4.24.2007

A Potentially Tax-ing Problem

For most Americans out there, April marks our most hated time of year - tax season. While I understand this topic may be a good two weeks past its prime, I couldn't shake a nagging feeling after filing my taxes. With the IRS's recent adoption of eFiling as the de facto standard for filing taxes, has society yet again forsaken security for speed?

Sure, you can still file the old-fashioned way, good ol' snail mail. This, of course, comes with a few more weeks of waiting for your return (if you're lucky enough to get one) and tends to be more error-prone than the online alternative. Therefore, it's no surprise that more and more Americans are filing electronically. Sure, electronic filing has its benefits - no one will argue that. However, I would be remiss to state that the benefits outweigh the potential harmful consequences.

Taking a step back, last week as I was reading through my traditional sites, I noticed a story on Digg informing users that Valve was hacked. Turns out that a friend of mine had an account with them. When he found out, his first reaction was that he needed to cancel his credit card. Smart move.

Now what would happen if a tax server were successfully hacked? You can't simply call up the government and request to cancel your social security number (well... you can, but they offer very few SSNs every year, and even if you get one, you literally start your life over - e.g. no credit history, etc). Let's take a second and think about this: What information is required when filling out taxes? Name, address, SSN, birthday, marital status, work history, salary, etc, etc, etc. Seems like a delicious amount of PII (Personally Identifiable Information). Identity theft anyone?

Am I too paranoid? I think not. I admit I file my taxes online (yes, I know I probably shouldn't - unfortunately it's too late for me), and this year I couldn't remember my password. "Forgot Password"? Why yes, yes I did. Of course, I was a little surprised to find the following email in my inbox:


Yes, they did indeed send me my password in plain text. Of course, this means they more than likely store it on their servers as plain text. Even entry-level college courses stress the need to hash passwords to keep the information from hackers as well as 'curious' employees. On top of that, many mail clients do not connect over SSL, which then leaves open the possibility of sniffing the email. I would honestly like to see more from a company holding that much of my information.

Needless to say, I have my concerns.

5 comments:

Stephen Davis said...

Hence the reason why I am writing my article about hacking everyday college students. If I were to "acquire" someone's email password, I have access to their entire email (inbox, outbox, saved drafts, etc.). Most people never delete email and I find many other venues for attack. I mean no level-headed individual would have the admin account to a website they were designing for a company in any email....oh wait they did.

Timothy W. Martin said...

I agree with your points Steve (J), but snail-mail filing isn't what I would call a safe solution either. Mailbox and post office theft has been a problem for many decades, and is still a concern - that's why you are never supposed to send cash in the mail. If the USPS were to "lose" someone's tax return, that could be a very serious problem. Or if someone broke into a big blue mailbox, or took yours out of your home's box when the flag was up...etc. All this to say, eFiling has the potential to be much safer than snail-mail if even a few basic principles were kept in mind.

Steve Jackson said...

I'm not sure I agree with you, Tim. If you were to file your taxes ahead of time via snail mail, the odds of someone grabbing it would be pretty low since a) early filing would avoid the end rush and b) there would be only a few people touching it as it gets delivered. When your taxes are saved on a server online, EVERYONE can try to get their hands on it. I like snail mail's odds a lot better.

Timothy W. Martin said...

Thieves aren't looking for just your taxes, and they don't only hunt during the normally scheduled tax season.