Web Based Turbo Tax Disclosure Vulnerability Found

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other user's tax return information. Reports state that things like bank routing information was available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

Penalty for the developers

[davidmillions.com]

Companies should be penalized for something so severe to let them know that they need to do a better job in the future.

Re:Exaggerated synopsis

[HomelessInLaJolla]

Nothing is ensured, though. If one random user can happen to stumble across a flaw then there are probably ten or twenty other flaws which can be found by more detailed analysis of the code.

The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC.

Wearing Jackets with Bull's Eyes

[bill_mcgonigle]

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing an high-tech organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Re:Exaggerated synopsis

[LighterShadeOfBlack]

If this was actually in the wild, or exploited, that'll be big

How do you know it wasn't? This isn't the kind of thing where if it's being exploited people would know it. If the wrong person discovered this first then obviously they wouldn't be running around telling people that they'd found a security hole which they were currently exploiting for their own personal profit.

Re:Wearing Jackets with Bull's Eyes

[Jose]

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing an high-tech organized-crime-sponsored identity thief can imagine

yep, that's a pretty juicy target...a more juicy target would be the IRS's DB, which must be at least somewhat available online (think e-filing). Even if you don't e-file, your data is going to end up in a DB at some point, so don't feel too safe.

Re:Until...

[maxume]

You have to balance a punishment like that against encouraging disclosure. Personally, if my data is lost, I'd rather be sure I hear about it than have the government make a buck.

I'll never go near turbo tax again.

[Darth_brooks]

I overpay my taxes every year. It's a few extra bucks out of my check that I don't notice, and I get a nice refund from the government. Yeah, I know I lose money on the deal based on inflation, since the money I let the feds hold doesn't earn interest. But it works out to a couple dollars a year at most based on what I'm paying, and getting the extra check works out well for me at the beginning of the year.

So two years ago I was filing with turbo tax. I'd been using it for a couple years with no problems. My taxes are simple; no house, no kids, no tax shelter investments. Just a handful of numbers on a W2, to the point where I could just as easily fill out the forms by hand, but I liked the convenience. Now, I overpay by ten bucks every week. 40 bucks a month * 12 months = $480 per year that I should get back (based on my tax bracket at the time) no matter what. My average refund was usually a couple hundred over that, and had been for the years prior. I've cut the feds a check exactly once since I started working 12 years ago.

So what did I get when I used turbo tax that year? They had me paying an additional 280 bucks! I went over that return with a fine tooth comb. All my numbers were right, every box was checked, every i was dotted and t was crossed on my end, and the software was up to date, but Turbo Tax said I owed the feds money. I broke out the disaster recovery computer (also known as a pen & paper), and did my taxes by hand and by the book. Result? My usual refund of around 700 bucks. On a lark I tried Taxcut. Same result, $700-ish refund.

Tax software (at my level anyway) should be no more complicated than a freaking spreadsheet. If they can't get that right for me, I shudder to think what kind of screw ups they've had for people who have real returns to file. At least I got a good lesson in double checking someone else's math.

Re:Exaggerated synopsis

[uofitorn]

If this was actually in the wild

Well, it was in the wild. It was on their production website, accessible to the public. Any number of less well intentioned individuals could have taken advantage of the flaw before it was actually reported to Turbo Tax.

If it was in beta or development code, and the flaw was found internally, then it would be as you say.

Re:Wearing Jackets with Bull's Eyes

[ceejayoz]

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Huh? You do realise that in the governmental mind "costs more to process" translates to "collect more taxes to cover it", not "maybe we should abolish income tax", right?

Re:I'll never go near turbo tax again.

[ptbarnett]

You probably made a data entry error in TurboTax -- not necessarily entering the wrong amount, but clicking the "yes" button when you should have clicked "no" (or vice versa).

Based on the difference in taxes ($280 owed vs. $700 refund = net $980) and presuming a 28% marginal tax rate, the difference in taxable income was $980 / 0.28 = 3,500).

The personal exemption was $3,100 for tax year 2004. All you had to do was enter the personal exemption incorrectly (as in accidentally tell it you could were being claimed as a deduction on someone else's return), and you would have gotten the results you observed.

If your taxes were that simple, just looking at the generated 1040 (or 1040A) would have revealed whatever error (yours or theirs) that was occuring. So, I'm skeptical of your claim.

Re:Wearing Jackets with Bull's Eyes

[Red Flayer]

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Ah, yes, the old we-don't-like-government-waste-so-we'll-add-some-m ore-voluntarily.

The security concerns about e-filing are real (which is why I don't do it either). But is it really likely that the government will stop collecting taxes just because it's more expensive than not collecting taxes? No -- the collection cost will just continue to be passed on to us.

Re:Penalty for the developers

[Propaganda13]

I haven't used an Intuit program since they installed the C-Dilla malware with Turbo Tax. That was a greater breach of trust than this slip-up. There's a good chance that any company will have a problem sooner or later. It's the frequency of the problems, how they handle the problems, and their overall view of their customers that matters.
Two companies that I won't buy from
Intuit - adding malware to tax software - I'd be annoyed if a game did this, but having financial software do this crosses the line.
Iomega - defective hardware is bad enough, but settling a lawsuit with rebates to buy more hardware from you - you've got to be kidding.

My 2 cents

[Jsox]

I actually work for Turbotax in the Technical Support Division. Actually to be specific I work for another company and they outsource their support through us. They do the same for many other offices through different companies, including outsourced Sales people in India, and an office in the Phillipines. Most chat agents are from India.

I've been using Turbotax over the past 5 months for roughly 600 hours and there's a few things I can say about the program. First and foremost, it's very rarely wrong. I've taken 2057 calls (On 2058 right now) and in all these I have seen 1 calculation error, and it was a number getting transferred between Federal and State incorrectly. Most calls fall into the following categories: Password resets, how-do-I-enter, where-is-this-number-coming-from, and Installation. We also get run of the mill save errors, questions about how to transfer information, and so on. Calls that are prefaced with "Your program is doing this wrong..." always make me roll my eyes, because as far as calculations go, the program is almost exclusively correct, and alleged calculation errors are actually a result of someone entering it in wrong. And its just a piece of software, really just a big calculator, and it's only as smart as the data that gets put into it. That being said, while it is wonderful in performing calculations correctly, it is very quirky when it comes to navigation and sometimes outright bizzare.

For example, once you've gone through the State portion, revisiting it at any point takes you straight to the end, without allowing you to review the information. If you want to change something, you need to get to a very specific page and click "Topic List", then "What's new for 2006. If you click on the topic named "State Interview", it completely skips to the end of the State Interview. Makes a lot of sense, eh? Also, checking certain boxes will generate certain forms or worksheets that will not be deleted if you go back and uncheck them, which causes the Error Check feature to freak out and tell you that you have 9000 errors because the form is blank. Also, due to the way Turbotax calls on some functions (namely XML) if it doesnt like your XML configuration, it will randomly give you errors and there's essentially no way you'll be able to use the Desktop version without reinstalling your OS or IE.

Online is more of the same, but with even more lovable "features". If you check one of those boxes that I mentioned above, and it generates a form, if it's in the state interview, there's no way to delete it; it's stuck there forever. You can delete the entire state and start again, or we can import the data into the Desktop version to remove it. Also, some pages simply refuse to load in either Firefox and IE. Short of ripping and fully reinstalling windows or drastically modifying internet settings (something most of the agents wouldn't even know how to do) the only option is to switch browsers. Simple fix, but it shouldn't be necessary.

This all being said, the bottom line is that Turbotax calculates things wonderfully but is lacking in most other areas. When this story 'broke', all of us agents were told basically to keep our mouths shut and if any customer had any questions beyond us telling them that we were fixing the issue, to foreward their request to the Corporate Office.

I've seen customers do some very retarded things, both in trying to access their account and enter or manipulate data. Is it possible that this was a one-time isolated incident? If someone was able to stumble on this information on accident, how hard would it be to do deliberately? The page with Vault access has been up for almost 5 months and this was only recently discovered, has it been abused before? I don't know the answers to these questions, but I don't get a fuzzy feeling thinking about them. People should know if their data was possibly compromised, but I don't blame them for trying to keep it quiet. In this day and age of information security and data protect

Re:Penalty for the developers

[j1m+5n0w]

According to capitalist theory, good companies with solid products should be preferred by consumers and dominate the market.

The trouble with the theory is that consumers are, in most cases, unable to evaluate whether the companies that make the products they use employ good security practices (and will continue to do so in the future). See information asymmetry [wikipedia.org].