{"id":124,"date":"2008-02-10T17:08:23","date_gmt":"2008-02-11T01:08:23","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/02\/10\/the-online-tax-system-is-safe-to-use-well-if-the-government-thinks-that-you%e2%80%99re-unimportant-that-is\/"},"modified":"2008-02-10T17:08:23","modified_gmt":"2008-02-11T01:08:23","slug":"the-online-tax-system-is-safe-to-use-well-if-the-government-thinks-that-you%e2%80%99re-unimportant-that-is","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/10\/the-online-tax-system-is-safe-to-use-well-if-the-government-thinks-that-you%e2%80%99re-unimportant-that-is\/","title":{"rendered":"The online tax system  is safe to use.  Well, if the government thinks that you\u2019re unimportant, that is."},"content":{"rendered":"<p>Yesterday I was looking through Schneier\u2019s blog and found a link to an interesting article about the UK and online taxes <a href=\"http:\/\/www.telegraph.co.uk\/news\/main.jhtml?xml=\/news\/2008\/01\/26\/ntax126.xml\">(Article)<\/a>.  According to the article in the UK, \u201cThousands of \u2018high profile\u2019 people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.\u201d  This revelation has upset many as reportedly more than three million people use the online computer system to file tax returns.  Those barred from using the online system have to submit hard copy forms.  The following question has been raised.  If the system is not safe for \u201cimportant\u201d people, why does the government still use the system?  
Has the government created a class of people that gets preferential treatment?<br \/>\n<!--more--><\/p>\n<p>So for my security review, I am going to take a look at the online tax system in the US.<\/p>\n<p><strong>Assets<\/strong><\/p>\n<ul>\n<li>Confidentiality of wages (potential employers may find this information useful)<\/li>\n<li>Personal information such as social security number and expenses<\/li>\n<li>Bank account and investing information<\/li>\n<li>IRS reputation or the reputation of online tax companies with regard to safety<\/li>\n<\/ul>\n<p><strong>Potential Adversaries<\/strong><\/p>\n<ul>\n<li>Someone desiring to commit fraud<\/li>\n<li>Foreign governments<\/li>\n<li>Personal enemies or potential employers<\/li>\n<li>The online tax companies or their employees (against the customers or the customers of another company)<\/li>\n<\/ul>\n<p><strong>Potential Weaknesses<\/strong><\/p>\n<ul>\n<li>For online taxes to work, information must be stored in two different locations.  First: servers owned by the online tax company that helps you with the taxes, since they allow for saving forms before submitting.  Second: servers owned by the IRS that receives data from the online tax companies.  This gives an adversary two different locations to attack.  The online tax companies\u2019 databases are both writable and readable, since saved information can be retrieved at a later time for completion.  This means that in addition to insiders within the company, outsiders may be able to retrieve information about others\u2019 taxes.  The IRS database may be write-only from the outside.  
However, if read capabilities are allowed for online tax companies, then employees at an online tax company may be able to gather information on any person they desire by claiming that the victim is a current client.<\/li>\n<li>Several sites recommended by the IRS website do not use https for logons.<\/li>\n<li>One site recommended by the IRS website does not use https for new user registration where username, password, name, email, phone number, zip code, and even social security number were to be entered by the user.<\/li>\n<\/ul>\n<p><strong>Potential Defenses<\/strong><\/p>\n<ul>\n<li>Always use https for all pages where any personal information is gathered.<\/li>\n<li>Only allow online tax companies to push information to the IRS database and not pull information.<\/li>\n<li>Force all online tax companies\u2019 websites to pass a security check.  Also, logging and submitting to the IRS how information is used by a company and what information is accessed by employees may provide enough incentive to protect data adequately.<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><br \/>\nThe tax information contains a wealth of information for the unscrupulous.  The damage done to consumers could be tremendous.  I would imagine that the IRS database would provide a harder target to access than the online tax companies for outsiders and the retribution much harsher, so the threat may be greater against the companies.  Also the limited use of https by some companies leads me to believe that this may be the first angle of attack by an outsider.  (The website that didn\u2019t use https for new user information also appeared to give too much information about the internal structure when random URLs were used.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday I was looking through Schneier\u2019s blog and found a link to an interesting article about the UK and online taxes (Article). 
According to the article in the UK, \u201cThousands of \u2018high profile\u2019 people have been secretly barred from using &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/10\/the-online-tax-system-is-safe-to-use-well-if-the-government-thinks-that-you%e2%80%99re-unimportant-that-is\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":36,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[80],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-security-reviews","tag-taxes"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}