Filing Taxes Online this Year? Consider Some of these Security Safety Tips

Disclaimer: I do not (nor will I ever) file my taxes 100% online, à la TurboTax Online.

Some of you may know that my day job is in information security.  As we all look at filing our taxes this year, I wanted to give you some tips if you choose to use one of the online services.  I don’t mean using the desktop version of the software and then e-filing, but using a web browser only to complete and file your taxes.  Although some of these rules apply in many situations, your social security number(s) and tax information in combination make it very easy for opportunistic thieves to steal your identity.

Luckily, to my knowledge, Intuit – at least – has never had a breach of their e-filing systems – and they are a clearinghouse for e-filing, so they’ve got that information already.  (Although, I am a bit surprised, because that’s a *lot* of sensitive information just waiting to be attacked…)  Not that it can’t happen, but it hasn’t happened yet.

TL;DR Version (also the I don’t want to know what can happen, so I’ll stop here version)

  1. Don’t use a “public” computer (public library) to file your taxes
  2. Don’t use a “public” wireless connection (airport, hotel, coffee shop) to file your taxes
  3. Update your system and use anti-virus before starting on your taxes

What To Do

So, if you’ve been getting all your Internet access from the public library computers, what do you do?  If you have a good friend you trust, ask if you can use their computer and Internet access.  If you don’t have that good of a friend, ask your library (or other access point) what they are doing to make sure you are safe when using their computers.

Determining whether a wireless access point is secure is more difficult, and requires some technical knowledge, but it can be done.  First, make sure that you are connecting to an “Access Point (AP)”, not an ad hoc network.  When you look at the list of networks, the icons indicate whether it’s an AP or an ad hoc network.  Ask the provider what the network name is supposed to be.  Attackers sometimes set up “fake” APs to lure you into connecting to them instead of the “real” access point.  Consider using your cell phone connection (tethering) if you’re in a public location.
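The checks above can be written down as a small script. This is an added example, not part of the original post: the scan records, their field names and the network names are constructed sample data, not the output of any particular tool.

```python
from collections import defaultdict

# Constructed sample scan: what a laptop might see in a coffee shop.
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop-Guest", "bssid": "02:00:00:00:00:01",
     "mode": "infrastructure", "security": "WPA2"},
    {"ssid": "CoffeeShop-Guest", "bssid": "02:00:00:00:00:99",
     "mode": "infrastructure", "security": "open"},
    {"ssid": "CoffeeShop Guest FREE", "bssid": "02:00:00:00:00:42",
     "mode": "infrastructure", "security": "open"},
    {"ssid": "Free Public WiFi", "bssid": "02:00:00:00:00:77",
     "mode": "ad-hoc", "security": "open"},
    {"ssid": "Neighbor-Net", "bssid": "02:00:00:00:00:10",
     "mode": "infrastructure", "security": "WPA2"},
]

def normalize(name):
    """Lower-case and drop punctuation/spaces so look-alike names compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def assess_networks(scan, expected_ssid):
    """Return {bssid: [reasons]} for networks showing a warning sign."""
    security_by_ssid = defaultdict(set)
    for net in scan:
        security_by_ssid[net["ssid"]].add(net["security"])

    flagged = {}
    for net in scan:
        reasons = []
        if net["mode"] != "infrastructure":
            reasons.append("ad hoc network, not an access point")
        if net["ssid"] == expected_ssid:
            # Same name offered both protected and open: the open one is suspect.
            if net["security"] == "open" and len(security_by_ssid[net["ssid"]]) > 1:
                reasons.append("same name as a protected network but unencrypted")
        elif normalize(expected_ssid) in normalize(net["ssid"]):
            reasons.append("look-alike of the name the provider gave")
        if reasons:
            flagged[net["bssid"]] = reasons
    return flagged

if __name__ == "__main__":
    for bssid, reasons in assess_networks(SAMPLE_SCAN, "CoffeeShop-Guest").items():
        print(bssid, "->", "; ".join(reasons))
```

A network that passes these checks is not proven genuine, since a fake AP can copy both the name and the security setting of the real one.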

If you have a VPN available to you through your job, consider using it to further protect yourself (check company policies first!).

The Reasoning

Now, for the longer version.  This gets a little technical, but I’ve tried to link to “layman’s” articles describing the possible attacks in detail.

Background

“Identity Thieves” steal credit card numbers left and right – it’s really not that big of a deal, just an annoyance.  When’s the last time you were able to open an account or take out a loan based only on one of your credit card numbers?  Generally, you need your social security number, address and phone number to open such accounts – you may or may not need your actual mother’s maiden name – that’s just setting up a (poor) shared secret.  What’s on your tax return?  Your full social security number and address – and if you’re married or have dependents, your family’s information as well.  When’s the last time you pulled a credit report on your kids to make sure no one’s opened an account in their name – without you knowing?  I thought so.  Go do it now – they get free reports every year just like adults do.

When you do your taxes 100% online, you are sending that information to the provider over a secured (SSL) connection.  But, you are using a web browser to do so.

Don’t use a “public” computer

Public computers are “dirty” (not just in a physical sense), and you don’t know where they’ve been or who has been using them.  Most places that offer computers for public use have IT staff on hand to watch for suspicious activity or hardware, but not always.  Almost all use some kind of “kiosk” software to wipe the machine back to a known state between uses – if you see other people’s documents on the desktop or downloads folder, it’s likely not running kiosk software.

An attacker can install a keylogger (physical or software) on the machine and log every keystroke you make – including usernames, passwords, and social security numbers.

An attacker can install a proxy which forces all of your web traffic through a machine they control.  Yes, you can proxy SSL traffic – very easily when you have control of the user’s endpoint/desktop.

Don’t use a “public” wireless connection

Like public computers, public wifi is “dirty”.  You are sharing all of that bandwidth with every other person using that AP.  So, anything unencrypted can be seen by anyone who can connect.  And the fact that there’s a password on it doesn’t mean much – those passwords can be cracked with about 4GB of data – under 10 minutes on a very busy network.

Your machine is also available to be attacked by anyone else on the network.  Have file sharing turned on?  It’s available without much effort to anyone else on the network.  Make sure you’ve got your firewall turned on and blocking everything possible!

The general recommendation is to make sure that you are using SSL when connecting to any web site, but recent vulnerabilities make an SSL Man-in-the-Middle (MITM) attack possible – sometimes without your knowledge.  SSL depends on a trusted infrastructure of a bunch of people doing the right thing, a bunch of policies, and a bunch of technology (read more about Public Key Infrastructure).  In the last few months, attacks have weakened SSL (Heartbleed and POODLE).  There’s quite a bit of discussion in the security community on whether SSL is still “good enough” to continue using or if we should consider another protocol (TLS is one, but very similar to SSL).

Update your system and use anti-virus

These are basic tenets of computer security.  Some of the attacks described above depend on “broken” software.  For the particular ones described above, they’ve all been patched by the respective vendors.  Keeping your system up-to-date helps reduce the chances of an attack succeeding.  Keeping anti-virus software installed (and running!) can also detect things like keyloggers.

If your public computer provider is doing these two things, they’ve gone a long way towards making you safer online.
