
Techies Warn Self-Filing Taxpayers of Possible Identity Theft Threat
AccountingWEB & TechTV | Mar-12-2003 | Becky Worley

Posted on 03/14/2003 10:30:23 AM PST by wallcrawlr

Accounting Web:

Leading tax preparation software companies Intuit (TurboTax) and H&R Block (TaxCut) may be producing software that puts customer tax data at risk, according to some data security experts. Both TurboTax and TaxCut leave taxpayer data files unencrypted and thus unprotected from hackers, and some people are concerned about the possibility of identity theft. Security Firm PivX Solutions has issued a warning about the hacker potential.

Here's how the tax information is stored: TurboTax stores taxpayer information in files that end in a .tax extension. These files, while not readable by a standard word processing program, can be opened and read by anyone with a TurboTax program. TaxCut stores taxpayer information files in regular text files that can be read by word processing programs, including Wordpad and Notepad.

"An identity thief would have all the information they needed to open a line of credit in a victim's name," said Geoff Shively of PivX Solutions. He expressed concerns about the vulnerability of tax files stored on shared network drives, and he also noted that anyone can sit down at a computer and open a tax data file using the appropriate tax software program without entering a password.

"Our clients know it's their responsibility to protect tax data on their computers," said Tom Linafelt, communications manager at H&R Block.

Intuit's Scott Gulbransen agrees. "We always suggest customers use the standard methods to protect their PCs - not just their TurboTax file - from viruses, hackers, etc."

Intuit has no plans to change security measures in the near future. H&R Block indicated it is considering full encryption of tax files in future versions of TaxCut.

TechTV:

Using common tax filing software could be hazardous to your identity.

Security Firm PivX Solutions has released two advisories warning users that the data entered into tax programs H&R Block's TaxCut and Intuit's TurboTax is stored as an unencrypted file on the user's hard drive.

The H&R Block files with .sbr extensions can be opened with a plain text editor, and easily viewed in programs such as Notepad or Wordpad. The .tax files from TurboTax can only be fully viewed if opened in TurboTax with no password necessary. Opening the TurboTax .tax files with a text editor will only net a name and social security number, which can itself be fodder for an identity thief.

Last year, some 15 million people filed their returns electronically using TurboTax, according to the Internal Revenue Service. Tonight on "Tech Live," find out how to protect yourself from identity thieves who could prey on taxpayers using these programs, which are critical to electronically filing tax returns to the IRS.

P2P could open the door

PivX Solutions' Geoff Shively warned of a worst case scenario in which a misconfigured peer-to-peer file-sharing application could make tax data files available to anyone searching for the correct file extensions.

"If someone made their entire drive available to file-sharing services or accidentally put the .sbr or .tax files in their shared folder, an identity thief would have all the information they needed to open a line of credit in a victim's name," Shively said.

Opening your data up to such theft would be a major oversight, and something all users of P2P applications should be wary of.

Over the weekend I searched KaZaA, Morpheus, and LimeWire for tax data and found only four files: one TaxCut file and three .tax files produced by TurboTax. Although millions of people use file-sharing programs, the fact that I could only find four files points to the relative obscurity of this problem. However, it should not go unchecked.

Information in the open

Scott Gulbransen of Intuit says that in all the years the company has sold TurboTax, it's never had users contact it with problems of data theft as a result of unencrypted files. He said the company warns users to take care of their digital tax data.

He said, "Putting your tax data files in your P2P shared files is like leaving the paper copies of your tax return on a table in a restaurant." Gulbransen insists that the overall security of data on a consumer's PC is always something the company thinks about.

"That's why we always suggest customers use the standard methods to protect their PCs -- not just their TurboTax file -- from viruses, hackers, etc.," he said. "Firewall software and antivirus software are something we always suggest to our customers to protect everything from their private letters to their sensitive financial information."

The idea of encrypting or password-protecting files has not been embraced by Intuit. Gulbransen said, "The next step in security would be to use some sort of password-type technology. That would be much more cumbersome for our customers, and we're not hearing any desire for that much security from our loyal customer base."

Other possible vulnerabilities

The P2P file-stealing issue is scary, but not as frightening as the threat of viruses that could install a Trojan horse program to transmit tax data from a victim's computer. An identity thief could use that data to get identification documents and credit cards in a victim's name.

In addition to these forms of remote data theft, anyone who has physical access to the machine can access data from unencrypted tax files.

Tom Linafelt, communications manager at H&R Block, said the company has had no customer complaints that hackers have accessed data from their hard drives.

"Our clients know it's their responsibility to protect tax data on their computers," Linafelt said. He continued, saying data from customer surveys has never pointed to a desire for more security from the software.

"We feel our current level of security is sufficient," he said. "During the e-filing process we encrypt all transmitted data using 128-bit SSL encryption. We also password-protect data within the TaxCut program. Although you can open data files without that password using a text editor, you have to know what files you are looking for."

Linafelt added that H&R Block is considering the full encryption of files in future versions of TaxCut.

Check your configurations

Geoff Shively of PivX advises tax software users to check the configuration of their P2P file-sharing programs, turn off file sharing, store data files on removable media, and use a free encryption file to lock down personal data.

I recommend Easy Crypto Deluxe to password-protect your sensitive data. You can download the program here.

File-sharing basics

File sharing is the act of letting users on multiple computers access documents through a network. The software is great for businesses and families that want to share printers, or for co-workers who want to access, modify, read, or print the same document at the same time. But file sharing is also an easy way for hackers to access your system.

Computers on a network using Microsoft file sharing open up the directories on their hard drives to others on the network. With file sharing enabled, Susan in accounting can access an expense report on a computer in a different department, even though it may be at a different desk. Similarly, a remote attacker can access the files on your hard drive at home through the file-sharing feature.

Microsoft ships its Windows operating system with file sharing turned on as a default. This is a problem, since most of us aren't networking our computers and don't need this feature. Here's how to turn it off.

Turn off file-sharing

Click Start. Choose Settings. Open the control panel, and click Network. Toward the bottom of the window that pops up, click on the button labeled "File and Print Sharing." Uncheck the two options for files and printer(s) so that the boxes are empty. Click OK twice to close the Network windows. Restart your computer if prompted to do so.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Free Republic; Government; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurityin; privacylist
I am thinking a few of you may want to update your comp's security.
1 posted on 03/14/2003 10:30:23 AM PST by wallcrawlr
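An added example (not part of the article or of any poster's comment): a small audit a user could run over their own P2P or network shared folders to find TurboTax `.tax` and TaxCut `.sbr` files left where others can reach them. The list of shared folders is an assumption supplied by the user, and `looks_plaintext` is a hypothetical helper using a rough printable-byte heuristic.

```python
import os
import tempfile

# Extensions named in the article: TurboTax (.tax) and TaxCut (.sbr) data files.
TAX_EXTENSIONS = {".tax", ".sbr"}

def looks_plaintext(path, sample_size=4096):
    """Heuristic: True if the first bytes are mostly printable ASCII."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if not sample:
        return False
    printable = sum(1 for b in sample if b in (9, 10, 13) or 32 <= b < 127)
    return printable / len(sample) > 0.9

def find_exposed_tax_files(shared_roots):
    """Return sorted (path, is_plaintext) pairs for tax files under shared_roots."""
    findings = []
    for root in shared_roots:
        if not os.path.isdir(root):
            continue  # this shared folder does not exist on this machine
        for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
            for name in files:
                if os.path.splitext(name)[1].lower() in TAX_EXTENSIONS:
                    full = os.path.join(dirpath, name)
                    try:
                        findings.append((full, looks_plaintext(full)))
                    except OSError:
                        findings.append((full, False))  # unreadable, but still exposed
    return sorted(findings)

def demo():
    """Scan a constructed shared folder (sample files are made up for the example)."""
    with tempfile.TemporaryDirectory() as shared:
        os.mkdir(os.path.join(shared, "music"))
        samples = {
            "music/song.mp3": b"\x00\x01\x02",
            "music/2002 Return.SBR": b"NAME=Jane Sample\nSSN=000-00-0000\n",
            "return.tax": bytes(range(256)),
        }
        for rel, data in samples.items():
            with open(os.path.join(shared, rel), "wb") as fh:
                fh.write(data)
        hits = find_exposed_tax_files([shared, os.path.join(shared, "missing")])
        return [(os.path.relpath(p, shared).replace(os.sep, "/"), t) for p, t in hits]

if __name__ == "__main__":
    for rel, plaintext in demo():
        print(rel, "-> readable as plain text" if plaintext else "-> not plain text")
```

Any hit should be moved out of the shared folder; a hit flagged as plain text can be read by anyone who obtains the file, with no tax software needed.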

To: wallcrawlr
Excerpt from Pakistani 18-year-old Pleads Guilty to Hacking Web Sites...

"Shakour also hacked into a computer of Mathews, N.C.-based Cheaptaxforms.com, and obtained credit card information that he used to purchase more than $7,000 worth of items."

2 posted on 03/14/2003 10:39:58 AM PST by LurkedLongEnough

To: *Privacy_list; *Computer Security In
http://www.freerepublic.com/perl/bump-list
3 posted on 03/14/2003 11:06:18 AM PST by Libertarianize the GOP (Ideas have consequences)

To: wallcrawlr
Thanks for the heads up.
Of course it is possible to file a standard tax return form, put it in an envelope, stamp it, drop it off in a mail box and -----???? You have to trust that it won't be intercepted, torn open and all info "hacked".
One of the biggest risks to people and their money is the credit card statement that comes in their mail every month. It contains name, address and credit card number. That could be stolen from your mail box.
Another risk is all your creditors that ask you to "please put your account number on the check". That check passes through human hands that now have your name, signature, bank account number and the account number of the bill you just paid on it.
Money, signatures, checks, credit cards and tax returns and using SS # for driver's license number, all of these, in any form, are a risk.
4 posted on 03/14/2003 11:14:21 AM PST by aeronca

To: wallcrawlr
I have been using TurboTax since 1995. I always install it on a freshly reimaged standalone PC with no connectivity to the outside world. I print my return in hardcopy format and mail it. When done, the .tax files get copied to CD-R and the PC gets reimaged again.

This year, of course, you have to have connectivity to the internet in order to get TurboTax activated, just like so many other products. I reimage my PC, setup my dialup connection and TT, get activated and get the product updates and that's it. From then on - everything is done off-line.

This workaround will only work for a few more years though. I am sure TT will go the route of having to be totally on-line to do your taxes. At that point, I will go back to the old fill-out-the-forms method.

5 posted on 03/14/2003 12:28:31 PM PST by Buffalo Bob

To: wallcrawlr
"Our clients know it's their responsibility to protect tax data on their computers," said Tom Linafelt, communications manager at H&R Block.

Intuit's Scott Gulbransen agrees. "We always suggest customers use the standard methods to protect their PCs - not just their TurboTax file - from viruses, hackers, etc."

Ah yes, the typical familiar "let the customer beware -- it's not our problem" attitude... which completely disregards the risks of misconfigured P2P software, forgotten files on old discarded machines, and sneakernet.

Tax returns contain some of the most sensitive personal information any person owns. Why not just shut up and give the customer the tools he needs to keep his personal information secure?

Kudos to H&R Block for at least considering this. We already know that Intuit doesn't respect its customers.

6 posted on 03/14/2003 12:37:32 PM PST by TechJunkYard (via Nancy)

To: wallcrawlr
Thanks for the info, but I don't think many people are aware that just filing your taxes at all opens you up to identity fraud. A few years ago, one of the national news shows did a special on how temporary employees, hired by the IRS during "tax season", have made off with quite a bit of personal info. If I remember right, there are crime rings associated with this.

I'll try to find the link. May not be able to post it until tomorrow, though.

7 posted on 03/14/2003 1:45:14 PM PST by Democratic_Machiavelli
