Filing Taxes Online this Year? Consider Some of these Security Safety Tips

Disclaimer: I do not (nor will I ever) file my taxes 100% online, à la TurboTax Online.

Some of you may know that my day job is in information security.  As we all look at filing our taxes this year, I wanted to give you some tips if you choose to use one of the online services.  I don’t mean using the desktop version of the software and then e-filing, but using a web browser only to complete and file your taxes.  Some of these rules apply in many other situations, but your Social Security number(s) and tax information in combination make it very easy for opportunistic thieves to steal your identity.

Luckily, to my knowledge, Intuit – at least – has never had a breach of their e-filing systems – and they are a clearinghouse for e-filing, so they’ve got that information already.  (Although, I am a bit surprised, because that’s a *lot* of sensitive information just waiting to be attacked…)  Not that it can’t happen, but it hasn’t happened yet.

TL;DR Version (also the I don’t want to know what can happen, so I’ll stop here version)

  1. Don’t use a “public” computer (public library) to file your taxes
  2. Don’t use a “public” wireless connection (airport, hotel, coffee shop) to file your taxes
  3. Update your system and use anti-virus before starting on your taxes

What To Do

So, if you’ve been getting all your Internet access from the public library computers, what do you do?  If you have a good friend you trust, ask if you can use their computer and Internet access.  If you don’t have that good of a friend, ask your library (or other access point) what they are doing to make sure you are safe when using their computers.

Determining whether a wireless access point is secure is more difficult, and requires some technical knowledge, but it can be done.  First, make sure that you are connecting to an “Access Point (AP)”, not an ad hoc network.  When you look at the list of networks, the icons indicate whether it’s an AP or an ad hoc network.  Ask the provider what the network name is supposed to be.  Attackers sometimes set up “fake” APs to lure you into connecting to them instead of the “real” access point.  Consider using your cell phone connection (tethering) if you’re in a public location.

If you have a VPN available to you through your job, consider using it to further protect yourself (check company policies first!).

The Reasoning

Now, for the longer version.  This gets a little technical, but I’ve tried to link to “layman’s” articles describing the possible attacks in detail.


“Identity Thieves” steal credit card numbers left and right – it’s really not that big of a deal, just an annoyance.  When’s the last time you were able to open an account or take out a loan based only on one of your credit card numbers?  Generally, you need your social security number, address and phone number to open such accounts – you may or may not need your actual mother’s maiden name – that’s just setting up a (poor) shared secret.  What’s on your tax return?  Your full social security number and address – and if you’re married or have dependents, your family’s information as well.  When’s the last time you pulled a credit report on your kids to make sure no one’s opened an account in their name – without you knowing?  I thought so.  Go do it now – they get free reports every year just like adults do.

When you do your taxes 100% online, you are sending that information to the provider over a secured (SSL) connection.  But, you are using a web browser to do so.

Don’t use a “public” computer

Public computers are “dirty” (not just in a physical sense), and you don’t know where they’ve been or who has been using them.  Most places that offer computers for public use have IT staff on hand to watch for suspicious activity or hardware, but not always.  Almost all use some kind of “kiosk” software to wipe the machine back to a known state between uses – if you see other people’s documents on the desktop or downloads folder, it’s likely not running kiosk software.

An attacker can install a keylogger (physical or software) on the machine and log every keystroke you make – including usernames, passwords, and social security numbers.

An attacker can install a proxy which forces all of your web traffic through a machine they control.  Yes, you can proxy SSL traffic – very easily when you have control of the users’ endpoint/desktop.

Don’t use a “public” wireless connection

Like public computers, public wifi is “dirty”.  You are sharing all of that bandwidth with every other person using that AP.  So, anything unencrypted can be seen by anyone who can connect.  And just because there’s a password on it, doesn’t mean much – those passwords can be cracked with about 4GB of data – under 10 minutes on a very busy network.

Your machine is also available to be attacked by anyone else on the network.  Have file sharing turned on?  It’s available without much effort to anyone else on the network.  Make sure you’ve got your firewall turned on and blocking everything possible!

The general recommendation is to make sure that you are using SSL when connecting to any web site, but recent vulnerabilities make an SSL Man-in-the-Middle (MITM) attack possible – sometimes without your knowledge.  SSL depends on a trusted infrastructure of a bunch of people doing the right thing, a bunch of policies, and a bunch of technology (read more about Public Key Infrastructure).  In the last few months, attacks have weakened SSL (Heartbleed and POODLE).  There’s quite a bit of discussion in the security community on whether SSL is still “good enough” to continue using or if we should consider another protocol (TLS is one, but very similar to SSL).

Update your system and use anti-virus

These are basic tenets of computer security.  Some of the attacks described above depend on “broken” software.  For the particular ones described above, they’ve all been patched by the respective vendors.  Keeping your system up-to-date helps reduce the chances of an attack succeeding.  Keeping anti-virus software installed (and running!) can also detect things like keyloggers.

If your public computer provider is doing these two things, they’ve gone a long way towards making you safer online.

Detailed Financial Picture – January 2015

December’s Numbers

As of January 12, 2014, we are $13,500 in debt without a mortgage to speak of (yet).  We currently have $546,471.98 in assets.  Our investment accounts are at $425,862.38. Our Net Worth is $532,971.98, up from $522,285.88 last month (2.05% increase).

I almost forgot to include our HSA into the above values.  I only included the amount that’s in the “investment” side under investments and the remaining as cash.  Part of the large increase in assets was the 2250 that was contributed to our HSA for us by Dad’s company.  That won’t happen any more this year, but we’re contributing $367/mth which with a small change in December (to $363) will max out our HSA.  I’ve got it set up that 2250 stays in the “cash” account, and anything else above that gets swept into the investment piece.  We can then use it for medical expenses if we need to.  There’s a minimum balance of 2k in the “cash” part of the account.

The markets have been up and down since Christmas, and so have our balances.  I am enjoying the lower gas prices though!

We toured our half finished house on Friday, and the production manager is thinking we might move in in early March (about one month ahead of schedule).  It depends on when the hardwood flooring is delivered and if we have any more extreme cold snaps.  He said if the flooring is there by the end of the first week of February, it’s very likely we’ll be moving in at the end of February or early March.  Normally, I love cold weather, but this time I’m going to hope for mild weather so that we can move out of my mother’s house sooner!

The money for closing is sitting in our bank account, but if we close in February rather than March, we might have to float the cost of the refrigerator on our line of credit until we get the credit from the storage company.  We can already float the move for 30 days on our credit card (and get cash back!), which may be all we need.

Debt (in the order we’re paying it down):

  • Line of credit (8.75%): $0.00
  • Chase (4.99% for life): $0.00
  • Student loans (aggregated 4.21%): $0.00
  • Car loan (0%): $13,500 (-500.00)
  • Mortgage (4.125%): $0.00 

Total paid off in December:  $500

December 2014 Early Retirement Progress

We contributed $4,797.72 this month to our retirement accounts.  We lost $2,275.18 in investment value this month.

I did realize that my end of year numbers don’t quite match up with the actual balances in our accounts – the statements don’t include dividends in the “investment gain”.  So our actual end of year balances are almost 10k higher than my value.  I need to figure out how to make sure those dividends get added into the calculations for 2015.

We did really well this year, and I may contribute another $500 to my Roth for 2014 if we fall under the AGI limits.  I have $9500 in there, and another $500 would let me qualify for Fidelity’s advantage class of mutual fund, dropping my investment expenses for that account. I need to do our taxes first before I can see if we can do that this year.

2014 Totals

In 2014 we contributed $45,689.7 (114.22% of our goal of 40k), and we’ve made $29,804.04 in investment gains (147.10% of our planned total).

Our ending account balance (according to my numbers) was $413,181.62 (vs a planned $397,949.15)

2014 Goals – Massive Fail

I made a few goals for 2014, almost none of which worked out.  Oh well, I wasn’t expecting to pick up and move either!

Health Goals

Massive Fail here.

  • I gained 20lbs instead of losing 15: FAIL.
  • I started out the year exercising, but then we moved, and I haven’t gotten back into it other than trying to make 10k steps per day via my Fitbit: FAIL
  • Eating 3 servings of fruits or veggies a day?  Nope: FAIL  I’m lucky to get one at dinner…

Financial Goals

Technically failure, but only because we sold our house and lost that asset, although it may have been close if we hadn’t sold the house.

  • Pay off all non-mortgage debt that carries interest.  Everything but the car (at 0% interest) is paid off: SUCCESS
  • Get to 650k Net Worth.  We are sitting about 550k, which without the house is really darn good. If we hadn’t sold the house, we’d have been above 650k based on Zillow’s current estimate of our old house.  FAIL
  • Increase our assets to 1.2 million.  Without the house, we’re down over half a million.  We might have made it to 1.2 million with the house.  FAIL

Household/Parenting Goals

  • Get rid of diapers – we have stopped using her cloth diapers – they don’t fit her any more, so we’ve had to move to pull-ups for at night.  At least we’re completely out of diapers during the day with very few accidents!  I have a feeling we’ll not be buying any more pull ups though, we’re starting to have a couple of nights where she wakes up dry. We’re also not really pushing diaperless at night because of the moving. I’m gonna call this one a (technical) SUCCESS
  • Get rid of another 365 things in 365 days.  We got rid of way more, both via donations and taking things to the dump.  I am already starting a list of things to get rid of once it’s out of storage: SUCCESS
  • Finish the tile in our basement project.  I paid someone to do this, but it was done ($750 including painting!) to show the house:  SUCCESS

The good thing is that we’ve made a serious commitment to saving more for our early retirement this year.  I’ve increased my salary, we’ve upped our contributions to max out our 403(b)s in 2015, as well as contributing to an HSA and hopefully two Roths next year.  Our retirement accounts have increased significantly (from $337,687.88 in January to $423,630.36 at the beginning of December), even if our Net Worth didn’t.

Early next year, I’ll be posting my goals to fail at for 2015.  Have a happy and safe New Year!

Year End Dividends – Happy Holidays!

Fidelity paid out their end of year distributions on 12/19 this year.  We received just over 5k in the December payouts, bringing us to a total of just over 9k of payouts for the year (vs just over 5k last year).  Unfortunately, all but $60 of that is in tax-advantaged accounts and not available to us yet.  It’s nice to know what our yearly “income” is from our investments though.

Once those payments cover our basic living expenses, we can definitely retire and never need to withdraw our principal.  Of course, 9k covers one month of expenses at the moment, but we’ll be adding more money into the account over the next ten years, and will hopefully pump that up.  In our ideal situation, the dividends/capital gains from our mutual funds completely cover our expenses, but I’m prepared to withdraw principal at a 3% rate as well.

Maybe next year we’ll get almost 20k!  I’ll be happy at 15k, but at the new rate we’re putting in money, we should see a significant increase this year.

Have a Happy and Safe Holiday Season!

Geographic Arbitrage of State Taxation in Retirement

We’ve come into a very interesting situation since moving states: Pennsylvania taxes all contributions to a “tax-deferred” account (like a 401(k)/403(b) or Traditional IRA).  BUT, it does not tax withdrawals on those accounts.  We have about 400k that we won’t have state taxation on if we stay in the Commonwealth of Pennsylvania – AND we didn’t pay state tax in VA on that amount either.  However, over the next ten years, we’ll be paying PA state tax on about 750k of contributions to our retirement accounts.  If we then move to a state that taxes retirement withdrawals (like Virginia, Colorado, etc), we’ll end up being “double taxed” on that 750k.  If we don’t want to double pay state taxes, we’re stuck with retiring in states that don’t have an income tax or don’t tax retirement withdrawals.

However, it does present a potential for geographic arbitrage if you are so inclined – you may never have to pay state taxes on your retirement money.  Earn it in a state where you can deduct it (following federal rules), and then withdraw it in a state that doesn’t tax it.  Note, I didn’t say *spend* it in that state necessarily….  I have some ideas percolating on how to withdraw all of it prior to leaving the state of PA.  It also bolsters my argument for moving to a state like Wyoming to retire – sorry, most of the other non-tax states are too far south for my tastes!

Disclaimer: I am not a CPA, and this is just my interpretation of PA’s taxation rules.

Have you considered what moving in retirement may do to the taxation of your “tax-advantaged” money?

To rollover or not – the importance of choice and fees

When you leave a job, you generally have the option to roll over your 401(k)/403(b) to an IRA or to your new 401(k)/403(b) plan.  In our history, I’ve always rolled over our accounts to a Fidelity Rollover IRA.  Dad and I each have one – collecting all of our previous employer plans into one.  They’re at Fidelity because that’s where my first 401(k) was and it’s been convenient.  And currently, Dad’s 403(b) and 401(a) are through Fidelity.

For the majority of my working career, I had a SIMPLE IRA through Fidelity – I was able to buy/sell *anything* Fidelity offered for a $25/year fee (plus commissions, mutual fund fees, etc).  I learned early on to just buy NTF (no transaction fee) funds and save myself that fee, but I didn’t understand mutual fund expense ratios.  I just picked what looked good and was recommended – yeah, I was naive.  Over the years though, I’ve learned better.

When my company moved from a SIMPLE IRA to a “real” 401(k), we had some pretty pathetic choices.  I had already learned about mutual fund expense ratios by then, and the lowest possible fee was 0.23% for a Russell 3000 Index private fund (seriously, there was no public ticker symbol for it).  I put 100% of my money into that fund, and made up the rest of our allocation in our Rollover IRAs and in Dad’s 403(b).  What if I didn’t have another option?  I would have had to try to make up my desired allocation from high fee funds ( > 1%) and would have spent dearly for it.

Most recently, up until yesterday, we had had a 5% allocation in REITs – and Dad’s 403(b) offered a REIT fund with what I thought was a halfway decent fee: 0.77% (CSRIX).   With all of our other expense ratios being less than 0.25% (most in the 0.05-0.07% range), I was seriously considering eliminating our real estate allocation.  I did some more research on whether I wanted to keep the real estate in my allocation enough to continue paying the fee.  I also looked through Fidelity’s offerings, and found FSRVX at a 0.09% net and 0.19% gross ER – I pay .09% until Fidelity decides to not discount it anymore.  It gave us exposure to real estate for a lot less.  I sold the CSRIX shares in Dad’s 403(b) account and bought FSRVX in my Rollover IRA. We have an agreement that my account maintains higher risk than his does, so I get things like REITs, small cap, emerging markets, etc and his focuses more on bonds and total market.  Since we balance our allocation across multiple accounts, it really doesn’t make any difference.

How do fees play into this?

Most people would agree that a fee of 0.19% is better than a fee of 0.77%, but by how much?  If the fund’s performance was 6% annually, then the fund with .19% fees would actually return 5.81% and the fund with .77% fees would return 5.23% – which would you rather have?  Over 10 years, that’s a huge difference.  The charts below assume a starting contribution of 10k, and no continuing contributions (meaning “the real world” has an even larger difference).

Hypothetical Growth of 10k

After Year    At 5.81%       At 5.23%
Start         10000          10000
1             10581          10523
2             11195.7561     11073.3529
3             11846.22953    11652.48926
4             12534.49547    12261.91444
5             13262.74965    12903.21257
6             14033.31541    13578.05059
7             14848.65103    14288.18263
8             15711.35766    15035.45459
9             16624.18754    15821.80886
10            17590.05283    16649.28946

As you can see, there’s a $940 difference at the end of ten years.  It grows to a difference of $4441 if you contribute 10k each year.  And that’s the difference of 0.58% in fees – imagine what you’re paying if you have fees over 1%!
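Both figures can be reproduced with a short script. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes the yearly 10k goes in at the start of each year, which is the timing that reproduces the $4441 figure.

```python
def net_rate(gross_pct, expense_ratio_pct):
    """Annual return after fees, as a fraction (6% gross, 0.19% ER -> 0.0581)."""
    return (gross_pct - expense_ratio_pct) / 100.0


def balances(start, rate, years, yearly_contribution=0.0):
    """Year-end balances for each year.

    Assumption: the starting amount is invested at the beginning of year 1,
    and any yearly contribution is added at the beginning of years 2..N,
    before that year's growth is applied.
    """
    out = []
    balance = float(start)
    for year in range(1, years + 1):
        if year > 1:
            balance += yearly_contribution
        balance *= 1.0 + rate
        out.append(balance)
    return out


def fee_gap(gross_pct, low_er_pct, high_er_pct, start, years,
            yearly_contribution=0.0):
    """Final-balance difference between the low-fee and the high-fee fund."""
    low = balances(start, net_rate(gross_pct, low_er_pct),
                   years, yearly_contribution)[-1]
    high = balances(start, net_rate(gross_pct, high_er_pct),
                    years, yearly_contribution)[-1]
    return low - high


if __name__ == "__main__":
    # The post's scenario: 6% gross return, 0.19% vs 0.77% expense ratio.
    cheap = balances(10000, net_rate(6, 0.19), 10)
    pricey = balances(10000, net_rate(6, 0.77), 10)
    for year, (a, b) in enumerate(zip(cheap, pricey), start=1):
        print(f"{year:>2}  {a:>12.2f}  {b:>12.2f}")
    print("one-time 10k, gap after 10 years:",
          round(fee_gap(6, 0.19, 0.77, 10000, 10), 2))
    print("10k every year, gap after 10 years:",
          round(fee_gap(6, 0.19, 0.77, 10000, 10, 10000), 2))
```
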

If you have the opportunity to roll over an old workplace plan – unless you’ve got stellar choices already – it sometimes pays to do so.  Most brokerages offer rollover IRAs – pick your favorite low-fee broker and put everything together.  You’ll have access to their full range of funds, and there are very few online brokerages which don’t offer NTF funds of some sort, although Vanguard is well known for their low cost index funds (in my opinion, Fidelity’s Spartan funds are pretty darn close and not worth moving everything).  You’ll still have to pick the best options in your employer plan, but you’ll have the flexibility to buy cheaper funds elsewhere (but still tax advantaged).

And I would be remiss in not mentioning this, but if you have a rollover IRA hanging around – I really don’t recommend trying a backdoor Roth, you’ll get royally screwed on taxes.  This disadvantage can be overcome by rolling any IRA you have into a current employer’s plan.

Cash Back Shopping Apps

And I don’t mean the credit card kind.  I mean the apps that are available like ibotta, checkout51 and Walmart’s new Savings Catcher.

I don’t earn a lot, but in the last few months, I’ve earned about $20 between the three of them.  Sometimes, I earn a “cash back” on one item multiple times through the different apps – it depends on what it is.

Ibotta especially focuses on name brand items, but occasionally has “generic” items available, like milk, bread and eggs.  Checkout51 pretty reliably has bananas every week, as well as the occasional milk and bread. Ibotta is store specific, ALDI’s isn’t an option there, but Costco (and the local liquor store) is.  Checkout51 doesn’t care where the receipt is from as long as it’s pretty obvious that you bought the item in question.

The WalMart Savings Catcher is a relatively recent addition to my phone – it “scans” through published ads and matches them to items on your receipt – so you don’t have to remember your ads or remember to ask them to match.  From what I can tell, it doesn’t cover WalMart’s entire ad matching policy (doesn’t allow non-branded items like produce and meat), but it gets the rest.   Other than Costco, WalMart is my primary grocery store, so it was worth looking at (and I can still get ibotta/checkout51 rebates on the same receipt).

I’m not hugely brand loyal, so I don’t get a lot of money from these things, but if you are brand loyal or even brand agnostic, you might be able to “make” more than I do.  I don’t even bother to look at the apps until after I’ve already purchased my groceries, so I don’t tailor my shopping to meet their lists. I get the brand I want or the cheapest option – the 25-50 cents that I get from the apps doesn’t make up for the price differences usually.

Disclaimer: I just use these apps, I have no affiliation with them in any way.  I also know that they are recording what some people refer to as sensitive information, and folks aren’t OK with that.  As I see it, the stores can already trace my purchases back to me via my credit card, so it’s not a privacy issue for me.

Does anyone else use the cash back shopping apps?  Or am I the only one willing to take pictures of my receipt and scan barcodes for some cash back?  Any other apps I should look at?

Detailed Financial Picture – December 2014

November’s Numbers

As of December 4, 2014, we are $14,000 in debt without a mortgage to speak of (yet).  We currently have $536,285.88 in assets.  Our investment accounts are at $423,630.36. Our Net Worth is $522,285.88, up from $504,813.87 last month (3.46% increase).

November was a relatively quiet month.  We spent more than usual because we bought all our Christmas gifts (but it was only about $600 more than usual), but still quite low spending for us (yay no house!).  We’re paying storage fees at the moment, and our mortgage plus “escrow” will be almost twice the storage fees.

Dad had his annual review a few days ago and will be getting a nice  bonus and 2.something% raise.  We might open a Roth for 2014 for him if our AGI allows us to.  Or we might use it to fully fund our HSA at the beginning of the year.  Dad doesn’t get to contribute to his HSA via payroll deductions, so we have to manually contribute after-tax dollars and then claim the deduction on our taxes.  I’m debating on whether to contribute to the HSA his company uses (Optum bank) or open our own separate one for our contributions.  We can’t get access to the investment options or documents until we open the account, and we can’t open the account until 2015 when we’re covered by the new plan – not that I’ve been able to find anyway. Anyone have an HSA “bank” they’re particularly happy with?

Debt (in the order we’re paying it down):

  • Line of credit (8.75%): $0.00
  • Chase (4.99% for life): $0.00
  • Student loans (aggregated 4.21%): $0.00
  • Car loan (0%): $14,000 (-500.00)
  • Mortgage (4.125%): $0.00 

Total paid off in November:  $500

November 2014 Early Retirement Progress


We contributed $4,817.72 this month to our retirement accounts.  We gained $6,479.76 in investment gains this month.

We’ve now contributed over our annual goal of $40k into our accounts – one month early.  One big thing that helped us is that my company match changed from 4% to 8%.  The other thing that helped is that both Dad and I are now maxing out our 403(b) plans.

I learned something interesting during open enrollment for Dad – he has a “mandatory” 2% contribution to a 401(a) plan – and it doesn’t count “against” the IRS limit of 17,500 (for 2014).  The IRS limit is for “elected” contributions, and the 2% isn’t elective, so he’s really getting to put aside almost $20,000 through his company’s plan this year.  We just clicked the “take the maximum out” checkbox in February and left it at that.  And as of January 1, 2015, he’ll be fully vested in his 401(a)/403(b) plans.  I still have to wait three years to be vested in my 8% match.

Next year, we’re hoping to contribute up to $70k via company plans, Roths, an HSA and our taxable accounts.  We *might* squeak out $75k.  I’m inordinately excited about how much we can save towards our retirement next year! That makes me weird in a good way, right?

2014 Totals

So far, for 2014, we’ve contributed $40,891.98 (102.23% of our goal of 40k), and we’ve made $32,079.22 in investment gains (158.33% of our planned total).