Turbo Tax Security Question

BBQ-Nut

So, I'm using Turbo Tax for doing a 'mock' joint return to see if I can match what our CPA comes up with for this year, with my plan of going it alone for 2015 if I can match or beat the CPA's results.

My DW has a lot of after tax brokerage accounts using Sharebuilder.

It sure would be easy if I could get her to log into her brokerage account and let Turbo Tax suck in the tax data, but she is reluctant to do this.

Does anyone know if the login info and password for these downloads while in Turbo Tax are session based/temporary and not retained by Turbo Tax so that I can allay the concerns (valid ones I admit) of my DW?

Thanks!
 
> Does anyone know if the login info and password for these downloads while in Turbo Tax are session based/temporary and not retained by Turbo Tax so that I can allay the concerns (valid ones I admit) of my DW?
>
> Thanks!

I don't know about that part, but I do know Turbotax online anyway has a MASSIVE security hole that I did inform them about and they were very responsive (I'm sure it's been fixed, but if they were that lax about security, where else are they as well you wonder)?

In my case somebody had filed a fake return on Turbotax using my SSN and name/address. Later I happened to decide to use Turbotax for the first time and went to create an account. It said I already had one with that SSN, so I said I forgot my user name, password, as well as email. It let me in anyway. Right there was the fraudulent return the person had filed.

Well, what if I was the bad guy? Anybody knowing your SSN, name and address could get on and get your tax information, at least the way they had it running until I told them. They stored it all online.

That doesn't answer your question exactly, but just shows how little attention was paid to security. I don't trust this whole "cloud" thing.
 
I think many of us assumed TT was secure until this year. The jury may be out now, and evidently Congress thinks so too as noted in other threads.
 
> Does anyone know if the login info and password for these downloads while in Turbo Tax are session based/temporary and not retained by Turbo Tax so that I can allay the concerns (valid ones I admit) of my DW?
>
> Thanks!

One thing she can try is to change her password, then use TT to log in and download the transactions, then change the password again to the previous one.
 
> I think many of us assumed TT was secure until this year. The jury may be out now, and evidently Congress thinks so too as noted in other threads.

Yeah - even I now have doubts on its security posture.

> One thing she can try is to change her password, then use TT to log in and download the transactions, then change the password again to the previous one.

I thought of that too - still got the raised eyebrow of resistance. :blush:

I may just have to bang in the info one holding at a time....well - in theory I have ample 'spare time' now in FIRE, right? :facepalm:
 
Unfortunately, many of us have seen our personal information, credit cards, etc. compromised not by our own foolishness but by the big corporations to whom we have entrusted our information. Thus, it pays to keep one's passwords and other information to ourselves. It's a shame.
 
> Unfortunately, many of us have seen our personal information, credit cards, etc. compromised not by our own foolishness but by the big corporations to whom we have entrusted our information. Thus, it pays to keep one's passwords and other information to ourselves. It's a shame.

Agreed.

Just came across this news link about Lenovo computers and purposely installed malware
BBC News - Lenovo taken to task over 'malicious' adware

Self-signed certs that can intercept what were thought to be secure sessions....

I think this is one of my biggest fears of using e-transactions....one day I will log into my retirement account and find a zero balance, cuz I was 'hacked' :nonono:
 
> Agreed.
>
> Just came across this news link about Lenovo computers and purposely installed malware
> BBC News - Lenovo taken to task over 'malicious' adware
>
> Self-signed certs that can intercept what were thought to be secure sessions....

And these corporations will then complain about 'more government regulation, more bureaucracy, etc.' What do they expect? A pat on the back?

http://blog.chron.com/techblog/2015...nicle/techblogfulltext+(TechBlog+-+Full+Text)

as security researchers have discovered, Superfish does this by creating its own security certificates that replace those of legitimate sites with encrypted connections.
 
If you own a recent Lenovo computer you can spend all your free time doing this, you lucky devil!

Forbes has instructions for how to find out if you have the Superfish certificate on your Lenovo system:
To find out if you’re affected, locate Windows’ list of trusted certificates by opening up the Control Panel and searching for “certificates”. This will bring up Administrative Tools and a “manage computer certificates” option. Click on the “Trusted Root Certification Authorities” option and then “Certificates”. This will bring up a list of certificates. If you see one with Superfish Inc attached to it, you may be vulnerable.
You can uninstall Superfish, but to be sure you’re safe, security experts advise wiping the drive and installing a clean version of Windows.
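
The same check as the Control Panel steps quoted above, scripted in PowerShell. This is an added example, not part of the original post or the Forbes instructions; the list of stores and the match on the name "Superfish" are assumptions based on what the quoted steps say to look for.

```powershell
# Added example: look for a Superfish-named certificate in the Windows
# trusted-root stores instead of clicking through the certificate manager.
# Assumption: the certificate carries "Superfish" in its Subject or Issuer,
# as the quoted instructions describe ("Superfish Inc").
$pattern = 'Superfish'

# Machine-wide and per-user root stores (store list is an assumption;
# the quoted steps only mention "Trusted Root Certification Authorities").
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\AuthRoot'
)

$hits = foreach ($store in $stores) {
    if (-not (Test-Path -Path $store)) { continue }   # store absent on this system
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
}

if ($hits) {
    # Show every match with the store it was found in.
    $hits | Format-List
    Write-Warning "Found $(@($hits).Count) certificate(s) naming '$pattern' in a trusted-root store."
} else {
    Write-Output "No certificate naming '$pattern' found in the checked stores."
}
```

This only reads the Windows certificate stores; a browser that keeps its own trust store, such as Firefox, has to be checked separately.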
 
Actually installing from scratch would make sense but MS made it far more difficult since Windows XP when you got the MS CD as part of the computer. Now you have to buy the OS at around $130 to $150. Having done a good number of reinstalls on XP it just takes time, but is not terribly hard. (Have not tried it on Windows 8/8.1). I wish MS would provide a way to buy a CD for $20 that only uses the Windows activation code on the computer BIOS. I would then wipe and get a nice clean system.
 
Years ago - early 2000s I think - Fidelity contacted us because there had been some kind of security breach with downloading tax information from Turbotax. And they made us change our passwords. I think maybe the passwords had been sent over an insecure link or something. But we never got that kind of notice again, so I figured it had been fixed.

Since we don't use online Turbotax to do our tax return, I didn't worry about them having the tax return information. That was one reason we do NOT do our taxes online.

And I don't know if they can actually get a look at your tax return when you are eFiling. I have assumed they don't, but now I'm not so comfortable.

I can't answer for the download Fidelity info into the program security anymore. We've done that every year. Maybe we should change our passwords every year after using Turbotax?

It sounds like they've been way more stupid and careless than I imagined. They are just sitting ducks for the very clever hackers out there. Just like Anthem was a sitting duck.

We'll be following this stuff much more carefully now. I am really upset by the Anthem breach even though (knock on wood!!!) I don't think we've been victims.
 
> We'll be following this stuff much more carefully now. I am really upset by the Anthem breach even though (knock on wood!!!) I don't think we've been victims.

You have every right to be upset. The criminals got just about everything they needed to engage in identity theft. Not so good.
 
Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings. The Rise in State Tax Refund Fraud - Krebs on Security

It looks like the IRS at least has managed to reduce fraudulent filing at the Federal level, and the huge rise in state fraud is because that was the next target for cybercriminals!

In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier, when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.

Intuit has shut down filing of "unlinked" state returns:
However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.
From a comment after the article - apparently Turbotax was the only company allowing filing of unlinked state-only returns this year, which is why it looked like all the fraud was coming from them.

The current wave of fraud - account takeovers:
But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: The tendency for people to re-use passwords across multiple sites. This technique works because a fair percentage of users re-use passwords at multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.

We don't use the online system, so we don't log into any account as far as we know. Updates don't require an account. We just have what we used to purchase software occasionally, and that doesn't have SS# or bank #s or whatever.

So it's confusing when they say things like:
Intuit is encouraging all previous and current TurboTax customers to log into their accounts to see if there has been a return fraudulently filed. The company also is encouraging users to verify their bank account information and be sure that hasn’t been changed, as well as any other contact information associated with the account. Customers who detect errant changes can call TurboTax customer service at 800-944-8596. The company says it’s also offering free credit monitoring service for customers that have had account compromises.

Why do they say "all" customers. Not all customers do their taxes online and so shouldn't have this information in the Turbotax system. The lack of specifics in their language is very confusing.
 
> ...
> Anybody knowing your SSN, name and address could get on and get your tax information, at least the way they had it running until I told them. They stored it all online. ..

With the IRS it is worse than that. All someone needs is your SSN and DOB.

"The IRS estimates that it sent out nearly three million fraudulent refunds to con artists last year. And according to a new report from the Government Accountability Office out tomorrow, it cost tax payers $5.2 billion."

"For this fraud all you need is a laptop, someone's social security number, date of birth, not even their name."

"You would think that the IRS computers would notice that they were sending thousands of checks to a handful of addresses. But they didn't. And you might expect that the IRS would match taxpayer returns with legitimate W-2 forms filed by employers. It doesn't do that either because the law requires refund checks to be sent out within six weeks and employer W-2s are often not available until months later."

Biggest IRS scam around: Identity tax refund fraud - CBS News
 
> Actually installing from scratch would make sense but MS made it far more difficult since Windows XP when you got the MS CD as part of the computer. Now you have to buy the OS at around $130 to $150. Having done a good number of reinstalls on XP it just takes time, but is not terribly hard. (Have not tried it on Windows 8/8.1). I wish MS would provide a way to buy a CD for $20 that only uses the Windows activation code on the computer BIOS. I would then wipe and get a nice clean system.

Microsoft allows you to download the Windows images so you can reinstall using the activation code that you already have.

How to download Windows 7 and 8.1 setup media legally
 
> Microsoft allows you to download the Windows images so you can reinstall using the activation code that you already have.
>
> How to download Windows 7 and 8.1 setup media legally

Interestingly for $99 Microsoft will now take your computer and do a clean install on it of Windows 8.1, no vendor bloatware. (Often the vendor apps just duplicate the features in Windows itself). For example on Dell there is the MS way of getting a recovery USB stick and doing a system backup and a distinct Dell Backup solution (because they can sell a full featured version as well). Another item is you can buy Windows 8.1 Pro and do without the Cyberlink media suite (the Pro version includes media player which does do DVDs).
 