Press "Enter" to skip to content

PayMaster HCM & Security


This has been an interesting week in the world of information security.

On Tuesday, Brian Krebs blog site, KrebsOnSecurity, posted an article detailing how a number of self service accounts were hijacked from ADP.  In short, due to a weak registration process and a far too lackadaisical approach to stale accounts (i.e., accounts that were never activated by employees) on ADP’s part, as well as the inadvertent posting of sensitive registration codes on the part of a number of clients including a large commercial bank, U.S. Bancorp, victimizers were able make self service accounts for a considerable number of dormant accounts.  In turn, the intruders used those accounts to gain access to W-2 information and possibly more from the compromised user accounts.

Yesterday, researchers at Hold Security ( announced that they had recovered more than 250 million stolen credentials from a Russian hacker who’s been branded as The Collector.  Details are scant on how the information was collected and there’s no indication that it was due to a breach at the source, but such a vast cache of credentials is worthy of note regardless of how it was accumulated.

As these stories clearly indicate, information security remains a treacherous landscape.  Although the value of educated and vigilant users can never be emphasized enough, systems need to play a role too and PayMaster HCM assertively does so.

Multi-Factor Authentication is Required

Multi-factor authentication (MFA) is slowly, but surely becoming just as ubiquitous as the password.  If you’re unfamiliar with the terminology, the idea is really simple: to authenticate in such an environment, you need your password as well as a code that’s sent to a device (smartphone) or an external account (email address) you own.  The effect is that an intruder must know your password *and* have access to your device or external account in order to access your data.  Having one or the other alone won’t do.

Far too often, this easy to use, low burden security feature is added to systems as an option.  In PayMaster HCM, it’s required.

Changes to Multi-Factor Authentication Details Require Approval

Contact information doesn’t change much.  When it does and that information is used almost as something like a secondary password, a change to it is worthy of alarm.  PayMaster HCM will require that an administrative user approve any changes to multi-factor authentication details.

New Accounts are Subject to a Grace Period

It’s common for users to be able to register themselves on a variety of websites by providing a wealth of intimate information thus proving their identity and subsequently gaining access to their personal data and PayMaster HCM is no exception.  However, due to the chronological nature of all things related to Human Capital Management, it’s only sensible to apply a timeline to that type of functionality.  There’s a major difference in the level of security when comparing an unregistered user account to one that is registered and locked down with a strong password and the aforementioned multi-factor authentication.  We want to strongly encourage that everyone be a part of the latter of those two groups.

Anytime a new user account is added to PayMaster HCM, a clock starts ticking.  After 15 days, if the user doesn’t register, the new account will be locked and will only become available for registration again after administrative action.  This somewhat short, but respectable period of time provides ample opportunity for someone to register while virtually guaranteeing that social engineering hacks and other information gathering techniques (e.g., phishing, Google dorking, etc.) will not have an immense population to test their plundered data against.

Other Noteworthy Security Features of PayMaster HCM

In addition to those highlighted above, PayMaster HCM also supports:

  • IP Address Filtering – Used to limit access to your portal to specific places (e.g., your office).
  • Account Locking – Accounts will be locked for several reasons revolving around invalid attempts to login.
  • Account Notifications – Changes to accounts are broadcasts via email notification to the user affected as well as administrative users on some occasions.


The recent theft from ADP is a reminder that sensitive information must be protected by all parties.  It’s also a reason to find comfort in New Account Grace Period policy in PayMaster HCM.  Leaving only new and relevant accounts available for registration is a great way of lessening an otherwise vast attack surface.

While stolen usernames and passwords can provide quite a scare, the occurrence can be quite mitigated with the use of multi-factor authentication.  With multi-factor authentication enabled, someone with your username and password would not be able to access your account without access to something you own as well.  Since multi-factor authentication is required with PayMaster HCM, you don’t have to worry about whether it’s on or off, or how you enable it, etc.  You’re protected the very moment you log in.

Interested in learning more about PayMaster HCM?  Contact us.

Leave a Reply