Web Based Turbo Tax Disclosure Vulnerability Found

samzenpus posted more than 7 years ago | from the whose-taxes-do-you-want-to-pay dept.

Bug 110

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other users' tax return information. Reports state that things like bank routing information were available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

Penalty for the developers (5, Insightful)

davidmillions.com (1086903) | more than 7 years ago | (#18697287)

Companies should be penalized for something so severe to let them know that they need to do a better job in the future.

Re:Penalty for the developers (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18697301)

That'll happen the same day the government accepts penalty and responsibility for laws passed outside of its jurisdiction.

Re:Penalty for the developers (0)

Anonymous Coward | more than 7 years ago | (#18697457)

No, it is already happening. Because of this (and other problems), I won't use Intuit for any of my financial information. There isn't any bigger punishment to a business than losing customers. Please join me! A possible alternative is TaxCut [taxcut.com]

Re:Penalty for the developers (1)

davidmillions.com (1086903) | more than 7 years ago | (#18698483)

Great for you and me (I use TaxAct), but what's preventing other companies from being sloppy too?

Re:Penalty for the developers (0)

Anonymous Coward | more than 7 years ago | (#18699005)

According to capitalist theory, good companies with solid products should be preferred by consumers and dominate the market. In practice... well, I can't really explain why Turbo Tax and Quicken are so popular. Quicken in particular has lots of problems. I'll do it by hand (or start my own financial software company!) if I can't find a better product than that junk.

Re:Penalty for the developers (2, Insightful)

j1m+5n0w (749199) | more than 7 years ago | (#18705005)

According to capitalist theory, good companies with solid products should be preferred by consumers and dominate the market.
The trouble with the theory is that consumers are, in most cases, unable to evaluate whether the companies that make the products they use employ good security practices (and will continue to do so in the future). See information asymmetry [wikipedia.org].

Re:Penalty for the developers (2, Insightful)

Propaganda13 (312548) | more than 7 years ago | (#18699153)

I haven't used an Intuit program since they installed the C-Dilla malware with Turbo Tax. That was a greater breach of trust than this slip-up. There's a good chance that any company will have a problem sooner or later. It's the frequency of the problems, how they handle the problems, and their overall view of their customers that matters.
Two companies that I won't buy from
Intuit - adding malware to tax software - I'd be annoyed if a game did this, but having financial software do this crosses the line.
Iomega - defective hardware is bad enough, but settling a lawsuit with rebates to buy more hardware from you - you've got to be kidding.

Why? They're accountable anyways.. (1)

stratjakt (596332) | more than 7 years ago | (#18697517)

Mr pain and punishment, I bet you're just achin to spank some bacon, YOU BAD BOY

Re:Penalty for the developers (1)

Heembo (916647) | more than 7 years ago | (#18698809)

Isn't that the Gramm-Leach-Bliley act?

Re:Penalty for the developers (4, Informative)

CodeBuster (516420) | more than 7 years ago | (#18699131)

Agreed. This is the same kind of crap that I see all of the time from inexperienced developers (especially offshore developers in India). They make all of the classic mistakes, client side javascript for input validation, use of query string parameters with the SQL command builder on their pages (SQL injections galore), administrative query access to the SQL server directly from the web server, "secret" admin pages, cross-site scripting, you name it and they do it. The problem with a significant portion of the Indian developers is that they are too busy waving their IIT degree, ISO certs, and other documentation of their extensive education, which taught them everything they needed to know, so they don't need to listen to American devs who have a few lessons left to teach them from the school of hard knocks. They suffer from the "not invented here" syndrome, sometimes to an extreme, and thus earn themselves nasty surprises when the attack finally comes and catches them completely flat-footed. The really sad part about all of this is that the same types of attacks are used again and again and the same developers keep building vulnerable sites again and again...even long after the attacks are known and proper designs have been presented on many developer forums to avoid these problems (i.e. use stored procedures, limit database permissions to those stored procedures only, don't use the query string for sensitive data, use regular expressions to validate user input data on the server side, etc...)

If you want American (3, Informative)

wytcld (179112) | more than 7 years ago | (#18702039)

There's one tax software company doing their programming entirely in America, TaxAct (2nd Story Software [taxact.com]). I haven't used their Web version, but their Windows version runs nearly flawlessly under Wine on Linux (there are minor problems with checkbox and drop-down list display on screen while filling out forms, but those show up correctly in the print preview and output). I've used TaxCut and TurboTax in past years; TaxAct doesn't have silly videos included, but it's efficient and effective.

I share the caution about Indian programmers. I just dropped checking and savings accounts with Ameriprise (formerly Amex Bank), because in the several years since they shipped the programming off to India they still haven't gotten their site to work reliably in its basic operations. Even before security is considered, the incompetence is amazing. Now I'm seeing a downgrading in the usability of CitiBank's Website, where there's also been extensive recent offshoring - they can't be bothered to test for obvious JavaScript bugs that block Mozilla, for example, even though previously they'd officially and effectively supported Mozilla/Netscape for years. (Hell, I do work for financial firms in NYC that don't even allow their own people to browse with IE.)

Re:Penalty for the developers (0)

Anonymous Coward | more than 7 years ago | (#18702319)

FYI - all TT for the web dev is done in San Diego, CA

Re:Penalty for the developers (1)

Skye16 (685048) | more than 7 years ago | (#18704385)

In all fairness, using JS for client-side validation *as well* as implementing server side validation is okay. After all, it's better for the user if they know they fucked up immediately rather than sending a request to the server and waiting for a response (both for the client (realtime response) and you (slightly lower server load)).

But I digress.

Re:Penalty for the developers (0)

Anonymous Coward | more than 7 years ago | (#18700821)

This is unacceptable indeed, I used their service this year. I guess I should have read the agreement beforehand where it would have read "We offer this service for a $5 discount over retail because we may have a hole in our code that may allow users to get your shit! And no, we won't give a crap because we gave you a $5 discount"

Re:Penalty for the developers (1)

k1e0x (1040314) | more than 7 years ago | (#18701275)

..And who would do the penalizing? The government? What type of law would we have them write?

The fact is they are penalized.. It's just not as visible as the flogging in the street you seem to be calling for. They could be sued, and are going to lose business over this.

Exaggerated synopsis (3, Informative)

SpiffyMarc (590301) | more than 7 years ago | (#18697289)

The synopsis makes it seem like this was a bigger deal than it is. If this was actually in the wild, or exploited, that'll be big -- but as the article is written, one person stumbled across this problem, reported it, and Intuit fixed it.

Re:Exaggerated synopsis (3, Insightful)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18697317)

Nothing is ensured, though. If one random user can happen to stumble across a flaw then there are probably ten or twenty other flaws which can be found by more detailed analysis of the code.

The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC.

Re:Exaggerated synopsis (1)

Sam Ritchie (842532) | more than 7 years ago | (#18698123)

How is the (paraphrased) comment "software probably contains bugs" insightful?

Exaggerated opinions. (0)

Anonymous Coward | more than 7 years ago | (#18705207)

"The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC."

So that's what programmers think about each other? Glad I'm not in your profession. The back-stabbing must be terrible.

Re:Exaggerated synopsis (3, Insightful)

LighterShadeOfBlack (1011407) | more than 7 years ago | (#18697409)

If this was actually in the wild, or exploited, that'll be big
How do you know it wasn't? This isn't the kind of thing where if it's being exploited people would know it. If the wrong person discovered this first then obviously they wouldn't be running around telling people that they'd found a security hole which they were currently exploiting for their own personal profit.

Re:Exaggerated synopsis (1)

scottrocket (1065416) | more than 7 years ago | (#18698745)

"If the wrong person discovered this first..." I was afeared this might happen, which is why I stopped using Turbotax online many years ago; I now go to a bunch of sweet ladies who always seem to get the work done much quicker!

Re:Exaggerated synopsis (0)

Anonymous Coward | more than 7 years ago | (#18697449)

Larry did you forget to perform some actual tests before the product was considered RTM?

Re:Exaggerated synopsis (3, Insightful)

uofitorn (804157) | more than 7 years ago | (#18697613)

If this was actually in the wild

Well, it was in the wild. It was on their production website, accessible to the public. Any number of less well intentioned individuals could have taken advantage of the flaw before it was actually reported to Turbo Tax.

If it was in beta or development code, and the flaw was found internally, then it would be as you say.

Re:Exaggerated synopsis (1)

fimbulvetr (598306) | more than 7 years ago | (#18697669)

...Smoke and mirrors comment...

The plain and simple fact is that this should have never happened. There should be *authentication* mechanisms in place to prevent logins from seeing any more than exactly their information. Anything beyond that is absurd and screams to be insulted.

In security it's never a question of where or how far advanced a public/wild an exploit is, it's if the potential exists. Anything else is damage control, and that's what you're attempting to do.

Re:Exaggerated synopsis (1)

Ucklak (755284) | more than 7 years ago | (#18697735)

one person stumbled across this problem, reported it,
... and the 1000 other crackers (hackers if you're offended by the cracker label) would just harvest information and sell later.

Come on, in the restaurant business, for every one that complains, there are 10 that don't. 3 of the 10 never come back.

This is horrible on Intuit's part.

Re:Exaggerated synopsis (-1)

Anonymous Coward | more than 7 years ago | (#18698303)

I'm posting anonymously for what will become obvious reasons.

A few years ago a colleague of mine discovered that it was possible to download other people's tax returns from H&R Block's website. The trick was you needed to have a name, address, year of birth, and social security number. That sounds pretty good, but actually it's terrible. 10019 is the nation's most populous zip code. A lot of people have lived in that zip code their entire lives. All of the people who currently live there are listed in the phone book. Social security numbers are very easy to predict if you know the place and year of birth. So he just tried a lot of combinations of names and years of birth with educated guesses as to SSN and voilà: tax returns. I think the rate of success was on the order of one return per 10,000 attempts.

not fixed (2, Informative)

r00t (33219) | more than 7 years ago | (#18698411)

They claim to have REMOVED THE LINK.

Removing a link to a web page takes the "feature" away on the server...? Idiots.

Re:Exaggerated synopsis (1)

syphax (189065) | more than 7 years ago | (#18701793)


What's unknown is how many people stumbled across the problem and did not report it.

I really like the web version of Turbo Tax, but things like this leave me very nervous.

TAXES!!! (0)

Anonymous Coward | more than 7 years ago | (#18697319)

You can have my taxes when you pry them from my cold dead fingers.

COCK!!! (0, Funny)

Anonymous Coward | more than 7 years ago | (#18697451)

You can have my cock when you pry it from your mother's cold, dead fingers.

Re:COCK!!! (0)

Anonymous Coward | more than 7 years ago | (#18697975)

He had it coming. :)

Wearing Jackets with Bull's Eyes (4, Insightful)

bill_mcgonigle (4333) | more than 7 years ago | (#18697329)

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing a high-tech organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Re:Wearing Jackets with Bull's Eyes (2, Insightful)

Jose (15075) | more than 7 years ago | (#18697495)

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing a high-tech organized-crime-sponsored identity thief can imagine

yep, that's a pretty juicy target...a more juicy target would be the IRS's DB, which must be at least somewhat available online (think e-filing). Even if you don't e-file, your data is going to end up in a DB at some point, so don't feel too safe.

Re:Wearing Jackets with Bull's Eyes (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18697587)

a more juicy target would be the IRS's DB, which must be at least somewhat available online (think e-filing).

Yeah, I should have clarified in my post - with the TurboTax database, as I understand it, you don't have to do your entire return at one sitting, so you can come back to it. That makes perfect sense for the user. But it also means the data has to be retrievable from the website.

With the IRS, they can, in theory, have a gate in place that makes the E-file transactions one-way. Some TLA agencies use XML bridges for this kind of setup. At least it's possible, and I hope they do it.

Re:Wearing Jackets with Bull's Eyes (1)

Jose (15075) | more than 7 years ago | (#18698005)

With the IRS, they can, in theory, have a gate in place that makes the E-file transactions one-way. Some TLA agencies use XML bridges for this kind of setup. At least it's possible, and I hope they do it.

yep, that would be a great way to help protect the database, but everything in front of that is still a single point of attack.

I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch...but as always, it just takes one mistake :(

Re:Wearing Jackets with Bull's Eyes (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18698043)

I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch

We'd also think the FBI and FAA would have decent computer systems, but they're classic IT boondoggles. Let's hope the IRS does better. Heck, they ought to let the Post Office run their systems.

...but as always, it just takes one mistake :(

Or none if they get zero-day'ed. I'll second your :( .

Re:Wearing Jackets with Bull's Eyes (2, Insightful)

ceejayoz (567949) | more than 7 years ago | (#18697655)

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Huh? You do realise that in the governmental mind "costs more to process" translates to "collect more taxes to cover it", not "maybe we should abolish income tax", right?

Re:Wearing Jackets with Bull's Eyes (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18697951)

Huh? You do realise that in the governmental mind "costs more to process" translates to "collect more taxes to cover it", not "maybe we should abolish income tax", right?

Yep, I'm talking about when the argument comes, not the change in my pocket today. If the IRS has no administrative overhead it'll be harder to topple. If it's very expensive it can be shown as an inefficient mechanism (and therefore unfair) for taxation.

Re:Wearing Jackets with Bull's Eyes (1)

ceejayoz (567949) | more than 7 years ago | (#18698763)

It'll never get toppled. They'll just make efficiency measures, like requiring you to e-file.

Re:Wearing Jackets with Bull's Eyes (1)

Ken D (100098) | more than 7 years ago | (#18702975)

Here's my problem. Why should *I* pay more, so that *they* save money? E*filing should grant you a credit on your return, not a bill.

Re:Wearing Jackets with Bull's Eyes (1)

ceejayoz (567949) | more than 7 years ago | (#18704365)

If it makes you feel any better, just assume some of Bush's tax cuts were a result of increased e-filing.

Re:Wearing Jackets with Bull's Eyes (1)

SeaFox (739806) | more than 7 years ago | (#18697785)

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Yup, I filed online for the first time this year (using TurboTax Online, sadly) and I don't think I'll be doing it again. I'll be back to using the paper forms next year.

Re:Wearing Jackets with Bull's Eyes (2, Insightful)

Red Flayer (890720) | more than 7 years ago | (#18698221)

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Ah, yes, the old we-don't-like-government-waste-so-we'll-add-some-more-voluntarily.

The security concerns about e-filing are real (which is why I don't do it either). But is it really likely that the government will stop collecting taxes just because it's more expensive than not collecting taxes? No -- the collection cost will just continue to be passed on to us.

Re:Wearing Jackets with Bull's Eyes (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18698291)

Ah, yes, the old we-don't-like-government-waste-so-we'll-add-some-more-voluntarily....But is it really likely that the government will stop collecting taxes just because it's more expensive than not collecting taxes? No -- the collection cost will just continue to be passed on to us.

I can't tell if you're misunderstanding or misrepresenting, but I'll try to be more clear:

When debating various forms of taxation, efficiency is a factor in determining appropriateness, fairness, and desirability.

Re:Wearing Jackets with Bull's Eyes (1)

ceejayoz (567949) | more than 7 years ago | (#18704421)

When debating various forms of taxation, efficiency is a factor in determining appropriateness, fairness, and desirability.

I suspect "I refuse to take already existing measures to improve efficiency just to bolster my side" doesn't win you debate points.

Re:Wearing Jackets with Bull's Eyes (1)

bill_mcgonigle (4333) | more than 7 years ago | (#18705977)

I suspect "I refuse to take already existing measures to improve efficiency just to bolster my side" doesn't win you debate points.

That would be a conflict of interest. Fortunately, I'm not the one debating, just doing my part to bolster the side of the debate I favor.

Re:Wearing Jackets with Bull's Eyes (1)

necro81 (917438) | more than 7 years ago | (#18700971)

My objection to E-Filing is that I have to pay for it. To E-File my federal and state returns, generated by software running locally on my computer, would have cost me about $30 above the cost of the software. Why? It is not the IRS that charges this fee, it is the tax preparation company. It was a sweetheart deal made in some back room years ago - the IRS will not accept E-Filings from private citizens except via a tax preparation company, who is able (even encouraged, I'd say) to collect a fee for shifting the bits around. This is not limited to just tax software, brick-and-mortar tax firms do this, too. While I could understand the IRS not wanting to deal with every improperly filled-out tax return from your average Joe, I heavily object to them not accepting a return created with a qualified tax preparation software package, all so that a private company can gouge me.

When that sweetheart deal was made a few years ago, the various groups decided to throw a bone to us poor plebeians: free online E-Filing [irs.gov]. If your adjusted gross income is less than a certain amount, about $52k/household I think, then you are entitled to E-file your federal taxes for free using a variety of online services. TurboTax's online software is one such place. For reasons which I think are shared here on slashdot, I refuse on principle to do my taxes through some company online.

Last year I helped a friend prepare his taxes using TurboTax. His AGI was below the limit for free e-filing. And yet, for some reason, the copy of TurboTax running on his computer never mentioned he was entitled to it. It would only e-file for an additional fee. You would think that, since he had already paid for this software, Intuit would be more willing to e-file his taxes than the taxes from someone who only visited their website and didn't pay for anything. This is not the case, however. The line I (eventually, after an hour) got from their tech support line (in Bangalore) was that anyone who actually purchased the software must have so much money that they'd never qualify for free e-filing. I look at it more along the lines of: shucks, you were such a sucker for buying this software in the first place, surely you'll be enough of a sucker to pay us even more.

I don't use TurboTax anymore.

My tax software is grey and squishy. (1)

maxume (22995) | more than 7 years ago | (#18697337)

Pen and paper have the added advantage of making people think you are crazy.

No! (4, Funny)

Bluesman (104513) | more than 7 years ago | (#18697355)

Not my bank routing number!

Someone please fix this before someone finds out how to deposit money into my account!

Re:No! (3, Informative)

ZorbaTHut (126196) | more than 7 years ago | (#18697441)

I am currently holding in my hand a wire transfer request, dating from a few months ago when I sent money to a friend with an unexpected catastrophe. It asks for very few things.

* Date/time of original request
* "Teller ID" (I called them to ask how to do this and they gave me this bit of information)
* Member name
* Member number (this is embedded in the routing number for my savings account)
* Daytime phone
* Amount
* Information on who gets the money
* Signature

The only parts of this which could be used for authentication:

* The fact that I called
* My name
* My member number
* My phone number
* My signature

Given my tax forms, one could easily find my name and phone number, and if I had chosen the option to wire to or from my checking account, my member number as well. (This is why I would have sent a check, although that doesn't help particularly since the number is still written on the check. I got a refund, however, so they'll be sending me a check instead and I don't have to worry about that particular hole.)

Calling them is easily doable by someone who isn't me. My signature, as much as I hate to admit it, is awful and pretty easily forgeable.

So, in summary: the information on a tax return is a significant fraction of what is needed to withdraw money from someone else's account. It may not be enough. But it certainly helps.

Re:No! (1)

AmberBlackCat (829689) | more than 7 years ago | (#18701351)

I'm pretty sure the name, address, account number, and routing number, are all you need to do an online check.

Perhaps we're looking at this the wrong way (5, Funny)

psaunders (1069392) | more than 7 years ago | (#18697361)

Think of it more as a useful, undocumented feature. Not only can you do your own tax return online, now you can do other people's! Well done to the good folks at Turbo Tax for coming up with it.

Re:Perhaps we're looking at this the wrong way (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#18697811)

Wikireturns! People can collaborate on filing them.

Re:Perhaps we're looking at this the wrong way (1)

indifferent children (842621) | more than 7 years ago | (#18701107)

Wikireturns! People can collaborate on filing them.

And if there's fraudulent information submitted, 50000 people spend 2 hours in jail.

Oh, swell! (4, Funny)

Tokerat (150341) | more than 7 years ago | (#18697367)

I just filed my taxes with TurboTax Online! Great, now I'm going to be hacked, and then audited and the IRS is going to repossess all of my belon

NO CARRIER

Re:Oh, swell! (1)

maxume (22995) | more than 7 years ago | (#18697859)

That's not how you would start spelling bologna.

cU0ck (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18697429)

Re:cU0ck (0)

Anonymous Coward | more than 7 years ago | (#18697557)

Great job linking to a picture of a pumpkin, failure.

Until... (1)

Lead Butthead (321013) | more than 7 years ago | (#18697453)

Until penalties for data breach have some serious teeth (say, for every dollar of loss inflicted on the customer, fine the offending company ten dollars) companies will never take the security of customer data seriously.

Re:Until... (3, Insightful)

maxume (22995) | more than 7 years ago | (#18697563)

You have to balance a punishment like that against encouraging disclosure. Personally, if my data is lost, I'd rather be sure I hear about it than have the government make a buck.

Re:Until... (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#18697835)

Well, if the government makes a buck it's because they found out and started a proceeding that's part of public record.

Where you're absolutely right is that we want to offer incentives for not covering things up and for sharing enough information to improve security in general. The aviation industry does this right: they publish accident reports, whereas Intuit is keeping quiet about what kind of vulnerability they had.

Re:Until... (1)

joeytmann (664434) | more than 7 years ago | (#18705725)

Good point, but I like the customers getting fed up and leaving the company for some other product. Would hurt the bottom line way more than a fine.

I'll never go near turbo tax again. (2, Insightful)

Darth_brooks (180756) | more than 7 years ago | (#18697605)

I overpay my taxes every year. It's a few extra bucks out of my check that I don't notice, and I get a nice refund from the government. Yeah, I know I lose money on the deal based on inflation, since the money I let the feds hold doesn't earn interest. But it works out to a couple dollars a year at most based on what I'm paying, and getting the extra check works out well for me at the beginning of the year.

So two years ago I was filing with turbo tax. I'd been using it for a couple years with no problems. My taxes are simple; no house, no kids, no tax shelter investments. Just a handful of numbers on a W2, to the point where I could just as easily fill out the forms by hand, but I liked the convenience. Now, I overpay by ten bucks every week. 40 bucks a month * 12 months = $480 per year that I should get back (based on my tax bracket at the time) no matter what. My average refund was usually a couple hundred over that, and had been for the years prior. I've cut the feds a check exactly once since I started working 12 years ago.

So what did I get when I used turbo tax that year? They had me paying an additional 280 bucks! I went over that return with a fine tooth comb. All my numbers were right, every box was checked, every i was dotted and t was crossed on my end, and the software was up to date, but Turbo Tax said I owed the feds money. I broke out the disaster recovery computer (also known as a pen & paper), and did my taxes by hand and by the book. Result? My usual refund of around 700 bucks. On a lark I tried Taxcut. Same result, $700-ish refund.

Tax software (at my level anyway) should be no more complicated than a freaking spreadsheet. If they can't get that right for me, I shudder to think what kind of screw ups they've had for people who have real returns to file. At least I got a good lesson in double checking someone else's math.

Re:I'll never go near turbo tax again. (5, Insightful)

ptbarnett (159784) | more than 7 years ago | (#18698141)

You probably made a data entry error in TurboTax -- not necessarily entering the wrong amount, but clicking the "yes" button when you should have clicked "no" (or vice versa).

Based on the difference in taxes ($280 owed vs. $700 refund = net $980) and presuming a 28% marginal tax rate, the difference in taxable income was $980 / 0.28 = 3,500.

The personal exemption was $3,100 for tax year 2004. All you had to do was enter the personal exemption incorrectly (as in accidentally tell it you were being claimed as a deduction on someone else's return), and you would have gotten the results you observed.

If your taxes were that simple, just looking at the generated 1040 (or 1040A) would have revealed whatever error (yours or theirs) that was occurring. So, I'm skeptical of your claim.

Re:I'll never go near turbo tax again. (1)

nametaken (610866) | more than 7 years ago | (#18699203)

You should've seen what TurboTax (boxed) did when I let it import data from one of my brokerage accounts. It told me I owed about $2,900. I just about had a heart attack until I realized that it took incomplete data (no purchase dates or prices), didn't warn me, recorded all the sales as income and added it to what I owe against.

I called an accountant instead and ended up eating the cost of TurboTax.

Paper wins again. (1)

SeaFox (739806) | more than 7 years ago | (#18697723)

I've been doing my own taxes on paper since I was 16 (and back then I was having to file self-employment taxes and commercial schedules). This year, in the interest of getting my refund sooner (not that I really needed it fast) and avoiding transcription typos at data entry, I filed electronically online, using the free TurboTax Online.

This is what I get.

Re:Paper wins again. (0)

Anonymous Coward | more than 7 years ago | (#18698731)

I've owned a farm since I was 21, operated a small egg business related to that (family business for generations, makes enough money to maintain operating costs and employ 3 people), I've owned several kinds of real estate, and I have an interest in a gas well. I've been rich, I've been poor, I've been single, married, and divorced. My taxes are somewhat more complicated than most individuals because of all this, but I have never derived much benefit from using tax prep software, aside from programs I have written myself for record keeping purposes. I sit down at tax time with an HP32, a scratch pad, and last year's paperwork, and it usually just takes me a couple of hours. Once I tried to go to a professional. It takes hours just to explain the complexity of my business interests, and when I had a farm that operates at a net loss, it did not seem to compute at all. The "pros" get just enough training to fill out a 1040A, I think.

Re:Paper wins again. (1)

SeaFox (739806) | more than 7 years ago | (#18699119)

Exactly, taxes aren't that complicated. I even did my taxes on paper like I usually do before I went online, and doing them online didn't make a bit of difference in my refund amount, just as I knew it wouldn't.

The problem is everyone treats taxes like a lottery, they think if they let a "professional" do them they'll get some big windfall. Two flaws in this thinking:
  • Tax preparers don't use a separate set of tax laws, nor do they make up records out of midair. Everything they do you can do yourself with the same materials, all it takes is a little reading. Most of those special deductions are explained in the standard 1040 instruction book or through the PDFs available on the IRS site.

  • It's a tax refund. You aren't getting anything back you didn't pay to start with. If you're getting humongous refunds, maybe you should adjust your withholding. Then open a savings account and have the difference funneled automatically to it every month. That way the money you used to overpay the government will be sitting in your account and earn you interest, not Uncle Sam.

If H&R Block or any of the other tax preparers can make that large a difference in a refund, using methods I can't spot going through the form myself, I would question the legality of whatever it was they were doing. The fact they recently had issues doing their own taxes [typepad.com] only strengthens this opinion in me.

I'll gladly take a couple hours of my own time and not give $50 of my refund to them. And with the Fill-in PDF forms the IRS makes available, even sloppy handwriting can't goof my return up now!

SpPonGe (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18697755)

This is nothing new (3, Informative)

msblack (191749) | more than 7 years ago | (#18697771)

On-line websites have been a major source of information security breaches. A few years ago I was able to perform reverse-directory lookups on Verizon customers. Their DSL registration website was one such problem. After a customer entered his/her telephone number to verify DSL availability, the website displayed the corresponding customer's name and billing address, asking "is your information correct?"

Re:This is nothing new (1)

Jables (837148) | more than 7 years ago | (#18700657)

Huh? Reverse number lookups have been around for a long time. You didn't need to do a DSL search, just click on the "Reverse # Lookup" link on Verizon's Support page [verizon.com] . The fact that it was really hard to do this in a phone book in the old days doesn't make it a "security breach" on the web.

Re:This is nothing new (1)

ezzewezza (84083) | more than 7 years ago | (#18700749)

On-line websites have been a major source of information security breaches.
SO TRUE! We should all be using off-line websites. They are MUCH more secure.

Check out Canada's security requirements (1)

eric31415927 (861917) | more than 7 years ago | (#18697773)

The Canada Revenue Agency sets up security rules here in Canada for third-party e-filers:
http://www.efile.cra.gc.ca/eol-security-e.html#conf [cra.gc.ca]

The article didn't mention what sort of security rules are enforced in the US.
Does the IRS have similar rules to what we have in Canada?

Re:Check out Canada's security requirements (1)

gnuman99 (746007) | more than 7 years ago | (#18698259)

Huh? What guidelines? The only guidelines are "try to be careful and warn users their tax data is stored on your servers". That's the extent of what you are asked to do for web based solutions. I know this because I'm writing one of the software that has NETFILE in CCRA. And no, our product will NOT be web based for exactly the reasons of security. People that can't install simple software (it's 3 clicks!) should not be doing their own taxes. Go to H&R or similar (family?) to help you out.

As currently is, Intuit can use these databases for whatever reason they wish short of selling the data verbose. Who could prove otherwise?

And no, NETFILE can be safe because CCRA only accepts data and does not allow you to read it back. That's why it is safe to transfer taxes over the Internet.

Here's a genius idea (1)

Corporate Gadfly (227676) | more than 7 years ago | (#18697793)

Why doesn't the government provide online tax processing website? That way, if the site gets hacked it's the government's problem. And your hard-earned tax dollars go towards a service that you can ACTUALLY use. Naysayers might say, well, what about the tax software industry? How many jobs will be lost? And I say to you, screw that. The tax software industry has milked the cash cow dry. Then again, I might be dreaming and this will never happen.

Re:Here's a genius idea (2, Informative)

Arkaine101 (591667) | more than 7 years ago | (#18698011)

Why doesn't the government provide online tax processing website?
Lobbyists representing tax-preparation agencies like TurboTax.

Re:Here's a genius idea (2, Informative)

Techman83 (949264) | more than 7 years ago | (#18698781)

In Australia the Government provides software to do your tax online. I've been doing it like this for the past 3 financial years. It is far easier and explains a lot more than the paper return you fill out. If you have a refund it is deposited into your account within 14 days. The paper "Tax-Pack" is utterly useless in comparison.

Re:Here's a genius idea (1)

Zontar_Thing_From_Ve (949321) | more than 7 years ago | (#18701359)

Why doesn't the government provide online tax processing website?

Because one of the mantras of a Republican controlled US government (remember, that the Republicans controlled both the White House and Congress from 2001 until this January) is that private industry always does a better job. Another mantra, which also applies, is that the free market solves all ills. That's why Uncle Sam doesn't do what you suggest.

Re:Here's a genius idea (1)

DragonWriter (970822) | more than 7 years ago | (#18703683)

Why doesn't the government provide online tax processing website?

Because politicians get massive campaign contributions from the industry that provides software and services for tax processing, and generally believe in not biting the hand that feeds them lavishly, and because there is no public outcry for this that would offset the allure of the campaign cash. Politicians don't, mostly, lead even if they get called "leaders", they follow, and what they mostly follow is money, though a clear enough weight of votes on the other side may deflect them from that course.

Though, IIRC, John Edwards, as part of his present Presidential campaign, has proposed both an IRS online tax entry website and, even further, having the IRS take the information that is filed with it and preparing draft tax returns for taxpayers that would, where no additional information is needed (as is often the case) simply require confirmation and no additional data entry, calculations, or other work by the taxpayer.

Not the first time this year! (5, Interesting)

SD_92104 (714225) | more than 7 years ago | (#18697947)

It is very scary to see how much value Intuit seems to put to customers' data and how much they learn from past mistakes...

On January 6th this year I received an email from TurboTax Online with the subject
"TurboTax User ID Enclosed: Online Products Now Available!"

Problem being that - in addition to my UserID - it also contained two other (seemingly random) UserIDs including a live link to their login pages. I tried to be nice and alert them of their security problem but it was not easy. After hunting through the website for a feedback/support link I could only find an online chat with one of their support people. It took me close to an hour to tell her about the problem (it somehow didn't seem to fit into her questionnaire flow chart...) and she promised that she would pass the information on to the tech department and that they would get back to me (yeah, right!). I also asked her repeatedly to delete my account including all data and she said it couldn't be done and that I wouldn't have anything to worry about as the data would be safe on their servers - apparently not.

Guess I should have been a little more aggressive and tell some news outlet about the problem than thinking that their internal procedures and security audits would be sufficient without additional pressure. I decided after that email to never again use the online TurboTax version (I never actually filed from it before as it was a little too limited) and looks like I made a smart choice.

Web-based taxes (1)

Jonathan McDowell (515872) | more than 7 years ago | (#18698051)

Of course, TurboTax's web based form is one of the few options for Linux users..
I tried a bunch of different sites; of course there's no excuse for a purely web-based
service to be incompatible, but of course they mostly are! In contrast,
I have had good experiences with Turbotax for the past couple years. And so far
the contents of my bank account haven't vanished .... well actually they did,
but that was because I spent all the money...
Any recommendations for full-featured tax services that work well on
firefox under linux?

    - Jonathan

Re:Web-based taxes (0)

Anonymous Coward | more than 7 years ago | (#18698063)

I've had good luck with TaxACT [taxact.com] .

H&R Block (1, Informative)

Lish (95509) | more than 7 years ago | (#18698177)

H&R Block had a similar issue with their online tax prep software back in February:

news.com.com article [com.com]
Businessweek article [businessweek.com]

Re:H&R Block (1)

DCMonkey (615) | more than 7 years ago | (#18698773)

... of 2000

Bank routing information is public, isn't it? (1)

AxelBoldt (1490) | more than 7 years ago | (#18698345)

I have to assume that bank routing information is public, or else banks wouldn't print it in clear text on every single check, along with full address. Is there anything evil I can do to you if I had your bank routing information?

In Germany many people put their bank routing information on their letter head, so that people can easily transfer money to them.

Re:Bank routing information is public, isn't it? (0)

Anonymous Coward | more than 7 years ago | (#18698863)

You are absolutely correct. Your bank routing info AND checking account number AND name and address and phone # and signature sample are printed on every single check you write. Take out your checkbook and look at it. It's there.

Would you write that info down on a plain piece of paper and hand it out? No. But you're happy to hand it out at the grocery store, the minimart, when you pay your electric bill or rent or mortgage, when you renew your magazine subscriptions, etc, and it's the same as writing that stuff on plain paper and handing it out to abject strangers.

I know plenty of people who are freaky protective of bank account numbers but at the same time, they also write checks for everything because they are afraid of using debit or credit cards because someone might get their personal info. It usually does no good to point out that every check is loaded down with the same info they are so worried about.

And hell, some of these people still preprint their SSNs on their checks because that's what people did in the 70's and these people have always done it that way. They also think it's A-OK to mail a check from their home mailboxes with the little red flag on top. It's the way they have always done it. Never mind that it's about the most unsafe way.

On the other hand, I do have at least one smart friend who I owed money to. He's permanently living in Canada now so I had him email me his bank account number -we happen to share the same bank- so I went down and put the cash money directly into his (still open) local bank account. He understood that there was no point in worrying about it because the cat was already out of the bag, and he also understood this was a quick way to get his money from me. Worked perfectly. From 4000 miles away, he could see the deposit show up instantly and he had immediate ATM access to the money. He now uses this technique to send and receive money among his parents and siblings who live here and they smirk about how simple and easy it is and how nobody else knows how to do this. Pretty proud of them actually. Smart folks.

The bottom line is that checks are inherently insecure.

Re:Bank routing information is public, isn't it? (1)

nametaken (610866) | more than 7 years ago | (#18699245)

Oddly I had to authorize a family member to use my checking account before they were able to do deposits for me. I was using BankOne before it was bought up in the last year or so.

Re:Bank routing information is public, isn't it? (1)

mutterc (828335) | more than 7 years ago | (#18703799)

checks are inherently insecure

That's true. Technically, if you have a check from someone, you could clean out their account through electronic transfer. Heck, that's similar to what big credit card companies do now - when you send them a check in the mail, they EFT the money from your account, then destroy the paper check, so it must be possible.

If I were to ever pay for stuff with checks in person (I usually just use plastic), I wouldn't mind giving it to the cashier, for the same reason I don't mind giving them the plastic: the paper trail.

You know who you write checks to; it's in your checkbook, and the bank knows, by means of who cashes them. That will create instant suspicion of anyone who handles your checks when your money goes missing; if it goes missing from several people who all visited the same store recently, that will be noticed.

Re:Bank routing information is public, isn't it? (1)

karmatic (776420) | more than 7 years ago | (#18700395)

Well, with ACH access, you can withdraw (or deposit) any arbitrary amount (with sufficient funds) from (or to) almost any account in the United States.

Does that count as evil?

Re:Bank routing information is public, isn't it? (1)

AxelBoldt (1490) | more than 7 years ago | (#18706661)

Why would the bank hand my money from my account if I didn't authorize it? If the bank is being defrauded I can't see that as being my problem.

Re:Bank routing information is public, isn't it? (1)

equivocal (655448) | more than 7 years ago | (#18707839)

Why would the bank hand my money from my account if I didn't authorize it?

1) Because the bank serves commercial interests. Consumers are not allowed to protect their accounts. That would raise the cost of extracting money from the account. My bank claims it's by law, but more likely it's just their policy so they won't annoy their corporate peers.
2) Authorization is now implied by writing a check or otherwise specified in terms of service (cell phone, cable TV, etc.).

If the bank is being defrauded I can't see that as being my problem.

You have 60 days to notice the fraud and complain. Fail to act and it becomes your fraud. I'd argue that the burden of noticing fraud makes it your problem from the beginning.

Simple tax software (1)

ingo23 (848315) | more than 7 years ago | (#18698525)

I have been using TaxAct for 3 or 4 years now. They have a free downloadable version (as well as web based one). This year they had free e-file as well (before they charged $10 or $12 for e-filing). If your finances are rather simple - it should be covered (I did a Schedule C without a problem). I assume if your situation is more complicated - you'd better hire a CPA.

As for the web based tax preparation - I've never used it. I prefer to keep that kind of data behind my firewall and backed up on my CDRs...

Re:Simple tax software (0)

Anonymous Coward | more than 7 years ago | (#18698647)

(posting anon because I'm a TaxCut Senior Tech Rep - at work)

You'll notice if you look carefully that TaxCut and TaxACT seem to have very similar interfaces... shockingly similar... almost as if they were developed by the same company...

Also, if you go to IRS.gov and click on Free File, you can follow a link from there to either TaxCut Online or TaxACT and do your taxes for free (including efile). HRB licenses the software, so if there's any bugs, it's fixed in TaxACT's product a few hours before it's rolled out on TaxCut.com - but at this stage in the game, federal taxes are 99% bug-free.

State taxes aren't covered by the Free File program, so you'll still have to pay for those. But as long as you meet the qualifications, it's a great deal.

I owe again this year... (1)

AmigaHeretic (991368) | more than 7 years ago | (#18698615)

I don't suppose there is a way someone could steal my SSN, Name, address, etc.. and somehow use all this information to pay my taxes for me this year could they?

If so I'm going to recommend Turbo Tax to all my friends!

I won't pay to pay (0)

Anonymous Coward | more than 7 years ago | (#18698837)

I have always done my rather complicated taxes by hand. I would prefer e-filing if I could do it directly with the IRS/FTB. And sure enough, this year I used Calfile (on unsupported software, too: Firefox 1.5/linux).

That's how taxes should be filed! Enter 5 or so numbers, check 5 or so boxes. Nothing to sign or send (I didn't owe). I hope the IRS will copy the Calfile system so I can move to efiling completely. For the record, it took me 15 minutes to do Calfile (from when I found it on the FTB web site), 45 minutes for the 1040 with pen and calculator and an hour and a half for the freaking 8801!

And where should I have heard this from? (1)

th3rmite (938737) | more than 7 years ago | (#18699285)

I'm pretty upset reading this article due to the fact that I have been faithfully using Turbo Tax for 7 years now, this year included, and I have yet to receive an email from them along the lines of "Your information might have been compromised." Shouldn't the customers be the first ones to hear about this? Thank god I read Slashdot.

Avoidable risk. (1)

russotto (537200) | more than 7 years ago | (#18702465)

I may be a crusty old Luddite, but this is why I do my taxes the old fashioned way -- with TurboTax on my personal machine. (I tried TaxCut the year that Intuit put DRM on, even though I use a Mac, and found it buggy and inferior). I want the data to remain as much under my control as possible. I send it in on paper, too, though that's because I'm too cheap to spend my money to reduce their costs rather than a concern over a compromise of the E-file database.

It's true that the data is still vulnerable at the IRS. But that's a risk I cannot avoid. Web-based tax returns are one that I can.

My 2 cents (2, Insightful)

Jsox (951873) | more than 7 years ago | (#18703133)

I actually work for Turbotax in the Technical Support Division. Actually to be specific I work for another company and they outsource their support through us. They do the same for many other offices through different companies, including outsourced Sales people in India, and an office in the Philippines. Most chat agents are from India.

I've been using Turbotax over the past 5 months for roughly 600 hours and there's a few things I can say about the program. First and foremost, it's very rarely wrong. I've taken 2057 calls (On 2058 right now) and in all these I have seen 1 calculation error, and it was a number getting transferred between Federal and State incorrectly. Most calls fall into the following categories: Password resets, how-do-I-enter, where-is-this-number-coming-from, and Installation. We also get run of the mill save errors, questions about how to transfer information, and so on. Calls that are prefaced with "Your program is doing this wrong..." always make me roll my eyes, because as far as calculations go, the program is almost exclusively correct, and alleged calculation errors are actually a result of someone entering it in wrong. And it's just a piece of software, really just a big calculator, and it's only as smart as the data that gets put into it. That being said, while it is wonderful in performing calculations correctly, it is very quirky when it comes to navigation and sometimes outright bizarre.

For example, once you've gone through the State portion, revisiting it at any point takes you straight to the end, without allowing you to review the information. If you want to change something, you need to get to a very specific page and click "Topic List", then "What's new for 2006". If you click on the topic named "State Interview", it completely skips to the end of the State Interview. Makes a lot of sense, eh? Also, checking certain boxes will generate certain forms or worksheets that will not be deleted if you go back and uncheck them, which causes the Error Check feature to freak out and tell you that you have 9000 errors because the form is blank. Also, due to the way Turbotax calls on some functions (namely XML) if it doesn't like your XML configuration, it will randomly give you errors and there's essentially no way you'll be able to use the Desktop version without reinstalling your OS or IE.

Online is more of the same, but with even more lovable "features". If you check one of those boxes that I mentioned above, and it generates a form, if it's in the state interview, there's no way to delete it; it's stuck there forever. You can delete the entire state and start again, or we can import the data into the Desktop version to remove it. Also, some pages simply refuse to load in either Firefox or IE. Short of ripping and fully reinstalling Windows or drastically modifying internet settings (something most of the agents wouldn't even know how to do) the only option is to switch browsers. Simple fix, but it shouldn't be necessary.

This all being said, the bottom line is that Turbotax calculates things wonderfully but is lacking in most other areas. When this story 'broke', all of us agents were told basically to keep our mouths shut and if any customer had any questions beyond us telling them that we were fixing the issue, to forward their request to the Corporate Office.

I've seen customers do some very retarded things, both in trying to access their account and enter or manipulate data. Is it possible that this was a one-time isolated incident? If someone was able to stumble on this information on accident, how hard would it be to do deliberately? The page with Vault access has been up for almost 5 months and this was only recently discovered, has it been abused before? I don't know the answers to these questions, but I don't get a fuzzy feeling thinking about them. People should know if their data was possibly compromised, but I don't blame them for trying to keep it quiet. In this day and age of information security and data protection, it's in their best interests to prevent everyone who efiled 75 million returns from knowing that doing so may expose their private information.

The "FAQ" that they created can be accessed somewhat easily by clicking on the "Your Data is Protected" button on the front page and then clicking on "Learn More". It's on the bottom of the page and doesn't really answer any questions. It's cleverly hidden enough to the point that you can find it, but you probably won't find it unless you go looking.

Take it as you will.

My advice is to avoid the Online version. It's functionally crippled compared to the desktop (No ability to manipulate the forms or worksheets - this is invaluable in troubleshooting alleged calculation issues) and while the online version will save your data in the vault, this apparently exposes your data unnecessarily. E-filed returns through the desktop version are simply handed off to the IRS and not retained by Intuit in any manner, only stored locally and with the IRS.

TurboTax and Security (1)

bmeighan (942088) | more than 7 years ago | (#18704851)

There is a post on the TurboTax site (http://turbotax.intuit.com/tax_products/turbotax_advantages/secure.jhtml;jsessionid=FQK0HSUDKCVCMCQIAURRYUQKBACREF4K [intuit.com]) disclosing and providing more facts on this issue. The issue does NOT affect the TurboTax Online application.

Bob Meighan
VP, TurboTax

Re:TurboTax and Security (1)

PetManimal (987201) | more than 7 years ago | (#18706651)

I am a long-time user of TT software (CD ROM version, and for the past four years, the Web version). I was always a little suspicious of your company's promises about security [computerworld.com] and now I can see that I was right to be skeptical.

So Bob, could you clarify exactly what happened with this customer in Nebraska? You said that the vulnerability does not affect the TurboTax Online application, yet the user in Nebraska says she was able to access other people's returns using your online service, and one of your employees has confirmed [networkworld.com] the incident.

Can you definitely confirm that NO ONE besides these three people were affected? Or do you just assume no one else was affected, because no one else reported this flaw? Do you have log files or other records which would be able to definitely confirm whether anyone else's record was viewed?

Also, a user on this thread reports that he noticed some poor security practices [slashdot.org] that your company had in place in its communications and policies earlier this year; is the Nebraska incident related to this? Did Intuit address the concerns that he brought up (he says no one ever got back to him)?