Web Based Turbo Tax Disclosure Vulnerability Found
Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other users' tax return information. Reports state that things like bank routing information were available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."
Companies should be penalized for something so severe to let them know that they need to do a better job in the future.
The synopsis makes it seem like this was a bigger deal than it is. If this was actually in the wild, or exploited, that'll be big -- but as the article is written, one person stumbled across this problem, reported it, and Intuit fixed it.
You can have my taxes when you pry them from my cold dead fingers.
The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.
Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing a high-tech, organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.
As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.
Pen and paper have the added advantage of making people think you are crazy.
Nerd rage is the funniest rage.
Not my bank routing number!
Someone please fix this before someone finds out how to deposit money into my account!
Think of it more as a useful, undocumented feature. Not only can you do your own tax return online, now you can do other people's! Well done to the good folks at Turbo Tax for coming up with it.
I just filed my taxes with TurboTax Online! Great, now I'm going to be hacked, and then audited and the IRS is going to repossess all of my belon
NO CARRIER
CAn'T CompreHend SARcaSm?
You can have my cock when you pry it from your mother's cold, dead fingers.
Until penalties for data breaches have some serious teeth (say, for every dollar of loss inflicted on the customer, fine the offending company ten dollars) companies will never take the security of customer data seriously.
Mr pain and punishment, I bet you're just achin to spank some bacon, YOU BAD BOY
I don't need no instructions to know how to rock!!!!
Great job linking to a picture of a pumpkin, failure.
I overpay my taxes every year. It's a few extra bucks out of my check that I don't notice, and I get a nice refund from the government. Yeah, I know I lose money on the deal based on inflation, since the money I let the feds hold doesn't earn interest. But it works out to a couple dollars a year at most based on what I'm paying, and getting the extra check works out well for me at the beginning of the year.
So two years ago I was filing with turbo tax. I'd been using it for a couple years with no problems. My taxes are simple; no house, no kids, no tax shelter investments. Just a handful of numbers on a W2, to the point where I could just as easily fill out the forms by hand, but I liked the convenience. Now, I overpay by ten bucks every week. 40 bucks a month * 12 months = $480 per year that I should get back (based on my tax bracket at the time) no matter what. My average refund was usually a couple hundred over that, and had been for the years prior. I've cut the feds a check exactly once since I started working 12 years ago.
So what did I get when I used turbo tax that year? They had me paying an additional 280 bucks! I went over that return with a fine tooth comb. All my numbers were right, every box was checked, every i was dotted and t was crossed on my end, and the software was up to date, but Turbo Tax said I owed the feds money. I broke out the disaster recovery computer (also known as a pen & paper), and did my taxes by hand and by the book. Result? My usual refund of around 700 bucks. On a lark I tried Taxcut. Same result, $700-ish refund.
Tax software (at my level anyway) should be no more complicated than a freaking spreadsheet. If they can't get that right for me, I shudder to think what kind of screw ups they've had for people who have real returns to file. At least I got a good lesson in double checking someone else's math.
There are some people that if they don't know, you can't tell 'em.
I've been doing my own taxes on paper since I was 16 (and back then I was having to file self-employment taxes and commercial schedules). This year, in the interest of getting my refund sooner (not that I really needed it fast) and avoiding transcription typos at data entry, I filed electronically online, using the free TurboTax Online.
This is what I get.
On-line websites have been a major source of information security breaches. A few years ago I was able to perform reverse-directory lookups on Verizon customers. Their DSL registration website was one such problem. After a customer entered his/her telephone number to verify DSL availability, the website displayed the corresponding customer's name and billing address, asking "is your information correct?"
The Canada Revenue Agency sets up security rules here in Canada for third-party e-filers:
http://www.efile.cra.gc.ca/eol-security-e.html#co
The article didn't mention what sort of security rules are enforced in the US.
Does the IRS have similar rules to what we have in Canada?
Why doesn't the government provide an online tax processing website? That way, if the site gets hacked it's the government's problem. And your hard-earned tax dollars go towards a service that you can ACTUALLY use. Naysayers might say, well, what about the tax software industry? How many jobs will be lost? And I say to you, screw that. The tax software industry has milked the cash cow dry. Then again, I might be dreaming and this will never happen.
It is very scary to see how much value Intuit seems to put on customers' data and how much they learn from past mistakes...
On January 6th this year I received an email from TurboTax Online with the subject
"TurboTax User ID Enclosed: Online Products Now Available!"
Problem being that - in addition to my UserID - it also contained two other (seemingly random) UserIDs including a live link to their login pages. I tried to be nice and alert them of their security problem but it was not easy. After hunting through the website for a feedback/support link I could only find an online chat with one of their support people. It took me close to an hour to tell her about the problem (it somehow didn't seem to fit into her questionnaire flow chart...) and she promised that she would pass the information on to the tech department and that they would get back to me (yeah, right!). I also asked her repeatedly to delete my account including all data and she said it couldn't be done and that I wouldn't have anything to worry about as the data would be safe on their servers - apparently not.
Guess I should have been a little more aggressive and told some news outlet about the problem rather than thinking that their internal procedures and security audits would be sufficient without additional pressure. I decided after that email to never again use the online TurboTax version (I never actually filed from it before as it was a little too limited) and it looks like I made a smart choice.
Of course, TurboTax's web-based form is one of the few options for Linux users. I tried a bunch of different sites; of course there's no excuse for a purely web-based service to be incompatible, but of course they mostly are! In contrast, I have had good experiences with Turbotax for the past couple years. And so far the contents of my bank account haven't vanished... well actually they did, but that was because I spent all the money...
Any recommendations for full-featured tax services that work well on Firefox under Linux?
- Jonathan
H&R Block had a similar issue with their online tax prep software back in February:
news.com.com article
Businessweek article
In Germany many people put their bank routing information on their letter head, so that people can easily transfer money to them.
They claim to have REMOVED THE LINK.
Removing a link to a web page takes the "feature" away on the server...? Idiots.
As for the web based tax preparation - I've never used it. I prefer to keep that kind of data behind my firewall and backed up on my CDRs...
I don't suppose there is a way someone could steal my SSN, name, address, etc. and somehow use all this information to pay my taxes for me this year, could they?
If so I'm going to recommend Turbo Tax to all my friends!
I have always done my rather complicated taxes by hand. I would prefer e-filing if I could do it directly with the IRS/FTB. And sure enough, this year I used Calfile (on unsupported software, too: Firefox 1.5/linux).
That's how taxes should be filed! Enter 5 or so numbers, check 5 or so boxes. Nothing to sign or send (I didn't owe). I hope the IRS will copy the Calfile system so I can move to efiling completely. For the record, it took me 15 minutes to do Calfile (from when I found it on the FTB web site), 45 minutes for the 1040 with pen and calculator and an hour and a half for the freaking 8801!
I'm pretty upset reading this article due to the fact that I have been faithfully using Turbo Tax for 7 years now, this year included, and I have yet to receive an email from them along the lines of "Your information might have been compromised." Shouldn't the customers be the first ones to hear about this? Thank God I read Slashdot.
There's one tax software company doing their programming entirely in America, TaxAct (2nd Story Software). I haven't used their Web version, but their Windows version runs nearly flawlessly under Wine on Linux (there are minor problems with checkbox and drop-down list display on screen while filling out forms, but those show up correctly in the print preview and output). I've used TaxCut and TurboTax in past years; TaxAct doesn't have silly videos included, but it's efficient and effective.
I share the caution about Indian programmers. I just dropped checking and savings accounts with Ameriprise (formerly Amex Bank), because in the several years since they shipped the programming off to India they still haven't gotten their site to work reliably in its basic operations. Even before security is considered, the incompetence is amazing. Now I'm seeing a downgrading in the usability of CitiBank's Website, where there's also been extensive recent offshoring - they can't be bothered to test for obvious JavaScript bugs that block Mozilla, for example, even though previously they'd officially and effectively supported Mozilla/Netscape for years. (Hell, I do work for financial firms in NYC that don't even allow their own people to browse with IE.)
I may be a crusty old Luddite, but this is why I do my taxes the old fashioned way -- with TurboTax on my personal machine. (I tried TaxCut the year that Intuit put DRM on, even though I use a Mac, and found it buggy and inferior). I want the data to remain as much under my control as possible. I send it in on paper, too, though that's because I'm too cheap to spend my money to reduce their costs rather than a concern over a compromise of the E-file database.
It's true that the data is still vulnerable at the IRS. But that's a risk I cannot avoid. Web-based tax returns are one that I can.
I actually work for Turbotax in the Technical Support Division. Actually, to be specific, I work for another company and they outsource their support through us. They do the same for many other offices through different companies, including outsourced Sales people in India, and an office in the Philippines. Most chat agents are from India.
I've been using Turbotax over the past 5 months for roughly 600 hours and there's a few things I can say about the program. First and foremost, it's very rarely wrong. I've taken 2057 calls (on 2058 right now) and in all these I have seen 1 calculation error, and it was a number getting transferred between Federal and State incorrectly. Most calls fall into the following categories: password resets, how-do-I-enter, where-is-this-number-coming-from, and installation. We also get run of the mill save errors, questions about how to transfer information, and so on. Calls that are prefaced with "Your program is doing this wrong..." always make me roll my eyes, because as far as calculations go, the program is almost exclusively correct, and alleged calculation errors are actually a result of someone entering it in wrong. And it's just a piece of software, really just a big calculator, and it's only as smart as the data that gets put into it. That being said, while it is wonderful in performing calculations correctly, it is very quirky when it comes to navigation and sometimes outright bizarre.
For example, once you've gone through the State portion, revisiting it at any point takes you straight to the end, without allowing you to review the information. If you want to change something, you need to get to a very specific page and click "Topic List", then "What's new for 2006". If you click on the topic named "State Interview", it completely skips to the end of the State Interview. Makes a lot of sense, eh? Also, checking certain boxes will generate certain forms or worksheets that will not be deleted if you go back and uncheck them, which causes the Error Check feature to freak out and tell you that you have 9000 errors because the form is blank. Also, due to the way Turbotax calls on some functions (namely XML), if it doesn't like your XML configuration, it will randomly give you errors and there's essentially no way you'll be able to use the Desktop version without reinstalling your OS or IE.
Online is more of the same, but with even more lovable "features". If you check one of those boxes that I mentioned above, and it generates a form, if it's in the state interview, there's no way to delete it; it's stuck there forever. You can delete the entire state and start again, or we can import the data into the Desktop version to remove it. Also, some pages simply refuse to load in either Firefox or IE. Short of ripping and fully reinstalling Windows or drastically modifying internet settings (something most of the agents wouldn't even know how to do) the only option is to switch browsers. Simple fix, but it shouldn't be necessary.
This all being said, the bottom line is that Turbotax calculates things wonderfully but is lacking in most other areas. When this story 'broke', all of us agents were told basically to keep our mouths shut and if any customer had any questions beyond us telling them that we were fixing the issue, to forward their request to the Corporate Office.
I've seen customers do some very retarded things, both in trying to access their account and enter or manipulate data. Is it possible that this was a one-time isolated incident? If someone was able to stumble on this information by accident, how hard would it be to do deliberately? The page with Vault access has been up for almost 5 months and this was only recently discovered; has it been abused before? I don't know the answers to these questions, but I don't get a fuzzy feeling thinking about them. People should know if their data was possibly compromised, but I don't blame them for trying to keep it quiet. In this day and age of information security and data protect
There is a post on the TurboTax site (http://turbotax.intuit.com/tax_products/turbotax_advantages/secure.jhtml;jsessionid=FQK0HSUDKCVCMCQIAURRYUQKBACREF4K) disclosing and providing more facts on this issue. The issue does NOT affect the TurboTax Online application.
Bob Meighan
VP, TurboTax
"The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC."
So that's what programmers think about each other? Glad I'm not in your profession. The back-stabbing must be terrible.
I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch
You'd think so, but what evidence we have doesn't confirm your optimism:
http://www.treas.gov/tigta/auditreports/2007repor
http://www.fcw.com/article98135-04-03-07-Web&prin
The first article covers unsecured taxpayer information on IRS laptops, a problem the audit agency raised in 2003 which has yet to be addressed fully by the IRS. The second discusses more general security issues and reports that, "The tax agency experiences gaps in access controls related to user identification and authentication, authorization, encryption, monitoring, and physical security. Data is at risk from weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls." For instance, the IRS backup tapes were unencrypted and stored at facilities where they were physically available to non-IRS personnel.
I recently had a first-hand experience with the quality of IT procedures at the IRS. One of my clients is a well-known consumer law organization whose inbound mail I scan for viruses and spam. One of their attorneys contacted me the other day saying that she was unable to receive email from attorneys at the IRS. Now some of you may have encountered the various forms of viruses and phishing scams that use forged @irs.gov addresses. In an effort to combat such stuff, I added a rule to my inbound mail server requiring that messages claiming to be from someone@irs.gov actually be sent from a server in *.gov. Notice I didn't limit these messages just to servers in irs.gov; to cut down on the potential for false positives the rule allowed any such messages that originated on any server in the Federal government. Most of the illegitimate "irs.gov" messages I've seen come from spambots on residential and office networks and would be blocked by this otherwise quite permissive rule.
Well, these legitimate IRS messages were blocked because they originated on a server that had no reverse-DNS resolution configured. Without reverse-DNS my server couldn't determine the sending server's domain and thus blocked these legitimate irs.gov messages. Even if I hadn't had this rule in place, these messages might well have been tagged as spam. I give hosts with no reverse-DNS entries a pretty high SpamAssassin score, though not one that alone would result in the message being tagged as spam.
We later confirmed that this server was, in fact, an official outbound mail server for the IRS's attorneys, and perhaps for many of its other bureaucrats as well. Having reverse resolution configured for an SMTP server is pretty much de rigueur these days if you want to ensure your messages get delivered. Apparently this knowledge did not extend to the IT staff at the Internal Revenue Service.
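The filtering rule described in the post above, written out as an added example (this is not the poster's filter nor any real MTA's code): a message whose From: claims an @irs.gov address is accepted only if the connecting server's reverse DNS places it under .gov, and a server with no reverse entry at all is the failure mode that blocked the IRS's own mail. It goes one step beyond the post by requiring forward-confirmed reverse DNS (the PTR name must resolve back to the connecting IP), because whoever controls the reverse zone for an IP block can publish any PTR they like, so a bare PTR check is spoofable. The DNS answers come from constructed in-memory tables so it runs offline; the function names, the protected-domain list and the no-rDNS score weight are assumptions of this example.

```python
"""Sender-domain check for mail claiming an @irs.gov origin (added example)."""
from email.utils import parseaddr

# Constructed stand-ins for real PTR and A answers; not real IRS infrastructure.
PTR_TABLE = {
    "192.0.2.10": "mail1.irs.gov.",   # legitimate, forward-confirmed
    "192.0.2.20": None,               # no reverse entry (the case in the post)
    "192.0.2.30": "mx.example.net.",  # real host, but not under .gov
    "192.0.2.40": "mail.irs.gov.",    # forged PTR: forward lookup disagrees
}
A_TABLE = {
    "mail1.irs.gov": {"192.0.2.10"},
    "mx.example.net": {"192.0.2.30"},
    "mail.irs.gov": {"192.0.2.11"},
}

PROTECTED_DOMAINS = ("irs.gov",)   # assumption: domains the rule applies to
REQUIRED_ZONE = "gov"              # the post's rule: any server in *.gov
NO_RDNS_SCORE = 2.0                # assumed SpamAssassin-style weight for no PTR


def claimed_domain(from_header):
    """Domain part of the address in a From: header, lower-cased, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def fcrdns_host(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Forward-confirmed reverse DNS: return the PTR name only if one of its
    A records points back at the connecting IP; otherwise None."""
    name = ptr_table.get(ip)
    if not name:
        return None
    host = name.rstrip(".").lower()
    if ip not in a_table.get(host, set()):
        return None   # PTR exists but is not confirmed by the forward zone
    return host


def in_zone(host, zone):
    return host == zone or host.endswith("." + zone)


def check_sender(from_header, ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Decide accept/reject for one inbound message.

    Returns a dict: action ('accept' or 'reject'), reason, the confirmed
    reverse-DNS host (or None) and a spam score contribution."""
    domain = claimed_domain(from_header)
    host = fcrdns_host(ip, ptr_table, a_table)
    score = 0.0 if host else NO_RDNS_SCORE   # missing rDNS always costs points

    if domain in PROTECTED_DOMAINS:
        # The post's rule: a claimed irs.gov sender must come from a *.gov host.
        if host is None:
            return {"action": "reject", "host": None, "score": score,
                    "reason": "no forward-confirmed reverse DNS for %s sender" % domain}
        if not in_zone(host, REQUIRED_ZONE):
            return {"action": "reject", "host": host, "score": score,
                    "reason": "%s sender relayed by %s, outside .%s" % (domain, host, REQUIRED_ZONE)}
        return {"action": "accept", "host": host, "score": score,
                "reason": "sender host %s is under .%s" % (host, REQUIRED_ZONE)}

    # Unprotected domains: the rule does not apply, only the rDNS score remains.
    return {"action": "accept", "host": host, "score": score,
            "reason": "no origin rule for %s" % domain}


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, check_sender("Counsel <jane.doe@irs.gov>", ip))
```

The rejection on 192.0.2.20 is exactly what the post saw: a legitimate server with no PTR is indistinguishable, at this layer, from a spambot. The fix is on the sending side (publish a PTR and a matching A record), not in loosening the check.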