The Straight Dope

Go Back   Straight Dope Message Board > Main > In My Humble Opinion (IMHO)

Reply
 
Thread Tools Display Modes
  #1  
Old 03-13-2006, 11:04 AM
ralph124c ralph124c is offline
Guest
 
Join Date: Mar 2002
Is TURBOTAX (Online) safe?

I'm seriously thinking of using it..but is it safe and secure? You are online, typing in SS numbers, financial data , addresses, etc. can't some hacker break in and steal you info? What is TT's liability if this happened?
Reply With Quote
Advertisements  
  #2  
Old 03-13-2006, 11:10 AM
EEMan EEMan is offline
Guest
 
Join Date: Nov 2002
I use TurboTax PC (then file via E-file)...

I don't know anything about the 'online version'...

That said.. I can do a credit search with your name and come back with a lot of the things you will be inputting anyway...

The E-file data is sent with 128-bit encryption.. which you COULD sniff off... but then you would have to break it... easier to use public information for the same effect
Reply With Quote
  #3  
Old 03-14-2006, 07:20 AM
tomndebb tomndebb is offline
Mod Rocker
Moderator
 
Join Date: Mar 1999
Location: N E Ohio
Posts: 36,271
This is more of a poll for information/opinions.

Off to IMHO

[ /Moderating ]
Reply With Quote
  #4  
Old 03-14-2006, 10:45 AM
ftg ftg is offline
Guest
 
Join Date: Feb 2001
There are two main aspects of concern (and a million secondary ones):

1. The communication. If Intuit has done things right, then everything is sent back and forth securely using a simple encryption scheme. Notice the "If". Programs are routinely flawed and there is no way to ensure things are done right. Also, the current SSL encryption schemes are not considered "long term" safe. I.e., someone can capture your bytes as they travel along the Net and in some X number of years, decode them. X might be as short as 1 year, but who knows?

2. Intuit will have copies of your data lying all over the place. No doubt they make lots of claims about security and such but it's all PR. The programs are no doubt flawed, employees make mistakes or deliberately copy things, and you have no protection against anyone in the future getting their hands on it. What if you're a big contributer to political party X and someone at Intuit who supports party Y browsing thru the files (which of course they aren't supposed to be able to do, Ha!) sees your name. Now your tax records belong to the enemy.

Every day there are examples of people's personal info being stolen and those are just the reported cases. Figure a 100 to 1 ratio on unreported cases. There's a big scandal concerning debit cards with stolen PIN numbers going on right now.

I see no benefit from doing something like this online. Buy the program for $15 and file on paper.
Reply With Quote
  #5  
Old 03-14-2006, 11:04 AM
Lissa Lissa is offline
Guest
 
Join Date: Mar 1999
Quote:
Originally Posted by ftg
I see no benefit from doing something like this online. Buy the program for $15 and file on paper.
I have to agree. I'm not paranoid about internet fraud in general, but when it comes to sensitive data, this is the Mother Lode.

I downloaded the TurboTax program. Costs a bit more, but the peace of mind is worth it, in my opinion. (By the way, I really liked the program-- easy to use and fast.)
__________________
Quid quid latine dictum sit, altum videtur.
Reply With Quote
  #6  
Old 03-14-2006, 11:19 AM
JSexton JSexton is offline
Charter Member
 
Join Date: Jan 2000
Location: Snowy Oregon
Posts: 4,015
I've used it for the past 6 years. No one has stolen my identity.

The arguments being applied to the Intuit people already apply to the employees of Visa, Mastercard, your bank, the IRS, the mail carrier who handles a package addressed to the IRS, etc.
Reply With Quote
  #7  
Old 03-14-2006, 04:12 PM
ftg ftg is offline
Guest
 
Join Date: Feb 2001
Quote:
Originally Posted by JSexton
I've used it for the past 6 years. No one has stolen my identity.

The arguments being applied to the Intuit people already apply to the employees of Visa, Mastercard, your bank, the IRS, the mail carrier who handles a package addressed to the IRS, etc.
The first part is utter and complete nonsense. Anecdote's of non-events prove nothing.

Note that you don't have to have credit cards or bank accounts.

As to the IRS and the USPS*, you have to use them. Intuit is an unneeded option. So opt out.

*Note that the no one at the USPS is collecting millions of tax records on computers. Think in terms of scale. One rogue USPS employee stealing a few tax documents is one thing. An Intuit rogue employee stealing hundreds of thousands of documents is another level of worry. Ditto with accidental leaks of information.
Reply With Quote
  #8  
Old 03-15-2006, 08:13 AM
ralph124c ralph124c is offline
Guest
 
Join Date: Mar 2002
I started filing, then was hit by worry. so, i called the TT helpline-and was connected with a gentelman in INDIA! he assured me 9most profusely) that the on-line system was safe and secure.
Well, not for me-I'm going to use it at home, and file via USPS. no sense tempting fate.
Reply With Quote
  #9  
Old 03-15-2006, 09:29 AM
Dewey Finn Dewey Finn is offline
Charter Member
 
Join Date: Apr 2003
Posts: 16,343
I'm curious; was your decision not to use Turbotax Online affected by the fact that the customer service person was in India? If so, why?
Reply With Quote
  #10  
Old 03-15-2006, 09:53 AM
ralph124c ralph124c is offline
Guest
 
Join Date: Mar 2002
The "outsourcing to India" thing doesn't bother me..it is just that your personal data is being transmitted to who knows where 9maybe India)? I don't know if India has any laws about identity theft, but i'm not anxious to find out. Recently the BOSTONGLOBE (inadvertently0 wrapped its newspapers in papers containing names and credit card numbers of its subscribers. they were oput on the street, for anybody to steal. Again, i just won't risk it.
Reply With Quote
  #11  
Old 03-07-2013, 02:53 PM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
Is TurboTax (desktop) safe?

---- DISCLAIMER: THIS IS A REPLY TO A 2006 THREAD!!!!!!! OMG !11!!! ------
But I see no reason why the discussion couldn't be extended.

Back in 2001, Turbo Tax had a security glitch affecting the financial institution passwords of 150,000 customers. http://articles.latimes.com/2001/apr...iness/fi-47558

I am unaware that they suffered any financial penalty for this breach. I am unaware of their incentive to provide rock solid security today: after all the fiasco didn't hurt them in 2001. More nonsense at the wiki article: http://www.answers.com/topic/turbotax-2008

Secondly, desktop Turbo Tax offers the option of a direct download from the individual's financial institution. Of course you need to enter your password directly into the program. Does anybody know whether TT HQ stores such a password? We've established that there is little reason to extend to this company a high degree of trust. And there are real risks incurred if the bad guys get hold of your banking or brokerage password and login ID.

The program offers the possibility of import via a .txf file. But to my knowledge, most financial institutions don't provide that. Or am I mistaken?

Security conscious users could enter in all data by hand. No problem, no worries. They could also change to a temporary password at their financial institution, then change it back after they download the data to Turbo Tax. Ideally, TT could encourage the option of doing all this via directly downloadable .txf or .csv files. But it appears that they have decided not to.
Reply With Quote
  #12  
Old 03-07-2013, 11:15 PM
Hockey Monkey Hockey Monkey is offline
Guest
 
Join Date: Oct 2006
I've used TurboTax online for years. I always input all financial institution information by hand, but otherwise I'm unconcerned with identity theft from using their program. No one would want my identity anyway.
Reply With Quote
  #13  
Old 03-08-2013, 10:41 AM
Quimby Quimby is offline
Guest
 
Join Date: May 1999
I was wondering why the tone of this thread was so paranoid and then I realized it was from 7 years ago. I would bet nearly everyone who posted here back then has since done their taxes online.
Reply With Quote
  #14  
Old 03-10-2013, 02:38 PM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
That and a quarter will get you somebody's SS#.

Quote:
Originally Posted by Quimby View Post
I was wondering why the tone of this thread was so paranoid and then I realized it was from 7 years ago.
Given that Turbo Tax had a security glitch, releasing online banking/brokerage passwords of 150,000 customers, I wouldn't call it paranoia.
Quote:
I would bet nearly everyone who posted here back then has since done their taxes online.
...but that may well be the case, so your point is taken.

Apropos nothing, what's the value of an identity package on the black market? Oh about 25 US cents -- less if you buy in bulk. That would include your first name, last name, middle name, email address, email password, physical address, phone number, date of birth, Social Security number, drivers license number, bank name, bank account number, bank routing number, employer’s name, and the number of years at your current job.
----

Hot off the paranoid press
Some efilers find that there tax return doesn't go through because someone has already filed on their behalf in the hopes of lifting their refund check from the IRS. Web blog: http://hackedbyturbotax.com/my-identity-theft/
Advice for someone in those shoes: http://askthemoneycoach.com/2011/03/...file-taxes-do/
Reuters article: http://www.reuters.com/article/2013/...0B7IYW20130217

Note that the attack vector involves somebody else efiling (possibly via TT online): the pertinent ID data wasn't necessarily leaked by TT itself. Which is a little different than the OP.

----

My question remains: how secure is it to enter your login or password of your brokerage or banking account directly into Turbo Tax? And if the answer is "Not very", why isn't there more discussion of this?
Reply With Quote
  #15  
Old 03-10-2013, 04:36 PM
Leaper Leaper is offline
Charter Member
 
Join Date: Jul 2001
Location: In my own little world...
Posts: 9,134
That first link seems very eager to blame TurboTax Online, when, as you point out, there's little to no evidence that they themselves are the source of the "leak." Did I miss any evidence on the part of that blogger to show that they had anything to do with it, save being the software he used to file online?

The third also seems to have little to do with online filing, despite the 80% mention and being the method of sending stuff in. Hell, it opens with the murder of a mail carrier.

I'm trying to be clear about this, because I used this software last year, and was planning to use it again this year. Would all of y'all (NOT in 2006, please) discourage me from doing so?
Reply With Quote
  #16  
Old 03-10-2013, 06:52 PM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
Nice post, Leaper. Judging from the Reuters article, it seems that efile permits crooks to file the returns of victims early and capture a refund check from the IRS. Turbo Tax isn't exactly taking the lead in fighting this problem, but nor do they seem more culpable than any other firm that processes online returns. I'll opine that it's likely that the vic in the 1st link had his identity hacked into via another method.

Visitors to the wiki site learn that over the years Intuit (owner of Quicken and Turbo Tax) has yanked the chains of its customers pretty much for the entirety of its existence. It's part of their corporate DNA. Then again, H&R Block has a dubious business model as well (hint: their practitioners rely on selling you things you don't need if they want to make a decent living. Filing the return itself is a loss-leader.)

Everyone must their own decisions. Frankly I think we're in the realm of manageable but unnecessarily high risks. So, no I'm not going to try to dissuade Leaper of anything. Just don't fool yourself in believing that you will be ok because you are working with a reputable firm. I know of no reputable firms in this biz, AFAIK IMHO (though I must say I admittedly know nothing about TaxAct or whatever #3 is called).

Policywise, there needs to be a top-down security audit of this process. More jack-booted IRS regulators, please.
Reply With Quote
  #17  
Old 03-10-2013, 07:29 PM
Leaper Leaper is offline
Charter Member
 
Join Date: Jul 2001
Location: In my own little world...
Posts: 9,134
The thing is, I don't feel comfortable doing the paper return by myself, but the $200+ I was spending on an accountant seems more and more like a waste of money.

What do all of you do?
Reply With Quote
  #18  
Old 03-10-2013, 07:45 PM
Dewey Finn Dewey Finn is offline
Charter Member
 
Join Date: Apr 2003
Posts: 16,343
I use Turbotax on CD and file electronically but if you're nervous about data theft, you can file on paper after using Turbotax to do the return on your computer. The program does need to connect to the Internet, but only to receive updates.

Last edited by Dewey Finn; 03-10-2013 at 07:46 PM..
Reply With Quote
  #19  
Old 03-10-2013, 09:10 PM
Quimby Quimby is offline
Guest
 
Join Date: May 1999
Questions about using the Turbo Tax program: can you do more than one return and does it do state returns?
Reply With Quote
  #20  
Old 03-10-2013, 09:18 PM
Dewey Finn Dewey Finn is offline
Charter Member
 
Join Date: Apr 2003
Posts: 16,343
Yes, to both questions. My brother does his own taxes, our parents', his wife's parents', etc., using the same installation of Turbotax. And yes, it does state returns.
Reply With Quote
  #21  
Old 03-11-2013, 04:52 AM
highrollinwooded highrollinwooded is offline
Guest
 
Join Date: Oct 2008
It is...but I have used it two years in a row, I go thru the motions and it tells me that I qualify for the the Michigan Homestead Property tax credit, but I in fact do NOT, then it delays my refund for weeks! I personally won't be using it again!
Reply With Quote
  #22  
Old 03-11-2013, 11:50 PM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
Ok, I'm going to sketch some options.

1. You can order a CD or download the program from Turbo Tax or a vendor which you some confidence in. It's probably best to hand enter the data, pending solid information about how exactly their internet security system works and what sort of assurances TT offers. I call for investigation. Downloading files directly from your financial institution is also ok, though it is usually not an option. One list of advantages of desktop choice.

2. You can download the program from a vendor that you have never heard of or one with a shoddy reputation. Don't do this. There exist sophisticated scammers operating out of foreign lands.

3. You can choose Turbo Tax Online: you won't be handing over banking passwords because that exciting service option is limited to paying customers. You will be providing your Social Security number, just like you do with your bank. You will also be sharing your income specifics with Intuit. If you are uncomfortable with this, see option #1.

4. You can hire an accountant, but that can be expensive. Consider 1 or 3.
-----

I've used Turbo Tax for years, but I've always checked their work in iffy situations. It's a very useful tool, but I wouldn't treat it as an expert. It's more like a glorified spreadsheet, with a wizard attached.

-----------
More moaning and groaning:

In 2006 H&R Block mailed out unsolicited free copies of their program to lucky recipients complete with their social security numbers printed on the envelopes at no additional charge.

Back in 2007, one Turbo Tax online customer discovered she could access the returns of other customers who shared her same last name and first initial. Turbo tax no longer offers this service.
Reply With Quote
  #23  
Old 03-12-2013, 12:28 AM
Leaper Leaper is offline
Charter Member
 
Join Date: Jul 2001
Location: In my own little world...
Posts: 9,134
Hmm. Like I said, I used TTO last year, and paid for it. I assume I'd have to shell out again to do it on my computer.

However, I entered all my info by hand; no giving out of passwords or bank account numbers. So I think my SSN would be the "only" info I put out there.

I'd also have to buy a laser printer (I don't think I'll be supporting the now-dry inkjet I have anymore), I assume... But I might want to do that anyway... But that's another thread.

So IS there any news of TTO security breaches from more recently than six years ago? That might be a factor in my decision.
Reply With Quote
  #24  
Old 03-12-2013, 12:36 AM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
Well my google searches don't show any other recent breaches and the Wiki article doesn't report anything either. Seriously though, I think the desktop version is reasonably safe provided you enter everything in by hand. Or at any rate, I don't believe that there are better options.
Reply With Quote
  #25  
Old 03-12-2013, 11:17 AM
Leaper Leaper is offline
Charter Member
 
Join Date: Jul 2001
Location: In my own little world...
Posts: 9,134
But I'd still have to buy the desktop version separately from the online version I already purchased, right? The links I find are a little vague on that (perhaps I'm searching wrong).
Reply With Quote
  #26  
Old 03-12-2013, 11:18 AM
Dewey Finn Dewey Finn is offline
Charter Member
 
Join Date: Apr 2003
Posts: 16,343
Yes, I believe that you will need to buy the desktop version separately if you no longer wish to use the online version. But I don't think there is any reason not to use the online version if that's what you've already purchased.

Last edited by Dewey Finn; 03-12-2013 at 11:20 AM..
Reply With Quote
  #27  
Old 03-13-2013, 02:17 PM
Measure for Measure Measure for Measure is offline
Charter Member
 
Join Date: Oct 2000
Posts: 9,407
Quote:
Originally Posted by Measure for Measure View Post
Ok, I'm going to sketch some options.
5. Order a CD or download the program from Turbo Tax or a vendor which you have confidence in. If you have a lot of data to download from a financial institution, you can change your password to something temporary, download the data, then change it back. C'mon it's not that much of a nuisance. But realize the following:
a) IME, data entry is quicker than you think, which is not to say that it is quick.
b) If you download the data you are subjecting yourself to their formatting, their structure.
c) Don't forget to check your work regardless.
d) I may have overlooked something. This technique is my own: I have found no recommendations for it on the web and it has not been subjected to external review. Other than upthread and now. And none of us are security experts AFAIK. Commentary welcome!

Aw heck, I'll add this broader perspective/hijack:

e) According to Krebs, the leading attack vector is to place malware on your machine that contains a keylogger which grabs passwords from the password field. None of the above is really relevant to this main threat. Now consumers have *some* limited protections. But small businesses have lost hundreds of thousands of dollars to the bad guys in this manner. The best solution for them is to access their bank on a dedicated and hardened machine using Linux that they don't use for casual web surfing or email. But if that's not practical (and for many it isn't), they should do their banking on a Live-CD.

More: https://krebsonsecurity.com/tag/live-cd/

f) I have no idea how eg the Zeus virus interacts with Turbo Tax's password facility on the desktop.

Last edited by Measure for Measure; 03-13-2013 at 02:22 PM..
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 07:46 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.

Send questions for Cecil Adams to: cecil@chicagoreader.com

Send comments about this website to: webmaster@straightdope.com

Terms of Use / Privacy Policy

Advertise on the Straight Dope!
(Your direct line to thousands of the smartest, hippest people on the planet, plus a few total dipsticks.)

Publishers - interested in subscribing to the Straight Dope?
Write to: sdsubscriptions@chicagoreader.com.

Copyright © 2013 Sun-Times Media, LLC.