The online tax system is safe to use. Well, if the government thinks that you’re unimportant, that is.

By davidjsh at 5:08 pm on February 10, 2008

Yesterday I was looking through Schneier’s blog and found a link to an interesting article about the UK and online taxes. According to the article, in the UK, “Thousands of ‘high profile’ people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.” This revelation has upset many, as reportedly more than three million people use the online computer system to file tax returns. Those barred from using the online system have to submit hard copy forms. The following questions have been raised: If the system is not safe for “important” people, why does the government still use the system? Has the government created a class of people that gets preferential treatment?

So for my security review, I am going to take a look at the online tax system in the US.

Assets

  • Confidentiality of wages (potential employers may find this information useful)
  • Personal information such as social security number and expenses
  • Bank account and investing information
  • The reputation of the IRS or of the online tax companies with regard to safety

Potential Adversaries

  • Someone desiring to commit fraud
  • Foreign governments
  • Personal enemies or potential employers
  • The online tax companies or their employees (against the customers or the customers of another company)

Potential Weaknesses

  • For online taxes to work, information must be stored in two different locations. First: servers owned by the online tax company that helps you with the taxes, since they allow for saving forms before submitting. Second: servers owned by the IRS, which receives data from the online tax companies. This gives an adversary two different locations to attack. The online tax companies’ databases allow both reads and writes, since saved information can be retrieved at a later time for completion. This means that in addition to insiders within the company, outsiders may be able to retrieve information about others’ taxes. The IRS database may be write-only from the outside. However, if read capabilities are allowed for online tax companies, then employees at an online tax company may be able to gather information on any person they desire by claiming that the victim is a current client.
  • Several sites recommended by the IRS website do not use https for logons.
  • One site recommended by the IRS website does not use https for new user registration where username, password, name, email, phone number, zip code, and even social security number were to be entered by the user.

Potential Defenses

  • Always use https for all pages where any personal information is gathered.
  • Only allow online tax companies to push information to the IRS database and not pull information.
  • Force all online tax companies’ websites to pass a security check. Also, requiring each company to log how information is used and what information its employees access, and to submit those logs to the IRS, may provide enough incentive to protect data adequately.
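
One way to check the first defense automatically, as an added example that is not part of the original post: parse a page's forms and flag any that collect sensitive fields while either the page or the form's submit target is plain http. The host `tax.example`, the field-name fragments, and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed name fragments for the fields the review lists (password, SSN, phone, ...).
SENSITIVE = ("pass", "ssn", "social", "phone", "email", "zip", "user")

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action URL and sensitive inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            label = f"{a.get('name') or ''} {a.get('type') or ''}".lower()
            if any(key in label for key in SENSITIVE):
                self._form["fields"].append(a.get("name") or a.get("type"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def insecure_forms(page_url, html):
    """Return (action, fields, reason) for sensitive forms lacking HTTPS end to end."""
    audit = FormAudit(page_url)
    audit.feed(html)
    page_ok = urlparse(page_url).scheme == "https"
    findings = []
    for form in audit.forms:
        action_ok = urlparse(form["action"]).scheme == "https"
        if form["fields"] and not (page_ok and action_ok):
            # An http page can be altered in transit even if its form posts to https.
            reason = "page served over http" if not page_ok else "form posts to http"
            findings.append((form["action"], form["fields"], reason))
    return findings

# Constructed sample pages on a placeholder host; not taken from any real site.
REGISTER = '<form action="/signup" method="post"><input name="username"><input type="password" name="pw"><input name="ssn"></form>'
LOGIN = '<form action="http://tax.example/login"><input type="password" name="pw"></form><form action="/search"><input name="q"></form>'

if __name__ == "__main__":
    print(insecure_forms("http://tax.example/register", REGISTER))
    print(insecure_forms("https://tax.example/", LOGIN))
```
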

Conclusion
The tax information contains a wealth of information for the unscrupulous. The damage done to consumers could be tremendous. I would imagine that the IRS database would provide a harder target to access than the online tax companies for outsiders, and the retribution much harsher, so the threat may be greater against the companies. Also, the limited use of https by some companies leads me to believe that this may be the first angle of attack by an outsider. (The website that didn’t use https for new user information also appeared to give too much information about the internal structure when random URLs were used.)

Filed under: Security Reviews

1 Comment

  • 1
    Comment by Mark Forbes

    February 19, 2008 @ 9:52 am

    If you would like to use anyone else for your study feel free to let me know.

    At eFile we use https & protect our site with entrust 🙂
