Security Review: Online Taxes

By couvb at 9:51 pm on March 13, 2009

For the last couple of years, I have done my taxes online.  Compared to doing them by hand on paper, the online method takes far less time to fill out.  However, it also brings with it the host of security risks associated with entering sensitive data over the internet.  To successfully file your tax return, the online system must take your social security number, as well as all your personal and financial information.

Assets / Security Goals

One clear asset that needs to be protected is the user’s sensitive personal information.  If an attacker can read this data, they can effectively steal the user’s identity.

Another desirable security goal is that accurate information must go to the government.  Sending inaccurate information could lead either to the user owing more money than they should, or to the IRS auditing the user.

Adversaries / Threats

One threat could come from someone sitting between the company building your tax return and the IRS.  Someone in this position might be able to intercept and modify the return when it is transmitted to the IRS.

Another threat could be from a disgruntled employee at the company building your tax return.  To make their services as easy to use as they are, these companies must store all the information you enter each year so that you don’t have to re-enter your personal information again the next year.  A disgruntled employee might be able to steal this data and sell it to the highest bidder.

Weaknesses

One possible weakness could be cross-site scripting vulnerabilities.  These are often caused by easy-to-miss bugs, and their consequence could be as serious as having all of the user’s sensitive data stolen.

Another weakness comes from the combination of sensitive data being stored for an extended period of time (1+ years) and the user using their account very infrequently (likely only once per year).  This gives both inside and outside attackers plenty of time to launch quite extensive attacks, which the user will likely know nothing of for a very long time.

Defenses

The main key to defending against cross-site scripting vulnerabilities is to check that everything going into and out of the server-side script is validated or sanitized.  This includes not charging blindly on when a submitted value turns out to be invalid.
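To make the two halves of that advice concrete, here is an added example (not code from the original post) of a minimal form handler: the "unsafe" renderer shows the bug, the safe one escapes every user-controlled string for its HTML context, and the handler validates each field and refuses to continue on the first invalid value instead of charging on. The field names, the SSN format check and the sample form values are constructed for the example.

```python
import html
import re
from decimal import Decimal, InvalidOperation

# Constructed format check for the example; real SSN rules are stricter.
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


class InvalidField(ValueError):
    """Raised when a submitted value fails validation; processing stops here."""


def validate_ssn(value: str) -> str:
    """Allow-list validation on the way in: anything else is rejected."""
    if not SSN_RE.fullmatch(value):
        raise InvalidField("ssn must look like NNN-NN-NNNN")
    return value


def validate_amount(value: str) -> Decimal:
    """Parse a dollar figure; reject non-numbers, NaN/Infinity, negatives
    and sub-cent precision rather than silently carrying them forward."""
    try:
        amount = Decimal(value)
    except InvalidOperation:
        raise InvalidField("amount is not a number") from None
    if not amount.is_finite() or amount < 0 or amount.as_tuple().exponent < -2:
        raise InvalidField("amount must be a non-negative dollar figure")
    return amount


def render_summary_unsafe(name: str, amount: str) -> str:
    # The bug: user-controlled text is interpolated straight into HTML,
    # so a name containing markup becomes part of the page.
    return f"<p>Return for {name}: ${amount}</p>"


def render_summary(name: str, amount: Decimal) -> str:
    # Output encoding: every user-controlled string is escaped for the
    # HTML text context it lands in, and the amount is a validated Decimal.
    return f"<p>Return for {html.escape(name)}: ${amount:.2f}</p>"


def handle_submission(form: dict) -> str:
    """Validate every field first; on any failure return an error page
    instead of continuing with whatever was submitted."""
    try:
        ssn = validate_ssn(form.get("ssn", ""))
        amount = validate_amount(form.get("wages", ""))
    except InvalidField as exc:
        return f"<p class='error'>{html.escape(str(exc))}</p>"
    # Only the last four digits of the SSN are ever echoed back to the browser.
    return (render_summary(form.get("name", ""), amount)
            + f"<p>SSN on file: ***-**-{ssn[-4:]}</p>")


if __name__ == "__main__":
    # Constructed sample submission, not real taxpayer data.
    print(handle_submission({"name": "Pat <b>Example</b>",
                             "ssn": "123-45-6789", "wages": "42.50"}))
    print(handle_submission({"name": "Pat", "ssn": "123456789", "wages": "1"}))
```

The escaping and the validation are deliberately separate functions: validation decides whether the request proceeds at all, while escaping is applied at every output point regardless of whether the value was validated, since a value that is valid for one field can still be dangerous in an HTML context.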

As for the data retention weakness, not storing the sensitive data from year to year would definitely be the most secure option.  However, this does mean a sacrifice in convenience that users may find worth a small decrease in security.  Assuming the data must be kept, ideally it should be kept in such a way that not even the company can look at it without being given some secret by the user.  This could work by having the user know a password of which the company stores only a secure hash.  The same password could also be used to generate a secret key that encrypts the user’s sensitive information on the company’s computers.  This way, when the user is not accessing the data, the company’s computers do not hold enough information to recover the user’s password, the secret key derived from it, or the sensitive data.  But they would still be able to quickly verify that a user’s password is correct and, from that correct password, derive the secret key to temporarily unlock the data.  The downside to this system is that it is now only as strong as the user’s password, and users are notoriously bad at choosing strong passwords.
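The scheme described above, as an added example that is not part of the original post: the company stores only a random salt and a password verifier, while the encryption and MAC keys are derived from the same stretched password under different labels, so the stored verifier can confirm a password without revealing the key that unlocks the data. The key-derivation parameters, the record layout and the sample return data are constructed for the example, and the HMAC-in-counter-mode stream cipher is a standard-library stand-in for what would in practice be AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for the password KDF (constructed value; tune for your hardware).
KDF_ITERATIONS = 100_000


def derive_master(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte master secret. Slow on purpose:
    the work factor is what stands between a leaked record and a weak password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from the master secret for one purpose.
    Holding the 'verify' output does not reveal the 'encrypt' output."""
    return hmac.new(master, label, hashlib.sha256).digest()


def enroll(password: str) -> dict:
    """What the company stores for a user: a random salt and a password
    verifier. Neither the password nor the encryption key is kept."""
    salt = secrets.token_bytes(16)
    verifier = subkey(derive_master(password, salt), b"verify")
    return {"salt": salt, "verifier": verifier}


def verify_password(record: dict, password: str) -> bool:
    """Quick login check, done in constant time against the stored verifier."""
    candidate = subkey(derive_master(password, record["salt"]), b"verify")
    return hmac.compare_digest(candidate, record["verifier"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher stand-in;
    # in production use an authenticated cipher such as AES-GCM instead.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_record(record: dict, password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the user's password."""
    master = derive_master(password, record["salt"])
    enc_key, mac_key = subkey(master, b"encrypt"), subkey(master, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(record: dict, password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the stored
    blob was tampered with (both show up as a MAC failure)."""
    if len(blob) < 48:
        return None
    master = derive_master(password, record["salt"])
    enc_key, mac_key = subkey(master, b"encrypt"), subkey(master, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample data, not a real return.
    pw = "correct horse battery staple"
    record = enroll(pw)
    stored = encrypt_record(record, pw, b"SSN=000-00-0000;AGI=12345.00")
    print("login ok:", verify_password(record, pw))
    print("wrong password decrypts to:", decrypt_record(record, "guess", stored))
    print("right password decrypts to:", decrypt_record(record, pw, stored))
```

Between sessions the server holds `salt`, `verifier` and the encrypted blob, none of which yields the plaintext without the password; the post's caveat still applies, since an attacker with the record can run the same KDF against password guesses offline, which is why the work factor and the user's password strength are the whole story.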

Risks / Conclusion

The main risks in doing taxes online lie in the possibility of identity theft and tax fraud.  I would imagine that companies providing online tax services likely know of and have defenses for attacks coming from the outside.  What has me a little bit more worried is the threat of an inside job.  A single disgruntled employee, or even just an unpatched computer that gets a virus, could likely bypass most defenses against outside attacks if they are not considered.  One thing that does soothe my worries some is that, as reputable companies wishing to continue making money, these companies would likely work hard to mitigate the effects of any attack on the user, otherwise they might get a reputation for screwing people over.

Filed under: Security Reviews