By Greenshades Security
Year-End is here once again, and with it comes the return of a host of checklists, activities, and must-do tasks that all compete for time. We ask that you carve out time to assess the security settings on your GreenEmployee.com portal. Please make it a priority for your IT and security teams to review all of the Employee Access and Administrator Access settings before uploading your 2017 W-2 tax forms. This review is especially important this year, as identity thieves and scammers have a fresh set of data from the recent Equifax breach. While all portal settings should be reviewed, two especially important settings are described below:
Identity Confirmation Settings
When an employer decides to host employee information on GreenEmployee.com, they also specify how GreenEmployee.com should validate a new visitor as one of their employees. This validation happens as part of a new account setup and/or account access process. This step is required by GreenEmployee.com as well as other similar employee service websites, including portals from each of the major payroll service providers.
The identity confirmation settings, found here, govern how GreenEmployee.com determines whether a new user is a valid employee and not an imposter. Each employer owns the settings on this page, since each employer knows best how to validate its own employees’ identities. Greenshades recommends that employers record employee cell phone numbers in their accounting system and upload that information to GreenEmployee (employers who use the Excel Upload option for their Year-End Forms functionality without synchronizing their full payroll details need to include the phone numbers in their Excel spreadsheet). Then, when a new user claims to be one of your employees, GreenEmployee can text a security code to the number you provided to verify that the visitor is truly the employee in question. Because the code goes to a number supplied by the employer rather than by the visitor, this is one of the most secure and recommended options on the identity confirmation settings page.
However, we know that many of you are unable to collect and record these numbers, which is why there are a handful of additional confirmation options. Caution must be taken when enabling and configuring these additional options to ensure they make sense for each individual employer. Providing custom security questions that hinge on personal information is not an acceptable security control when identity thieves may come to the portal already equipped with personal information from Equifax and other large-scale breaches.
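The difference between the two kinds of confirmation option, as an added example written for this article rather than code from GreenEmployee.com: a knowledge-based check that an attacker holding breached SSN digits and a date of birth passes outright, beside a one-time code texted to the number the employer placed on file, which the same attacker cannot answer. The record layout, the `send_sms` hook, the 6-digit code, the 5-minute lifetime and the 3-attempt limit are assumptions, not GreenEmployee settings.

```python
"""Identity confirmation for a new-account setup, compared two ways: answers to
questions drawn from personal data versus a one-time code texted to a phone
number the employer placed on file. Illustrative example written for this
article, not GreenEmployee.com's code; the record layout, the send_sms hook,
the 6-digit code, the 5-minute lifetime and the 3-attempt limit are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class EmployeeRecord:
    employee_id: str
    ssn_last4: str
    dob: str                    # YYYY-MM-DD
    phone: Optional[str]        # supplied by the employer, or None if not collected


# Constructed sample data: an employee whose SSN and DOB could appear in a breach dump.
EMPLOYEES: Dict[str, EmployeeRecord] = {
    "E1001": EmployeeRecord("E1001", "6789", "1980-04-12", "+15555550100"),
}


def confirm_by_questions(employee_id: str, ssn_last4: str, dob: str) -> bool:
    """Knowledge-based check: anyone holding the breached data passes it."""
    rec = EMPLOYEES.get(employee_id)
    return rec is not None and rec.ssn_last4 == ssn_last4 and rec.dob == dob


CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsConfirmation:
    """One-time code sent to the employer-supplied number, never to a number the visitor types in."""

    def __init__(self, send_sms: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        self.send_sms = send_sms    # delivery hook (assumed); real SMS delivery is out of scope
        self.clock = clock          # injectable clock so expiry can be tested
        self.pending: Dict[str, PendingCode] = {}

    def start(self, employee_id: str) -> bool:
        rec = EMPLOYEES.get(employee_id)
        if rec is None or not rec.phone:
            return False            # no number on file: this option cannot be used for this employee
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[employee_id] = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        self.send_sms(rec.phone, f"Your verification code is {code}")
        return True

    def verify(self, employee_id: str, submitted: str) -> bool:
        p = self.pending.get(employee_id)
        if p is None:
            return False
        if self.clock() > p.expires_at:
            del self.pending[employee_id]   # expired: the visitor must start over
            return False
        p.attempts += 1
        if hmac.compare_digest(p.code, submitted):
            del self.pending[employee_id]   # single use
            return True
        if p.attempts >= MAX_ATTEMPTS:
            del self.pending[employee_id]   # lock out further guessing
        return False


def demo() -> Dict[str, object]:
    """Attacker holds the employee's SSN last 4 and DOB from a breach but not the phone."""
    outbox = []
    clock = [1_000_000.0]
    sms = SmsConfirmation(lambda phone, msg: outbox.append((phone, msg)), clock=lambda: clock[0])
    questions_pass = confirm_by_questions("E1001", "6789", "1980-04-12")
    sms.start("E1001")
    real_code = outbox[-1][1].split()[-1]            # only the phone's owner sees this
    wrong_guess = "000000" if real_code != "000000" else "000001"
    attacker_pass = sms.verify("E1001", wrong_guess)
    employee_pass = sms.verify("E1001", real_code)  # the real employee reads it off the phone
    return {
        "questions_accept_breach_data": questions_pass,
        "sms_accepts_attacker_guess": attacker_pass,
        "sms_accepts_employee": employee_pass,
        "sms_sent_to": outbox[-1][0],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the `start` method is where the phone number comes from: it is read from the employer-supplied record, and when no number is on file the SMS option simply cannot be used for that employee. A portal that texted a code to whatever number the visitor entered would prove only that the visitor owns a phone, which is exactly what an imposter has.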
Public Search for Portal
Each employer using GreenEmployee is assigned a unique prefix, also known as a “company code,” for their GreenEmployee link, for example “ABC.GreenEmployee.com.” Employees must visit this link or provide their employer’s company code to reach the login page for their employer’s portal. Employers should communicate their unique GreenEmployee link to their employees, and only to their employees. Historically, some employers have been unable or unwilling to distribute company codes to their employees and have asked for their unique link to appear in a directory of GreenEmployee portals that can be searched by company name or phone number. This is the “Public Search for Portal” option found here. Employers who have enabled this option should verify that they truly have no way to distribute unique links and genuinely need it.
While it is true that the public search allows employees to find an employer’s portal, it allows anyone else to locate it too: an identity thief who already holds an individual’s personal information can search the internet for that individual’s employer, then use the public search to find the employer’s GreenEmployee portal. Once at the portal, the thief can attempt to set up an account by passing the identity confirmation stage described above. If the employer has not enabled the public search, the thief cannot use it to find the portal. Extreme caution is recommended for organizations that already post a portion of their staff directory online (as many medical institutions, government agencies, and educational institutions do), since those directories make it easier for identity thieves to match stolen identities to employers.
If an organization has previously registered itself in the public search and wishes to de-register, it is highly recommended that the organization also change its company code. This ensures that identity thieves who have bookmarked the original portal link will find it non-functional.