This year, rather than going to a tax professional as I originally planned, I rolled my own return by using TurboTax Online. Apparently, there was a security leak last week. One woman was able to view tax returns from two other people with the same last name, presumably by tweaking a URL and guessing the password.
Well, this backdoor has been fixed, and the company claims that no other users have been affected.
Despite all the fear about identity theft through internet-related technology, I still believe SSL encryption is the safest way to fly. Low tech identity theft is much easier.
2:06 pm (reply)
I’m in agreement with you on the issue, plus I also am using TurboTax online to file this year. You may want to let your users know that if you have a State Farm insurance account, you can log in online to reach a link for free online TurboTax filing—federal and state, it appears. I discovered it by happenstance as I was checking my policies and so now I’m “rolling my own” too.
I paid $450 last year for a local accountant to do my taxes, and am just not feeling it this year.
I did see the story about the security flaw and lots of enraged user responses as I was looking for a tip in the TurboTax forums, but I felt it was somewhat of an overreaction as well. After all, it’s not like someone couldn’t get all the same information plus someone’s official signature and maybe even a free stamp for reuse just by intercepting paper tax forms on their way to the post office. If your own mailbox doesn’t place you at risk, some disgruntled or paid off postal worker might.
Granted, I do think companies which handle our financial, medical, and other personal information should pursue every possible measure to keep this information safe, so maybe the scolding and bad PR help that. Or maybe they just cause companies to spend more on their own PR and the same on upgrades, programmer training and server support. Food for thought.
I was just amused by all the huffy people skulking off to paper-file their taxes so it’d be secure.
3:39 pm (reply)
I worry about identity theft as well but the reality is that the highest risk place for having your identity stolen is offline. My company has lost multiple laptops containing employee information. I have credit monitoring paid for by my company because they had a laptop stolen with my information on it (since recovered).
I think one of the other areas of risk is companies that store my data unencrypted on their servers.
I believe they need to make it mandatory for people to be able to put freezes on their credit. It seems crazy to me that we aren’t allowed to do that permanently and with little effort.
3:51 pm (reply)
Absolutely agree with Hazzard that anyone should easily be able to freeze their credit. Your elected representatives being toadies to the credit reporting agencies is the reason this hasn’t happened. It is unconscionable that this easy fix hasn’t been mandated except for a few states.
5:24 pm (reply)
Is anyone presently petitioning for this right? Sounds like a good idea—I’d be willing to support this.
9:00 pm (reply)
I also used Turbo Tax this year to file my taxes. What amazes me is that people are always so worried about strangers getting their information on the Internet when what they really should be concerned about is their friends and relatives.
I worked in online banking for 7 years and in all that time we only had 5 cases (out of 12,000 users) where someone attempted or actually gained unauthorized access to a customer’s online banking account and in every case it was an ex-spouse, ex-girlfriend/ex-boyfriend, relative or roommate who was able to do it because they knew the customer’s social security number and had access to the customer’s paper statements.
We never had a case where a stranger hacked in and got someone’s information. It was always someone the customer knew and even in those situations the people who gained unauthorized access couldn’t do anything. The account numbers were masked and they couldn’t transfer funds to themselves and all they managed to do was see someone else’s account balance.
So I don’t worry too much about doing all my financial stuff online, but I do go to a whole lot of trouble to hide all my credit cards, bank statements, checkbooks, etc. whenever I have any of my sleazy relatives come by for a visit.
11:24 am (reply)
SSL is just an ad-hoc tunneling protocol that encrypts traffic between two systems on the internet. SSL only protects data-in-motion. Data-at-rest, which may be stored in a file or database is not protected by SSL. Furthermore, SSL has nothing to do with this vulnerability and it doesn’t help one bit if the systems at either end are compromised.
Always remember that your data is unencrypted on your local system, so any spyware or virus that may be on your local system can see it when it leaves your system. At the same time, once the data travels through the SSL tunnel, it is unencrypted on the web server to which you sent your data. If that system is compromised, it can be siphoned off there as well. I’m not even going to go into problems with actually storing the data insecurely on the website or backend systems.
The problem here was simple URL manipulation which anyone with a web browser can do. Along with SQL injection and cross-site scripting, they are some of the most pervasive problems on the internet today. Literally millions of websites have these problems today. Plenty of financial institutions have had web application issues like these uncovered in the past and I would wager that plenty more problems will be uncovered in the future.
I’m not trying to “scare” anyone into not using the Internet for their financial dealings. In fact, I handle most of my finances online. But I felt that the quote, “SSL encryption is the safest way to fly” suggested that SSL was the be-all-end-all of being safe on the Internet. While SSL is important and I wouldn’t log into a financial institution or submit a CC number without it, there are plenty more threats out there that the readers should consider aside from whether the little padlock appears at the bottom of their browser or not.
-Toby
2:25 pm (reply)
Great points!
11:22 pm (reply)
You might want to re-consider believing their assurances after reading the following:
http://it.slashdot.org/comments.pl?sid=230439&cid=18697947
Apparently this (or a similar) issue has been known for more than three months and not been fixed!
11:46 am (reply)
heh. That’s why I’m mailing mine in. (j/k!) The one very clear case of ID theft I know about happened to one of my cousins. A friend of his in college stole his mail and opened a few credit cards in his name. Because he didn’t find out about it till it was too late, his credit was ruined. This happened about 10 years ago, and I think most of the after-effects are over now, but it still sucked for a while till everything got resolved.
Low-tech vulnerability is where the most risk is, but you’ve got to be vigilant about everything.
5:29 pm (reply)
For those that are interested in keeping their financial data secure (static files), you can just do what I do. Triple zip the file (or your file compression algorithm of choice) with passwords…a different one for each zip level. Not impossible to break, but pretty tough for most.
4:07 pm (reply)
Well this is all very interesting as I used Turbo Tax on-line for the first time, at the very time you all posted your comments above (April 2007) to do my 2006 taxes… And now as I just approached the deadline yesterday (April 15, 2008) to do my 2007 income taxes the same way on-line through Turbo Tax, I come to find someone had stolen my identity and filed my taxes for me back in January of this year. To top it off at the twelfth hour yesterday, I was dealing with the WORST Turbo Tax customer service, on the phone for three hours straight (the majority of the time on hold), and then they finally told me to go mail my taxes, after it was already past five o’clock to make a local mailbox. I had to drive 60 miles, and I told the rep a million times if we wasted all this time to get nowhere and they tell me to go mail my taxes when it is already too late, that I would be even more upset. The guy assured me it wouldn’t happen, that the outcome they were seeking was solely in my favor, and they’d be able to get my taxes electronically to the IRS. It was all BS, they were just trying to find ways to not look responsible for the situation. Worst experience. What I have ahead of me now is even more daunting. I’d never use Turbo Tax again, and even more so because of the way their rep, Marshall Anderson, very rudely handled the situation. Someone has all my personal info because of their security issue.