LAS VEGAS—Tax-preparation software used by accountants can leak customer data over wireless networks, and many accountants may not even be aware of it, a security expert said Wednesday at the BSides LV hacker conference here.
Mike Wylie, founder of Corporate Blue, an information-security consulting firm based in Calabasas, California, said that he was able to grab client names, Social Security numbers and addresses from two different brands of the professional tax-preparation software that accountants use, simply by monitoring local wireless network traffic.
Wylie said that whether you're a consumer or a small business, you should quiz your CPA on his or her security practices. Only by doing so, Wylie said, will CPAs and tax-prep software firms be forced to beef up their security.
Thirty-four percent of Americans used tax-preparation software to file their personal returns in 2016, Wylie said, and 28 percent used a CPA. The rates varied among age groups, with persons aged 25-34 the most likely (46 percent) to use tax-prep software and those aged over 65 the most likely (42 percent) to use a CPA.
But even the tax-prep software used by CPAs is often riddled with security flaws, Wylie said, and accounting firms often don't secure their networks or computers.
On his company's blog, Wylie explained that he and his colleagues were finishing up a security-testing job at an accounting firm in April when they saw lots of unencrypted traffic going by containing sensitive customer information.
Curious, they had a CPA in the office log into the tax-prep software, Intuit Lacerte, and were surprised when the accounting company's server suddenly sent the entire customer database over the Wi-Fi network in plain text.
The data included the full names, dates of birth, Social Security numbers, email addresses, street addresses, occupations, drivers' license numbers, and home, mobile and workplace telephone numbers for 1,000 of the accounting firm's customers and the customers' spouses.
"There isn't much more a cybercriminal could ask for," Wylie wrote. "Everything needed to commit identity theft or fraudulently file taxes on 1,000 people's behalf is presented on a silver platter to anyone on the local network or a compromised workstation."
Someone who managed to crack the Wi-Fi password would also be able to grab the data, Wylie said. Unfortunately, he added, many small tax preparers' networks are very insecure, and their other security practices are often lacking.
The plaintext issue would be mitigated if a firm upgraded its office data-sharing protocol from the older SMB2 to the newer SMB3, which encrypts communications by default, Wylie said. But he added that many tax-prep software vendors don't support SMB3 due to performance issues, and don't support the encryption of stored customer data because it would hamper compatibility with other companies' software.
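On a Windows file server, SMB 3 encryption is a setting the administrator turns on per share or server-wide. The commands below are an added example, not from the article or from Corporate Blue, showing the weak state, the hardened state, and the check that a connection actually negotiated an encrypted 3.x dialect; the share name "TaxData" and server name "FILESRV01" are placeholders.

```powershell
# Added example (not from the article or Corporate Blue): harden the Windows file
# server that hosts the tax-prep data share so SMB traffic is encrypted in transit.
# Run in an elevated PowerShell on the server. "TaxData" and "FILESRV01" are placeholders.

# --- Weak state: the share is served with no encryption requirement ---
# Clients that negotiate SMB2 read and write the share in the clear, which is
# what the article describes being observed on the office Wi-Fi.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
Get-SmbShare -Name "TaxData" | Select-Object Name, Path, EncryptData

# --- Hardened state ---
# Retire SMB1 entirely; it offers neither encryption nor modern signing.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Require encryption on the specific share that holds client records
# (only SMB 3.0 or newer clients can connect to an encrypted share).
Set-SmbShare -Name "TaxData" -EncryptData $true -Force

# Or require it server-wide and refuse any client that cannot encrypt.
# Caveat: a tax-prep application that only speaks SMB2 (the article says some
# vendors do) will be denied access once RejectUnencryptedAccess is on, so
# test with the firm's software before rolling this out.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# --- Check ---
# On the server: which dialect each active client session negotiated.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
# On a client workstation: confirm the mapped share is on a 3.x dialect and Encrypted is True.
Get-SmbConnection -ServerName "FILESRV01" | Select-Object ServerName, ShareName, Dialect, Encrypted
```

A session showing Dialect 2.x, or Encrypted False, means the customer database would still cross the network in plain text as described above.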
Security problems extend through the entire tax-preparation industry, Wylie said. State laws regulating the disclosure of data breaches at tax-preparation firms are often very lax, and in most cases don't even govern the loss or theft of paper records, only electronic ones.
In Wylie's home state of California, he said, there's no requirement to disclose an electronic breach involving fewer than 500 customers, or breaches where the data was protected by any form of encryption. However, a new state law going into effect in 2020 will let impacted consumers sue companies over data breaches.
Meanwhile, Wylie said, the IRS paid $5.8 billion in fraudulent tax refunds in 2017, even more than the $4.6 billion the tax-preparation industry took in that year.
Intuit had yet to fix the problems Wylie and his colleagues had found in the company's Lacerte software, Wylie said. But another vendor, which the Corporate Blue website named as Thompson Reuters, was patching similar flaws found in its UltraTax CS software.
To protect their own data, accounting clients should interview their CPAs with some basic questions, Wylie said. Is stored customer data encrypted? How well protected is the company Wi-Fi network? Is two-factor authentication required when a CPA logs into the company network from outside the office? Does the firm have an incident-response policy?
"I really want this problem fixed for the general public," Wylie said.