Page 1: Your Tax Data is Leaked - Corporate Blue · 2018. 8. 8. · The IRS has mandated six (6) security, privacy and business standards to better serve taxpayers and protect their information

YOUR TAX DATA IS BEING LEAKED

Michael Wylie

Copyright (C) Corporate Blue 2018. 1


About Me

❑ Co-Founder of Corporate Blue

❑ Cybersecurity Consultant

❑ DoD Contractor

❑ Teaching:

• US Department of Defense

• Cal State University Northridge

• Moorpark College

• Others

❑ Certifications: CISSP, CCNA R&S, CEH, CCNA CyberOps, CEI, CHPA, Project+, VCP-DCV, Security+, Dell Security, Splunk User, Pentest+

Sources:
https://www.reportlinker.com/p04442209/Tax-Preparation-Services-Global-Market-Briefing.html
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
http://src.bna.com/sfo

Outline

❑ Tax prep industry statistics

❑ Research & Case Studies: California CPA breaches

❑ Cybersecurity laws applicable to CPAs

❑ Common breakdowns in CPA’s security

❑ Analysis of tax prep software used

❑ Systemic issues found in testing software

❑ Working with vendor security teams

❑ What can you do?


Tax Industry

❑ The global tax prep market is $11 billion (2017)

❑ North America tax prep market is $4.6 billion (2017)

❑ 5 data breaches per week (IRS, 2017)

❑ 177 tax pros reported breaches from Jan-May 2017

❑ $5.8b paid in IRS refunds in 2013 (Diaz v. Intuit)

❑ IRS stopped $24.2b in fraudulent refunds in 2013

Sources:
https://www.reportlinker.com/p04442209/Tax-Preparation-Services-Global-Market-Briefing.html
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
http://src.bna.com/sfo
https://mccunewright.com/wp-content/uploads/2016/03/Diaz-v-Intuit-Complaint-Conformed.pdf

How Do Americans File Their Taxes?

Brick & Mortar Company (e.g. H&R Block) - 8.3%

Self calculation using IRS Forms - 8.5%

Do not file taxes - 9.2%

Prepared by friends or family - 10.9%

Digital tax prep tool (e.g. Turbo Tax) - 34.6%

Prepared and filed by accountant - 28.5%

Source: GOBankingRates.com (survey sample size: 5,028; year: 2016)

Age Insights: How Do Americans File Their Taxes?

Share of respondents in each age group (GOBankingRates.com survey; sample size: 5,028; year: 2016):

                                          18-24   25-34   35-44   45-54   55-64   65+
Digital tax prep tool (e.g. Turbo Tax)    25.4%   45.5%   40.5%   34.6%   27.6%   26.2%
Prepared and filed by accountant          16.3%   21.3%   29.0%   29.4%   34.9%   42.5%
Prepared by friends or family             19.7%   11.0%    9.7%    9.0%   10.8%    6.8%
Self calculation using IRS Forms          10.3%    7.3%    6.6%   10.3%    8.2%    9.1%
Brick & Mortar Company (e.g. H&R Block)    7.6%    8.3%    8.3%    9.7%    9.3%    5.8%
Do not file taxes                         20.7%    6.6%    5.9%    7.0%    9.2%    9.6%
Weekly Median Earnings                     $450    $494    $986    $971    $996    $993

Source: GOBankingRates.com

IRS Warns of a New Wave of Attacks Focused on Tax Professionals

“Thieves are able to access tax professionals’ computers and use remote technology to take control, accessing client data and completing and e-filing tax returns but directing refunds to criminals’ own accounts.”

IR-2016-119, Sept. 2, 2016

Source: https://www.irs.gov/newsroom/irs-warns-of-a-new-wave-of-attacks-focused-on-tax-professionals (IR-2016-119, Sept. 2, 2016)

BAD ACTORS “TEND TO GO FOR THE LOWEST-HANGING FRUIT,”

WI-FI SECURITY IS THE MOST COMMON THREAT FOR SMALL BUSINESSES AND TAX PRACTITIONERS

Mark Kahler,

IRS Special Agent

Source: https://www.bna.com/consumer-law-requires-n73014464239/?amp=true

CASE STUDIES


Research Methodology

❑ Each state has its own data breach reporting laws

❑ CA used for research

❑ Earliest CA breach records start in 2015

❑ Assumptions:

o Most states’ data breach laws cover electronic breaches only

o Not all breaches are reported

o CA doesn’t require reporting for < 500 records OR any encrypted breach

❑ Company Name Keyword Search:

o CPA & Tax


California CPA Type of Breach

Pie chart of breach categories (values paired with legend entries in extraction order): Email compromised 12%, Malware 19%, Physical security 25%, Portal compromised 6%, Unauthorized remote access 38%.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179
Search Terms: CPA & Tax
Date Ranges: 2015-2018
Categories were determined by Michael Wylie by reading each breach notice.

California CPA Attacker Goal

Pie chart of attacker goals (values paired with legend entries in extraction order): File fraudulent returns 25%, Theft 19%, Unknown 56%.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179
Search Terms: CPA & Tax
Date Ranges: 2015-2018
Attacker goal was determined by Michael Wylie by reading each breach notice.

Case Study: Deloitte

❑ Date(s) of Breach: Late 2016?

❑ Reported Date: October 6, 2017

❑ Summary: confidential emails and plans of clients (350 clients + 4 US Gov’t Dept.) were compromised by remote attackers. Deloitte is not 100% sure what was taken. At first, it claimed “very few” clients were impacted. Other sources claim all administrator accounts and internal email systems were compromised.

❑ Deloitte discovered the breach in March 2017, but believes attackers may have had access since October or November of 2016

Sources:
https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government
https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
https://www2.deloitte.com/global/en/pages/about-deloitte/articles/deloitte-statement-cyber-incident.html

Case Study: Wheeler & Egger, CPAs, LLP

❑ Date(s) of Breach: 08/04/2016

❑ Reported Date: 09/11/2016

❑ Summary: bad actor e-filed (45) 2015 returns on extension

❑ Data Accessed: Name, gender, date of birth, telephone number(s), address, Social Security number(s); EIN number(s); all employment (W-2) information, 1099 information; and more

❑ Category: malware

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179

Case Study: Jeffrey Born, CPA, Inc

❑ Date(s) of Breach: 12/31/2017

❑ Reported Date: 01/26/2018

❑ Summary: two password protected laptops were stolen

❑ Data Accessed: full name, birthdate, telephone number, address, Social Security number, all employment information, 1099 information, bank account numbers, income earned, insurance data, and more

❑ Category: physical security

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-63840

Case Study: Friedman & Perry, CPA's

❑ Date(s) of Breach: 06/15/2016-01/30/2017

❑ Reported Date: 03/08/2017

❑ Summary: bad actor from a foreign IP gained unauthorized access to systems via RDP between 06/15/16-01/30/17 and filed fraudulent 2016 tax returns

❑ Data Accessed: full name, birthdate, telephone number, address, Social Security number, all employment information, 1099 information, bank account numbers, income earned, insurance data, and more

❑ Category: unauthorized remote access

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-66802

Case Study: TaxSlayer

❑ Date(s) of Breach: 10/10/2015 – 12/21/2015

❑ Reported Date: 01/13/2016

❑ Summary: Unauthorized access to up to ~9,000 tax records due to weak security measures. FTC got involved due to the large number of breaches and weak security.

❑ Data Accessed: ~9,000 accounts accessed during 2 month span. Usernames, passwords, and other online services were accessed. 2014 tax returns, social security numbers, names, and addresses.

❑ Category: unauthorized access

Sources:
https://oag.ca.gov/ecrime/databreach/reports/sb24-66802
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
https://oag.ca.gov/system/files/TaxSlayer%20CA_0.pdf

TaxSlayer LLC became the first tax preparation service to face charges of violating the law, an FTC spokeswoman told Bloomberg BNA. Hackers gained full access to nearly 9,000 accounts during two months in 2015 as a result of weak cybersecurity measures, an FTC complaint said. The Georgia-based private company settled with the commission on Aug. 29 and now has to enlist a third party to review its GLB compliance every two years for the next decade.

Cyberthieves can mine tax documents for Social Security numbers and other personal information to claim fraudulent individual and business tax refunds. The Internal Revenue Service said, for example, that it stopped nearly $11 billion in confirmed fraudulent refunds in 2015.

TaxSlayer didn’t follow either rule. It failed to provide a “clear and conspicuous initial privacy notice” and to “deliver the initial privacy notice so that each customer could reasonably be expected to receive the actual notice,” the FTC complaint said. The complaint also said the company didn’t have a written information security program, failed to conduct the necessary risk assessment, and failed to implement the safeguards to control those risks—specifically, the risk that hackers would use the stolen credentials. As a result, hackers accessed nearly 9,000 users’ accounts to commit identity theft, such as filing fake returns with altered routing numbers.

Case Study: Intuit TurboTax

❑ Date(s) of Breach: 2010-2015

❑ Reported Date: 2015

❑ Summary: Allegedly, per the court case: TurboTax gets a “tax preparation fee” of ~$50-$150 for each filed return. TurboTax had lax security protocols that enabled fraudulent returns: 2.5 million suspicious returns (e.g. allowed SSN re-use) in 2012. Knowingly kept lax security policies to boost revenue.

❑ Whistleblowers: Ex-Intuit employees Shane MacDougall & Robert Lee claim management knew about fraudulent returns.

❑ Intuit says: it’s the IRS’ job to catch fraudulent returns.

❑ Intuit was granted dismissal and closed door arbitration for Case No: 5:15-CV-01778-EJD.

Sources:
https://www.courthousenews.com/wp-content/uploads/2017/10/TurboTax-MTD-ORDER.pdf (Case No. 5:15-CV-01778-EJD)
https://www.leagle.com/decision/infdco20180516c09
https://mccunewright.com/wp-content/uploads/2016/03/Diaz-v-Intuit-Complaint-Conformed.pdf
https://www.courthousenews.com/wp-content/uploads/2018/05/Turbo.pdf
https://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/

LAWS


Federal Laws

❑ AICPA: “There are actually no uniform federal laws on business cybersecurity.”

❑ “The IRS recommends preparers create a security plan”

❑ Gramm-Leach-Bliley Act (GLB) 1999 – Safeguards Rule

o Designate one or more employees to coordinate InfoSec

o Identify and assess risks to PII

o Design, implement, monitor and test safeguards

❑ Financial Privacy Rule requiring notices to customers

❑ IRS Section 7216 – Unauthorized disclosures

❑ IRS Section 7216 – Penalties for unauthorized disclosures

Sources:
https://www.irs.gov/newsroom/tax-return-preparers-data-thefts-and-protecting-client-tax-information
https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act
http://blog.aicpa.org/2017/10/if-youre-hacked-whats-your-cybersecurity-liability.html#sthash.F81nLBcl.dpbs

IRS e-File Security and Privacy Standards

The IRS has mandated six (6) security, privacy and business standards to better serve taxpayers and protect their information collected, processed and stored by Online Providers of individual income tax returns. Compliance with these standards became mandatory January 1, 2010.

1. Extended Validation SSL Certificate

2. Weekly External Vulnerability Scan

3. Information Privacy & Safeguard Policies

4. Web Site Challenge-Response Test (E.g. CAPTCHA)

5. US Registered Domain Name

6. Report Security Incidents

Source: Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns

IRS: Safeguarding Taxpayer Data PDF

Checklist (columns: ONGOING / DONE / N/A) – EMPLOYEE MANAGEMENT & TRAINING

The success of your information security plan depends largely on the employees who implement it. Consider these steps:

Check references or do background checks before hiring employees who will have access to customer information.

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.

Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need to do their jobs.

Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper and lower case letters, and a combination of letters, numbers, and symbols). (IRS suggestion: passwords should be a minimum of eight characters).

Use password-activated screen savers to lock employees’ computers after a period of inactivity.

Source: Safeguarding Taxpayer Data PDF, Publication 4557 (Rev. 6-2018)

“…the threat remains, and we need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data”

David Kautter, IRS Commissioner

Image Source: https://www.accountingtoday.com/news/irs-makes-summertime-push-for-tax-preparer-cybersecurity

U.S. State Data Breach Notification Statutes – Form of Data (dwt.com)

Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf

U.S. State Data Breach Notification Statutes – Harm Threshold (dwt.com)

Notification not required if, after good faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to residents.

Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf

Harm Threshold Defined: Notification not required if, after good faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to residents. Determination must be documented in writing and maintained for at least five years.

Encryption Safe Harbor

Statute does not apply to covered info that is truncated, encrypted, secured, or modified by another method or technology that deidentifies resident, including encryption of the data, document, or device containing covered info, so long as the encryption key was not reasonably believed to have been acquired.

Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf

California State Laws

❑ CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

❑ California Breach Notice: California Civil Code s. 1798.29 and California Civ. Code s. 1798.82

Source: https://www.securitymagazine.com/articles/89201-a-seismic-shift-what-californias-new-privacy-law-means-for-cybersecurity

CALIFORNIA CPA BREACHES

- The Problem -


Broken Records

❑ Improper security controls

❑ Lack of logging

❑ No encryption on taxpayer data or backups

❑ No clear understanding of what data was taken

❑ 1 year of identity protection for consumers

❑ Playing down the severity of what really happened

❑ Breach reports don’t make clear what was taken, who was affected, or how it happened


Common pitfalls were identified by reading breaches from 2015-2018 in the California breach database with keywords of CPA and Tax.


Translating Real Data Breach Notices

❑ Statement: “A password protected laptop was stolen.”

❑ Truth: The laptop was not encrypted and your sensitive data can be accessed by the person who stole it.

❑ Statement: “We found unauthorized access to our secure network.”

❑ Truth: If it was secure, you wouldn’t be sending breach notices.
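The encryption safe harbor slide and the “password protected laptop” translation above both turn on one question a firm should be able to answer before a device goes missing: is the disk actually encrypted, and is the key still under the firm’s control? The following PowerShell check is an added example, not code from the presentation or from any vendor. It assumes Windows 10/11 Pro or Enterprise with the BitLocker module, run from an elevated session; the function name is mine.

```powershell
# Added example (not from the presentation). Reports whether each volume on a
# Windows laptop is really encrypted, as opposed to just sitting behind a login
# password. Assumes Windows 10/11 Pro or Enterprise with the BitLocker module;
# run from an elevated PowerShell session. The function name is hypothetical.

function Get-EncryptionSafeHarborStatus {
    foreach ($vol in Get-BitLockerVolume) {
        $encrypted  = $vol.VolumeStatus -eq 'FullyEncrypted'
        # ProtectionStatus 'Off' on an encrypted volume means BitLocker is suspended:
        # the volume key is stored in the clear on the disk, so a thief gets the key
        # together with the device and the safe harbor does not apply.
        $protected  = $vol.ProtectionStatus -eq 'On'
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

        if ($encrypted -and $protected) {
            $verdict = 'Encrypted; key protected'
        } elseif ($encrypted) {
            $verdict = 'Encrypted but protection suspended; key recoverable from disk'
        } else {
            $verdict = 'NOT encrypted; a Windows login password does not protect the data'
        }

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = $protectors
            Verdict          = $verdict
        }
    }
}

# Print the per-volume report; run it across the firm's laptops before one is stolen.
Get-EncryptionSafeHarborStatus | Format-Table -AutoSize
```

Only the first verdict supports a “the data was encrypted and the key was not acquired” position in a breach notice. A volume that reports FullyDecrypted is the “password protected laptop” case from the slide: the login password controls Windows, not the bytes on the disk, and the drive can be read from another operating system. The KeyProtectors column matters too: if the only protector is a recovery password that was kept in a file on the same laptop, the key should be assumed acquired along with the device.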


Translating Real Data Breach Notices

❑ Statement: “We immediately contacted our IT consultant and promptly hired an IT security expert.”

❑ Truth: Our IT consultant doesn’t understand security.

❑ Statement: “The attacker managed to hack into our computer system despite the use of firewalls and anti-virus software.”

❑ Truth: We checked the boxes, but didn’t properly implement security controls.


Translating Real Data Breach Notices

❑ Statement: “Back up hard drives were stolen, though they require proprietary software for files to be readable.”

❑ Truth: We didn’t encrypt our backups and they were not physically secured. Trials of major tax software can be downloaded for free.

❑ Statement: “We take aggressive steps to protect your information to ensure all records are securely locked.”

❑ Truth: The data was not securely locked, it was unencrypted and someone has your personal information.


TAX PREP SOFTWARE


CPA Tax Software Survey

❑ May 1, 2017 to May 24, 2017

❑ 3,544 responses from CPAs

❑ Respondent must have filed at least one 2016 tax return for a fee

❑ 1% of respondents wrote in “others”

❑ Source: Journal of Accountancy, August 2017 Issue


Source: https://www.journalofaccountancy.com/issues/2017/aug/2017-tax-software-survey.html

The survey was conducted from May 1 through May 24, 2017, and received 3,544 responses from CPAs who indicated that they prepared 2016 tax returns for a fee. The tables accompanying this article show answers for the seven most-used products of the 14 asked about in the survey (and 1% of respondents wrote in others). For more information and ratings covering all the products asked about, click here.


Tax Software Used (Journal of Accountancy 2016 Survey; respondents: 3,851)

Pie chart (values paired with legend entries in extraction order): UltraTax CS 23%, ProSystem fx 21%, Lacerte 17%, ProSeries 12%, Drake Tax 11%, Other 16%.

Source: Journal of Accountancy

Software          1 – 20 Preparers   21 – 100 Preparers   More than 100 Preparers
ATX                6.5%               0.4%                  2.9%
CCH Axcess Tax     3.0%              10.9%                 29.4%
Drake             13.4%               1.5%                  0.0%
Lacerte           20.6%              10.2%                  1.5%
ProSeries         14.1%               0.0%                  0.0%
ProSystem fx      16.6%              58.9%                 64.7%
UltraTax CS       25.8%              18.2%                  1.5%

Percentage of respondents saying their firms are in that size category who used each software.

Journal of Accountancy 2017 Survey

Source: https://www.journalofaccountancy.com/issues/2017/aug/2017-tax-software-survey.html

TESTING TAX SOFTWARE


“The entire point is to ensure that any personal info in the source data is obfuscated such that it requires a concerted effort to remove the protection, but that the data is still usable for its intended purposes”

Troy Hunt on pwned passwords

Source: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

Defining Vulnerability

MITRE:

❑ An "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

❑ A "vulnerability" is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.

❑ Improper Access Control is defined as “The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.”


Findings

❑ More than one CPA setup uses a client-server topology

❑ Sharing is over SMBv2

❑ Many software vendors don’t recommend SMBv3 due to performance

❑ Vendors claim they don’t recommend client/server setup

❑ Sensitive data was analyzed in transit and at rest

❑ Still working with vendors on patches

❑ Screenshots are for illustration only
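The sharing finding above (client-server deployments moving taxpayer data over SMBv2 in cleartext, with vendors steering away from SMBv3) can be checked and corrected on the file server side. The following PowerShell is an added example, not code from the presentation or from any tax software vendor. It assumes a Windows Server 2012 R2 or later file server hosting the tax software’s data share, run from an elevated session; the share name TaxData is a placeholder.

```powershell
# Added example (not from the presentation). Audits and hardens SMB sharing on a
# Windows file server that hosts a tax software data share. Assumes Windows Server
# 2012 R2 or later (SMB 3.x available) and an elevated PowerShell session.
$ShareName = 'TaxData'   # placeholder: the share holding client returns

# 1. What the server currently offers. EncryptData here applies to every share;
#    RejectUnencryptedAccess decides whether non-encrypting clients are refused.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled             = $cfg.EnableSMB1Protocol
    SMB2Enabled             = $cfg.EnableSMB2Protocol
    EncryptAllShares        = $cfg.EncryptData
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
} | Format-List

# 2. Which dialect each connected client negotiated. Anything below 3.0.0 is
#    carrying taxpayer data unencrypted; SMB encryption needs SMB 3.0 or later.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect |
    Format-Table -AutoSize

# 3. Remediation: retire SMB1, require encryption on the sensitive share, and
#    refuse clients that cannot encrypt instead of letting them fall back to cleartext.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbShare -Name $ShareName -EncryptData $true -Force
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# 4. Verify the share now enforces encryption.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
```

Step 2 is the detection half: a session listing that shows a workstation on dialect 2.0.2 or 2.1 while opening the tax data share is the cleartext transfer the findings describe. Step 3 is where the vendor trade-off bites: with RejectUnencryptedAccess set, an SMB2-only client is refused rather than silently downgraded, so test the tax application against the hardened share before enforcing it in production, and treat a vendor request to keep SMBv3 off as a request to keep client data in cleartext on the LAN.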


UltraTax CS Vulnerability Research

CVE Search: “ultratax”

❑ cve.mitre.org: 0

❑ Exploit-DB: 0


ProSystem fx Vulnerability Research

CVE Search: “prosystem”

❑ cve.mitre.org: 1

o CVE-2014-9113

❑ Exploit-DB: 0


Intuit Lacerte Vulnerability Research

CVE Search: “lacerte”

❑ cve.mitre.org: 0

❑ Exploit-DB: 0


https://proconnect.intuit.com/tax/lacerte/eval/


Discussion with Vendors

❑ Somewhat difficult to reach security teams

❑ My tweets kept disappearing when tagging the vendors about vulnerabilities

❑ Some vendors have private BugCrowd or HackerOne programs

❑ Initial denial and not taking responsibility for cleartext transfer over SMBv2

❑ Software wasn’t meant to be client/server

❑ Tax professionals keep legacy software that cannot be patched (e.g. 2005 version)

❑ Encrypting would break integration with third-party software

❑ One vendor is patching their vulnerability tomorrow (Thank you!)

❑ Solution: recommend SMBv3 with encryption to CPAs
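The slide's remedy is to move tax-prep file shares from cleartext SMBv2 to SMBv3 with encryption. The following is an added example of how a CPA's IT staff could enforce that on a Windows file server; it is not code from the presentation or from any of the vendors discussed. It assumes an elevated PowerShell session on the file server (Windows Server 2012 / Windows 8 or later, where SMB 3.0 encryption is available) and a share named `TaxData`, which is a placeholder.

```powershell
# Added example (not from the presentation): require SMB 3.x encryption for the
# share holding tax-prep data files, then list any client still connected over
# an older dialect. $ShareName is an assumed placeholder for this illustration.
$ShareName = 'TaxData'

# 1. Require encryption for every share this host serves. With
#    RejectUnencryptedAccess, a client that can only negotiate SMB 1.x/2.x is
#    refused instead of silently falling back to cleartext.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 2. Turn the SMB1 server off entirely so nothing can negotiate down to it.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Mark the tax-data share itself as encrypt-required, so the requirement
#    survives even if the server-wide flag is later relaxed.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 4. Confirm the settings took effect.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData

# 5. Find sessions whose negotiated dialect is below 3.0. Each one is a machine
#    (or a legacy tax-software install, as the slide notes) that needs attention
#    before it loses access to the share.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect
```

Step 5 is worth running before step 1 in a real rollout: because `RejectUnencryptedAccess` cuts off every pre-3.0 client, the dialect report tells you in advance which workstations (or unpatched legacy installs) will break, which is exactly the conflict the vendors raised about integrations and old versions.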


NOW WHAT?


What Can I Do?

❑ Interview your CPA

o Do you encrypt backups?

o When’s your last pen test?

o What’s your IR policy?

❑ Make the public and your CPA aware

❑ Share the findings of this presentation

❑ Help test tax software and responsibly disclose findings

❑ Request your data be deleted by prior CPAs


What Can My CPA Do?

❑ Defense in depth

❑ Build a solid security program

❑ No wireless on production network

❑ Encrypt everything (including backups)

o At rest

o In transit

o In process

❑ Dedicated and isolated tax prep workstations

❑ Endpoint protection (e.g. EDR?)
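Three of the items on this slide (encryption at rest, no wireless on the production network, and no legacy SMB on the tax-prep workstation) can be checked mechanically. Below is an added, read-only audit script for one dedicated tax-prep workstation; it is not code from the presentation. It assumes an elevated PowerShell session on Windows 10/11 Pro or Enterprise, where the BitLocker cmdlets are available, and changes nothing on the machine.

```powershell
# Added example (not from the presentation): read-only audit of a dedicated
# tax-prep workstation against the checklist on this slide. Collects findings
# and prints PASS or one FAIL line per problem.
$findings = @()

# At rest: every operating-system and data volume should be fully encrypted
# with BitLocker protection switched on (not merely "encrypted but suspended").
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -in 'OperatingSystem', 'Data') {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Volume $($vol.MountPoint): BitLocker status $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        }
    }
}

# No wireless on the production network: any 802.11 adapter that is up on a
# tax-prep machine is a finding, even if it is not the adapter in use.
foreach ($nic in Get-NetAdapter -Physical | Where-Object PhysicalMediaType -eq 'Native 802.11') {
    if ($nic.Status -eq 'Up') {
        $findings += "Wireless adapter '$($nic.Name)' is up on a production tax-prep workstation"
    }
}

# In transit: SMB1 must be gone from both the server side of the stack and the
# optional-feature list, or an old peer can still talk cleartext to this host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMB1 server protocol is enabled'
}
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
}

# Report. A CPA's IT provider can run this on every tax-prep machine and keep
# the output as evidence for the security program the slide calls for.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: no findings'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

The script deliberately only reads state. Remediation (enabling BitLocker, disabling the adapter, removing SMB1) is a change-controlled action that belongs in the security program, not in an audit check.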


THANK YOU

Twitter: @TheMikeWylie

Email: [email protected]

LinkedIn: linkedin.com/in/mwylie
