’s employees’ records? Or can a crook knowing an employee’s SSN/DOB extract that employee’s record without having to login otherwise? The first interpretation seems to make more sense, but isn’t it hard to figure out who is a corporate payroll administrator with an account at Greenshades? Or does the crook just attempt a large number of Greenshades logins with SSN/DOB pairs bought at random?
Typically you can adjust your withholding.
It should be the second interpretation, each employee of a company that used this vendor’s product would have their own individual account, which was apparently generally (at the request of that company’s payroll person) set to account=ssn, pass=dob.
I have a Greenshades login for my work paycheck stubs; indeed it’s as simple as ‘last name + last 4 SSN’ for the login. I’m surprised I HAVEN’T been compromised yet.
Well, maybe you have, but you just don’t know it yet… :S
I went and checked my employer’s payroll portal. Using my SSN/DOB, I got my username. Then, using the username, I requested a new password, which wasn’t emailed to me, it was just given to me right on the page. I then logged in with the username and password acquired from knowing my SSN/DOB. They never sent any email alerts that my password was reset by them or changed by me.
So, I’m vulnerable, too. I sent a pointed email to my employer’s HR department and CIO explaining the vulnerability. Hopefully they can apply some pressure to the payroll company.
Please privately contact @Brian and indicate which vendor this was.
This blog is incredibly useful at shaming / pushing vendors to improve.
Greenshades… “Let us mishandle that”
Hey! I have an idea! Why don’t we just let people login with their names. That’s it. No username, password, SSN, or DOB. Just their names. After all, they should be secret, right? Nobody can just guess names at random. What could possibly go wrong.
So easy is why!!!
I dislike the wording regarding defrauding: unless your legislation is quite awful it is tax office who is being defrauded not the individual. Surely they should be obliged to pay out on the genuine tax rebate claim. The tax office should bear the loss not the individual.
D’oh!
It is defrauding as we are the taxpayers who have to make up for the losses at some point. Additionally Greenshades tries to blame payroll administrators however the security setup choices are drop down boxes and all of them are some form of SS# and dob combination, dictated by the software.
“…Kane argued that corporate email addresses assigned to company employees serve as a kind of second factor”
In much the same way that this crumpled kleenex in my pocket serves as a kind of ballistic armor.
All this in the name of “simplicity”… Our customers asked for a dummy and totally unsecure authentication method, so we just gave it to them!
If this guy is Co-CEO, I could probably be POTUS…
Banks are notorious for this. Most banks still issue last 4 of SS as a password for IVR access (even for commercial accounts). some people may not even know they have an IVR account. The financial houses may institute other “security” controls like only allowing transfers to other “same bank” accounts or to accounts where signer is the same but if your bank account is known and the last 4 of your SS is known then your IVR account is probably vulnerable to attack.
Before there was IVR, there was Touch-Tone interactive (or whatever it was called). I was surprised to find, in 1994, that my account at a savings and loan was already enabled for access by tone sounds with the PIN being the last 4 digits of my social security number – a teller told me after I asked. So I went home and changed the PIN immediately.
I wish the PIN could be made longer; I still remember certain telephone numbers from the 1970s that could serve as PINs.
lol, these guys are a vendor of my company, and I have warned them before that their security and entire setup is garbage.
Unfortunately for everyone greenshades literally does millions of filings.
I see a lot of banks, accounting firms, and other financial firms sending tax documents as PDFs. BUT they use the last four of your SSN as a passcode thinking that is helpful to protect your info.
I discussed it at length with one and the comments were along the lines of “But how will they know your last four?” I explained that since there was no rate limiting (how could there be) that they could check all 10000 combinations in a few seconds if they have captured the pdf. They have since changed their policy, but there are 1000s of more firms doing it thinking they are perfectly safe in doing so.
The number people not knowing anything about security (or level of incompetence) is astounding.
And how many shades of green did their IT and security team turn after discovering this?
Checking our payroll security now…
Based on what their CEO has said, their IT is not to blame. But they’ll likely take the fall anyway, because this is how Corporate America works.
I like to put it this way: “shared secret” is an oxymoron
This is nothing more than people blindly following authority RE: https://en.wikipedia.org/wiki/Milgram_experiment