Online payroll management firm Greenshades.com is an object lesson in how not to do authentication. Until very recently, the company allowed corporate payroll administrators to access employee payroll data online using nothing more than an employee’s date of birth and Social Security number. That is, until criminals discovered this and began mass-filing fraudulent tax refund requests with the IRS on large swaths of employees at firms that use the company’s services.
Jacksonville, Fla.-based Greenshades posted an alert on its homepage stating that the company “has seen an abnormal increase in identity thieves using personal information to fraudulently log into the company’s system to access personal tax information.”
Many online services blame these sorts of attacks on customers re-using the same password at multiple sites, but Greenshades set customers up for this by allowing access to payroll records just by supplying the employee’s Social Security number and date of birth.
As this author has sought repeatedly to demonstrate, SSN/DOB information is extremely easy and cheap to obtain via multiple criminal-run Web sites: SSN/DOB data is reliably available for purchase from underground online crime shops for less than $4 per person (payable in Bitcoin only).
The spike in tax fraud against employees of companies that use Greenshades came to light earlier this month in various media stories. A number of employees at public high schools in Chicago discovered that crooks beat them to the punch on filing tax returns. An investigation into that incident suggested security weaknesses at Greenshades were to blame.
The Milwaukee Journal Sentinel wrote last month about tax fraud perpetrated against local county workers, fraud that also was linked to compromised Greenshades accounts. In Nebraska, the Lower Platte North Natural Resources District and Fremont Health hospital had a number of employees with tax fraud linked to compromised Greenshades accounts, according to a report in the Fremont Tribune.
Greenshades co-CEO Matthew Kane said the company allowed payroll administrators to access W2 information with nothing more than SSN and DOB for one simple reason: Many customers demanded it.
“There’s a valid reason to have what I call weak login credentials,” Kane told KrebsOnSecurity. “Some of our clients clamor for weaker login credentials, such as companies that have a large staff of temporary workers.”
Kane said customers have a “wide range of options” to select from in choosing how they will authenticate to Greenshades.com, but that the most secure option currently offered is a simple username and password.
When asked whether the company offers any sort of two-step or two-factor authentication, Kane argued that corporate email addresses assigned to company employees serve as a kind of second factor. Continue reading →