As the old saying goes, only two things in life are certain: death and taxes. The tax deadline is looming, and on top of the taxes themselves, we now have to worry about filing them online. Last year, more than 70 million taxpayers filed their returns electronically. No one knows how many of those filings were compromised, because hackers who steal data don't announce it. But you have to ask: why wouldn't hackers attack these sites? Aren't they the perfect target, with all of your sensitive information (social security numbers, address, spouse's name and details, bank account numbers, etc.) stored in one place? The quick answer is yes. Just as the old Al Capone line explains why he went after the banks ("because that's where the money is"), hackers go where the information is.

The sky is not falling (yet), but an educated consumer is always the smart consumer, and it's good to know what you don't know. Many sites, especially the larger ones, have taken significant measures to secure themselves, but there are still plenty of holes that hackers can exploit. Here are five things your online tax filing provider might not want you to know; they can help you make the right choice as you reluctantly dive into your tax filing.
# 1 - Security Seals provide a false sense of security
Most seals displayed on web sites provide a false sense of security. They usually certify nothing about the security of the application itself; they speak to the authenticity of the server your browser is connecting to. Secure Sockets Layer (SSL), for example, has its own valid purpose, but it only certifies that the server the browser is talking to is the genuine site rather than an impostor, and it encrypts the data in transit. One of the most common seals on web sites today is VeriSign's. These seals serve a purpose and do provide some level of security. However, hackers still come in through the same forms and fields that consumers use, to exploit the applications underneath.
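To make the "forms and fields" point concrete, here is an added example (not code from the original post or from any tax provider) of the same taxpayer lookup written two ways against a constructed in-memory SQLite table. The table, the names and the SSNs are made up. The point is that SSL encrypts the form value on the wire and then hands it to the application unchanged; whether the application treats that value as data or as part of its query is what decides the outcome.

```python
# Added example (not from the original post): SSL/TLS protects the connection,
# not the application behind it. The same form field that a consumer types into
# is the input a hacker tampers with. Below, a taxpayer-lookup query is written
# two ways against a constructed in-memory SQLite database.
import sqlite3

# Constructed sample data; the SSNs, names and account labels are made up.
SAMPLE_RETURNS = [
    ("123-45-6789", "A. Taxpayer", "checking-0001"),
    ("987-65-4321", "B. Filer", "savings-0002"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed tax return rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE returns (ssn TEXT, name TEXT, bank_account TEXT)")
    conn.executemany("INSERT INTO returns VALUES (?, ?, ?)", SAMPLE_RETURNS)
    return conn


def lookup_unsafe(conn, ssn_from_form):
    """Vulnerable: the form value is pasted into the SQL text, so it can change the query."""
    sql = "SELECT ssn, name, bank_account FROM returns WHERE ssn = '%s'" % ssn_from_form
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ssn_from_form):
    """Hardened: the form value is bound as a parameter and is only ever compared as data."""
    sql = "SELECT ssn, name, bank_account FROM returns WHERE ssn = ?"
    return conn.execute(sql, (ssn_from_form,)).fetchall()


def compare(ssn_from_form):
    """Return (rows from the unsafe lookup, rows from the safe lookup) for one form submission."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, ssn_from_form), lookup_safe(conn, ssn_from_form)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate submission behaves identically either way.
    print(compare("123-45-6789"))
    # A tampered field (constructed; the textbook tautology) dumps every row from
    # the unsafe version, while the safe version matches nothing. Encryption on the
    # wire changes none of this: the server decrypts the field and runs it all the same.
    print(compare("' OR '1'='1"))
```

The fix is not a seal or a certificate but the second function: a bound parameter cannot alter the query, so the worst a tampered field can do is match no row. That is what "securing the application underneath" means in practice.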
# 2 - Privacy policy doesn't imply security
A privacy policy is important for companies to have, so that they don't share your information with third parties or spam you with emails about their marketing promotions, but it does not provide security for your information stored in their databases and applications. Most consumers assume that by having a privacy policy a company is guaranteeing that their information will be secure from hackers. Not true.
# 3 - Servers in a locked facility don't stop hackers
Many online tax service providers tout their physical security and the fact that their servers are locked away in a secure facility. Good for them. However, although physical security is an important element, it doesn't prevent hackers from coming in through the web site, getting into the database, and stealing information. It's like putting all your cash in a locker but leaving the key on top so anyone can open it.
# 4 - Sessions don't always expire
So you log in to the site with your user id and password, complete your return, and think you are done. But if you didn't log out, your session might still be active and can easily be stolen by hackers. More and more sites are cognizant of this issue and make sure that sessions expire, but some sites might still be vulnerable. Make sure that you log out of the site rather than just closing your browser.
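Why closing the browser is not the same as logging out comes down to where the session actually lives. The following is an added example (not code from the original post or from any provider) of a minimal server-side session store: the browser only holds a cookie with the session id, and the record on the server stays valid until the site expires it or the user logs out. The timeout values and the injectable clock are assumptions made for the example.

```python
# Added example (not from the original post): a minimal server-side session store
# showing why "closing the browser" is not "logging out". The browser only drops
# its copy of the cookie; the session record on the server lives until the site
# expires it or the user logs out. The timeouts and the clock are assumptions.
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: end a session after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: end every session 8 hours after login, regardless


class SessionStore:
    """In-memory session table keyed by an unguessable session id."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the example can fast-forward time
        self._sessions = {}      # session_id -> {"user", "created", "last_seen"}

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness; never derived from user data
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        """Explicit logout: the record is destroyed, so a copied id is useless afterwards."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Validate a presented session id; return the user, or None if invalid or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)      # expire on the server, not just in the browser
            return None
        rec["last_seen"] = now
        return rec["user"]


def scenario():
    """Walk through the post's situation with a fake clock; return what each check saw."""
    fake_now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: fake_now[0])

    sid = store.login("taxpayer")
    still_valid_after_close = store.user_for(sid)   # browser closed, cookie reused: still "taxpayer"

    fake_now[0] += IDLE_TIMEOUT + 1                  # user wandered off; the idle timeout passes
    expired_by_idle = store.user_for(sid)            # None: the server ended it

    sid2 = store.login("taxpayer")
    store.logout(sid2)
    after_logout = store.user_for(sid2)              # None: explicit logout kills it immediately

    return still_valid_after_close, expired_by_idle, after_logout


if __name__ == "__main__":
    print(scenario())   # ('taxpayer', None, None)
```

The first result in `scenario()` is the problem the post describes: nothing on the server noticed the browser closing. The second is the site's own safeguard (an idle timeout), and the third is the one the consumer controls (logging out). A site that implements neither timeout leaves the record valid indefinitely, which is why the advice is to log out rather than rely on the provider.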
# 5 - They are not liable for anything
Read the fine print in the terms (the ones you are supposed to check at the bottom and never read). Almost all of these providers, including the big ones, have a security disclaimer. It goes something like this: "...Company X doesn't warrant that the software or services are secure..." And in their Limitation of Liability clause, their liability is limited to the amount you paid for the software or services. Whoopie, all $14.95 or $29.95 of it! What about all your personal information that's stolen by hackers and used to create fake identities or break into your bank accounts? None of that is covered.
Solutions
What can you do as a consumer? Ask your provider specifically what they are doing to secure the web applications that sit underneath their web sites. Not SSL. Not network firewalls. The web applications. How secure are they? What are their processes for securing them? What happens if hackers get the information? If nothing else, this will force the companies to start thinking about it.
What can you do as an online provider? Test your web applications thoroughly and find the vulnerabilities. Automated solutions are available, both as software and as Software as a Service (SaaS), that can quickly point to the major security holes. Once you find them, prioritize by criticality and help your developers get the right resources to start fixing them as soon as possible. It's never too late to start.
- Mandeep Khera, Cenzic