BugTraq
RE: response to tax software not encrypting tax info Mar 14 2003 08:47PM
Ken Williams esecurityonline com
Hi,

I have read both of the original advisories, and all of the replies
on this subject, and nobody yet has properly assessed AND
emphasized the actual risk associated with this tax software.

Lots of software programs do not encrypt sensitive data, but what
makes this tax software different, and what increases the
associated risk *substantially*, is that so much of your sensitive
personal and financial information is contained, unencrypted, IN
ONE PLACE. Your full name, address, date of birth, phone number,
social security number, bank account numbers, employment
information, income information, credit card numbers (if making tax
payment with CC), stocks, bonds, other investments, business
information, etc - ALL IN ONE PLACE. If you are married filing
jointly, or have children or dependants on your tax return, then
the personal and financial info for even more people is exposed.
All of the information is guaranteed to be current and correct too.
This is a gold mine for identity thieves. Identity theft is one of
the fastest growing crimes in the US right now too.

Reference: http://www.consumer.gov/idtheft/

Vendors of tax software should not allow users to leave all of this
data in one place unencrypted; the risk is too great.

Note also that other tax software programs not mentioned in the
original advisories are also vulnerable to this issue (thanks for
noting those issues, kjk). I'm not at liberty to discuss those
other tax software packages though.

Regards,

ken

Ken Williams ; CISSP
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams (at) ey (dot) com ; www.esecurityonline.com ; 1-877-eSecurity
