Web Based Turbo Tax Disclosure Vulnerability Found
Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other users' tax return information. Reports state that things like bank routing information were available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."
Exaggerated synopsis (Score:4, Informative)
Re:No! (Score:4, Informative)
* Date/time of original request
* "Teller ID" (I called them to ask how to do this and they gave me this bit of information)
* Member name
* Member number (this is embedded in the routing number for my savings account)
* Daytime phone
* Amount
* Information on who gets the money
* Signature
The only parts of this which could be used for authentication:
* The fact that I called
* My name
* My member number
* My phone number
* My signature
Given my tax forms, one could easily find my name and phone number, and if I had chosen the option to wire to or from my checking account, my member number as well. (This is why I would have sent a check, although that doesn't help particularly since the number is still written on the check. I got a refund, however, so they'll be sending me a check instead and I don't have to worry about that particular hole.)
Calling them is easily doable by someone who isn't me. My signature, as much as I hate to admit it, is awful and pretty easily forgeable.
So, in summary: the information on a tax return is a significant fraction of what is needed to withdraw money from someone else's account. It may not be enough. But it certainly helps.
This is nothing new (Score:4, Informative)
Re:Here's a genius idea (Score:2, Informative)
H&R Block (Score:2, Informative)
news.com.com article [com.com]
Businessweek article [businessweek.com]
not fixed (Score:3, Informative)
Removing a link to a web page takes the "feature" away on the server...? Idiots.
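The point of the comment above is that hiding the link only changes what the client shows; if the server still hands out any return it is asked for, the hole is still open. The following is an added example, not code from TurboTax or Intuit, and everything in it (the in-memory `RETURNS` table, the session names, the log lines) is constructed for illustration. It shows the vulnerable lookup next to one that enforces ownership on the server, plus a small check over request logs that flags a session pulling many different return ids, which is how a defender would notice this kind of browsing after the fact.

```python
"""Server-side authorization for a 'view my return' endpoint, and a log check.

Added example, not the original service's code. All data is constructed.
"""

# Constructed sample store: return id -> record. Values are made up.
RETURNS = {
    101: {"owner": "alice", "ssn_last4": "1234", "routing": "021000021"},
    102: {"owner": "bob", "ssn_last4": "5678", "routing": "011000015"},
    103: {"owner": "carol", "ssn_last4": "9012", "routing": "026009593"},
}


class Forbidden(Exception):
    """Raised when the requesting session may not see the requested return."""


def get_return_link_hidden(session_user, return_id):
    """Vulnerable pattern (the one the comment is mocking).

    The UI only renders links to the caller's own returns, but the server
    never checks who is asking: any id that is guessed or bookmarked is served.
    """
    return RETURNS[return_id]


def can_view(session_user, return_id):
    """Ownership check that must run on the server for every request."""
    record = RETURNS.get(return_id)
    return record is not None and record["owner"] == session_user


def get_return_checked(session_user, return_id):
    """Hardened lookup: authorization is enforced regardless of how the
    client obtained the id. Missing and foreign records get the same
    response so the endpoint does not reveal which ids exist."""
    if not can_view(session_user, return_id):
        raise Forbidden("return not available to this session")
    return RETURNS[return_id]


# Constructed access log: "<session> <method> <path>" per line. sess-B walks
# through several different return ids, which is the pattern worth flagging.
SAMPLE_LOG = """\
sess-A GET /return/101
sess-A GET /return/101
sess-B GET /return/101
sess-B GET /return/102
sess-B GET /return/103
"""


def suspicious_sessions(log_text, max_distinct=1):
    """Return the set of sessions that requested more than `max_distinct`
    distinct return ids. A legitimate filer normally touches one return;
    a session sweeping many ids is the signature of this disclosure bug."""
    ids_per_session = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/return/"):
            continue  # ignore blank or unrelated lines
        session, path = parts[0], parts[2]
        return_id = path.rsplit("/", 1)[-1]
        if not return_id.isdigit():
            continue
        ids_per_session.setdefault(session, set()).add(int(return_id))
    return {s for s, ids in ids_per_session.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    # Vulnerable path: bob can read alice's routing number.
    print("unchecked:", get_return_link_hidden("bob", 101)["routing"])
    # Hardened path: the same request is refused.
    try:
        get_return_checked("bob", 101)
    except Forbidden as exc:
        print("checked:", exc)
    print("flagged sessions:", suspicious_sessions(SAMPLE_LOG))
```

The fix lives in `get_return_checked`, not in the template that decides which links to draw; the log check is the companion control, since an authorization bug like this one leaves a clear trail of one session touching ids it has no relationship to.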
Re:Here's a genius idea (Score:2, Informative)
Re:Penalty for the developers (Score:5, Informative)
If you want American (Score:4, Informative)
I share the caution about Indian programmers. I just dropped checking and savings accounts with Ameriprise (formerly Amex Bank), because in the several years since they shipped the programming off to India they still haven't gotten their site to work reliably in its basic operations. Even before security is considered, the incompetence is amazing. Now I'm seeing a downgrading in the usability of CitiBank's Website, where there's also been extensive recent offshoring - they can't be bothered to test for obvious JavaScript bugs that block Mozilla, for example, even though previously they'd officially and effectively supported Mozilla/Netscape for years. (Hell, I do work for financial firms in NYC that don't even allow their own people to browse with IE.)