Online Turbo Tax ease vs uneasy (paranoid)

[Zero]

I did not see a similar discussion but I would appreciate opinions on the relative safety of using Turbo Tax Online as a means of filing. I am a little uneasy about supplying tons of personal financial information to a server at Intuit and not knowing how that data is stored, secured and eventually destroyed.

By supplying my SSN, giving direct access to my brokerage, pension, and bank accounts, and other details, it seems like a database well worth hacking.

Anyone have similar reservations?

 

[Bestwifeever]

No.

 

[freebird5825]

Yes.
I always get the downloadable version for this very reason. dh2b is a telecomm guy and very savvy about computer security. His feeling about voluntarily supplying a full set of highly personal info online is a big
Who am I to argue with someone who w*rks in the business ?

 

[MichaelB]

Does TT store that info?

 

[ziggy29]

Yeah, I don't really trust the security of the "cloud" just yet. Maybe some day, but not now.

 

[Texas Proud]

Just curious.... I did not DO my return online, but since I was getting a big refund (which will be delivered in 8 to 10 days instead of many weeks if e-filed), I e-filed...

I was wondering if they keep THAT info for a long time....

 

[Bestwifeever]

So do you mail your forms in to the IRS or transmit it electronically? Is that information not already stored on a database there, and do you trust government security more than a for-profit enterprise that focuses solely on software and has everything to lose if it doesn't keep its security up to date?

I can see why people worry but is there a failsafe electronic storage place you would never worry about? Other than the iPad

 

[Rustward]

If you are paranoid then do not enter your data anywhere.

But . . . that won't keep your data off of servers. It is all over -- banks, brokerages, credit card companies, social security administration, your employer (if you have one or had one), your pension administrator, telephone company, credit bureaus, insurance company. . . I am dead sure that the IRS enters the data from paper forms into their systems. How else could they manage it?

But if it makes you feel better, then don't enter personal data anywhere that you don't have to.

 

[Zero]

Does TT store that info?

Yes, I watched a friend do his (he asked for my help with some decisions) and he had to put in everything online. TT then pulled in all his data from his bank, his brokerage and from his pension provider (State Street). Then TT comes back and let's you review all the data, and make changes, and when you are satisfied, it will charge you the fee ($56) and let you print and efile. But the whole time the date is in their data base, not yours. All the data is being churned on their computers.

Kinda freaked me out.

On a large server somewhere inside Intuit is a copy of that data. Because they allow you to come back and amend.

Rustward, I know lots of places have "some" portion of my details but none of the ones you mention know the totality. After a session on Turbo Tax they know, name,address, occupation, bank account # and details, brokerage account # and details, pension provider account # and details. I guess they are the ultimate big brother at that point.

 

[MichaelB]

I used the desktop version of TT and accessed my financial accounts online, but changed the passcode for each - before and after - 'cause I'm trusting, but not so much.

So do you mail your forms in to the IRS or transmit it electronically? Is that information not already stored on a database there, and do you trust government security more than a for-profit enterprise that focuses solely on software and has everything to lose if it doesn't keep its security up to date?

Good point.

 

[Rustward]

So do you mail your forms in to the IRS or transmit it electronically? Is that information not already stored on a database there, and do you trust government security more than a for-profit enterprise that focuses solely on software and has everything to lose if it doesn't keep its security up to date?

I can see why people worry but is there a failsafe electronic storage place you would never worry about? Other than the iPad

A lot (but certainly not all) of government data center operations are outsourced to service providers in the private sector.

Here's a quote from Wikipedia: "Perot Systems is a worldwide provider of information technology services and business solutions, serving the specific needs of its clients in healthcare, government, manufacturing, banking, insurance and other industries. [4]"

Edit to add: Just picked Perot as an example. Some others: ACS, CSC, EDS, just to name a few.

 

[Zero]

So do you mail your forms in to the IRS or transmit it electronically? Is that information not already stored on a database there, and do you trust government security more than a for-profit enterprise that focuses solely on software and has everything to lose if it doesn't keep its security up to date?

I can see why people worry but is there a failsafe electronic storage place you would never worry about? Other than the iPad

Well, unfortunately I am required to give the info to the IRS and NO, I do not trust them any more than Intuit. Not every employee of any company is honest and all it would take is one dishonest person with access to a backup DAT tape with all of the tax forms and he's got a very valuable item.

 

[Rustward]

Well, unfortunately I am required to give the info to the IRS and NO, I do not trust them any more than Intuit. Not every employee of any company is honest and all it would take is one dishonest person with access to a backup DAT tape with all of the tax forms and he's got a very valuable item.

DAT is not generally used at the enterprise level, and whatever they are using is encrypted. Lots of backups now are done with remote mirrors either asynchronously or synchronously, sometimes at multiple sites. The backups are much more current than shipping tapes to a vault on a truck. In the case of a synchronous mirror, the backup is 100% current. I have 34 years in Information Technology about 7 of which was with a disaster recovery vendor.

Fully agree that every employee is not honest and some of them are out to get us.

 

[Zero]

I used the desktop version of TT and accessed my financial accounts online, but changed the passcode for each - before and after - 'cause I'm trusting, but not so much.

Hmmmm, now you have me wondering. When you accessed your accounts online do you know if you went into your account (say Fidelity or Vanguard) directly?

Heck now I am paranoid. Somebody is out to get us. Just imagine, we give them:
1. Our CC number.
2. Our name, address, occupation.
3. Our account details and financial information.
4. Our password and account name.
5. Then "ACCESS" to extract info from the accounts.

And, AND, they store it because you can update the details from last year's return.

Hmmm, one paper copy return coming up. At least only that info is exposed.

 

[Zero]

...SNIP... I have 34 years in Information Technology about 7 of which was with a disaster recovery vendor.

Fully agree that every employee is not honest and some of them are out to get us.

Thanks, the encryption factor is a bit soothing but to recover data after a disaster did that require breaking the encryption?

Encrypted data is not much use unless someone knows the method (key) to decrypt. That's the guy who could get us.

 

[JBmadera]

used on TT online for 3-4 years and I've never had an issue. Actually I figure that their security is tighter than my PC's security so in a sense I feel safer with my data in the cloud ( I print a copy for my files).

cheers,

jb

 

[Rustward]

It is impractical to break an encryption technique. Notice I said impractical, not impossible. Kinda hard to prove that an encryption cannot be broken -- proving a negative. What is impractical today may be practical at some point in the future.

Not an encryption expert here, but seems like most use shared keys. I believe it is a best practice that no one person has access to the entire key; so it takes collaboration to put the keys together. I guess you can go further. For example, if I have been entrusted with a key which may or may not be a partial key. The key itself may have been encrypted before it was given to me. So now I have what is only likely a partial key, and it has been encrypted, so it will need to be decrypted before it can be used. Once it has been decrypted I would also need to know where it fits in the key string. There are key management hardware devices that manage most keys used in an organization. However separate keys are required to extract keys from a key management device, and those keys need to be highly secured. These devices are tamper-resistant and self destruct (render themselves unusable) if physically tampered with.

Whole careers have been built on this. I just know a little on the edges.

 

[Zero]

used on TT online for 3-4 years and I've never had an issue. Actually I figure that their security is tighter than my PC's security so in a sense I feel safer with my data in the cloud ( I print a copy for my files).

cheers,

jb

jb, I have used it since about 1999 but always as a CD, doing the work in my own computer, and printing to file. Last year, I did "efile". But this year, the TT site invites you to do it FREE and then if you want to print or efile it, you pay with a CC.

So the question is, say you pass all that information over, including the CC number to buy it, does that data ever go away out of Intuit's computer? Or better yet, who all gets access to it? That's my worry. I can crush my own HD when I ditch my laptop but I can't crush Intuits.

 

[JBmadera]

jb, I have used it since about 1999 but always as a CD, doing the work in my own computer, and printing to file. Last year, I did "efile". But this year, the TT site invites you to do it FREE and then if you want to print or efile it, you pay with a CC.

So the question is, say you pass all that information over, including the CC number to buy it, does that data ever go away out of Intuit's computer? Or better yet, who all gets access to it? That's my worry. I can crush my own HD when I ditch my laptop but I can't crush Intuits.

that's how i did it this year, other than paying after i used the product it didn't appear any different than if i had paid up front and then used online TT to prepare and file my taxes. so far i cannot see that they've sold my "info" to any telemarketers, etc. maybe i'm a bit naive, but i really felt like the process was secure from start to finish, just my 2 cents...

 

[freebird5825]

These posts are excellent contributions from what I can tell are knowledgable IT folks. This is not my area of technical knowledge, but I have been close enough to cybersecurity to be able to follow along.
Thanks for the info

It is not a question of paranoia...it is more a question of voluntarily submitting a COMPLETE set of personal data to one repository. Hackers are very sophisticated, no doubt about it. They have broken into some of the best protected private sector and govt systems, and will continue to do so.

But just because someone is "holding a gun" doesn't mean I have to "hand them the bullets".

 

[Zero]

Thanks for the great replies, and agreeing with Freebird, lots of knowledge passed on from IT folks and users of TT.

A hacker has to be out there right now working on this because it was the first thing I thought of when I saw how they were doing it. Even if a hacker were just monitoring my inputs from hacking me, it's enough to make me wonder.

Probably 99.99966% safe. But I'm usually the loser getting the 0.00034% kick in the groin.

Appreciate the opinions.

 

[Gotadimple]

Unless one is only willing to submit their tax forms in paper format, you are using someone's database to submit your taxes. The only exception is actually filing while on the IRS web site.

That is, even when you prepare on your computer and do e-file, there is a vendor who is actually doing the submitting for you. I'm pretty sure the IRS doesn't allow just anyone to dump 'data' in their repository and that there are both technical and security details that need to be met before they gain access.

About the vendor mining your personal information:. I imagine that it's prohibited.

Rita

 

[Rustward]

Took a look at the Tax Act privacy policy: TaxACT Privacy Policy Statement
...
All information you enter while using TaxACT is used strictly by 2nd Story Software, Inc. to provide the services requested by our customers. We maintain physical, electronic, and procedural safeguards that comply with applicable law and federal standards. All data is stored on 2nd Story Software servers and is backed up to prevent the loss of data. Electronically filed returns, which are further encrypted, are sent directly from 2nd Story Software to the IRS via a secure connection. ...

I imagine these tax software companies have to go through a qualification process and audit as defined by the IRS before they are allowed to submit returns.

 

[donheff]

I have been using TT and TaxAct to track filings this year in anticipation of using them next year or the following year when our tax situation will be simpler than it is today. I enter everything by hand but have been curious about the ability to download information. I just assumed you had to enable your financial servicing organization to release the info with some sort of restricted access. The software isn't using full access usernames and passwords are they? As to the security of encrypted systems, they are as secure as the users. Encrypted DBs will prevent a hacker who somehow access a copy of the data from opening it. But private keys, tokens, etc can be compromised if users don't protect them or, as was pointed out above, if users are malicious.

 

[Walt34]

Yes.
I always get the downloadable version for this very reason. dh2b is a telecomm guy and very savvy about computer security. His feeling about voluntarily supplying a full set of highly personal info online is a big
Who am I to argue with someone who w*rks in the business ?

Agreed. I did computer forensics for a long time and part of that job entailed breaking passwords and encryption. It is difficult, but not impossible, to break any encryption now known and it will get easier with faster processors and distributed attacks. It boils down to factoring large prime numbers, giving each computer a "piece of the pie" to munch on, similar to the concept behind the SETI screensaver project. And it depends on how many resources you want to throw at it.

In the words of one of the early guys doing that work in the late '80's "The only way to make a computer absolutely secure is turn it off."

An interesting read is The Code Book by Simon Singh, about the history of cryptography.