YOUR TAX DATA IS BEING LEAKED
Michael Wylie
Copyright (C) Corporate Blue 2018. 1
About Me
❑ Co-Founder of Corporate Blue
❑ Cybersecurity Consultant
❑ DoD Contractor
❑ Teaching:
• US Department of Defense
• Cal State University Northridge
• Moorpark College
• Others
❑ Certifications: CISSP, CEH, CEI, Project+, Security+, Splunk User, CCNA R&S, CCNA CyberOps, CHPA, VCP-DCV, Dell Security, Pentest+
Sources:
https://www.reportlinker.com/p04442209/Tax-Preparation-Services-Global-Market-Briefing.html
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
http://src.bna.com/sfo
Outline
❑ Tax prep industry statistics
❑ Research & Case Studies: California CPA breaches
❑ Cybersecurity laws applicable to CPAs
❑ Common breakdowns in CPA’s security
❑ Analysis of tax prep software used
❑ Systemic issues found in testing software
❑ Working with vendor security teams
❑ What can you do?
Tax Industry
❑ The global tax prep market is $11 billion (2017)
❑ North America tax prep market is $4.6 billion (2017)
❑ 5 data breaches per week (IRS, 2017)
❑ 177 tax pros reported breaches from Jan-May 2017
❑ $5.8b paid in IRS refunds in 2013 (Diaz v. Intuit)
❑ IRS stopped $24.2b in fraudulent refunds in 2013
Sources:
https://www.reportlinker.com/p04442209/Tax-Preparation-Services-Global-Market-Briefing.html
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
http://src.bna.com/sfo
https://mccunewright.com/wp-content/uploads/2016/03/Diaz-v-Intuit-Complaint-Conformed.pdf
How Do Americans File Their Taxes?
Brick & Mortar Company (e.g. H&R Block) - 8.3%
Self calculation using IRS Forms - 8.5%
Do not file taxes - 9.2%
Prepared by friends or family - 10.9%
Digital tax prep tool (e.g. Turbo Tax) - 34.6%
Prepared and filed by accountant - 28.5%
Source: GOBankingRates.com survey, sample size 5,028, year 2016
Age Insights: How Do Americans File Their Taxes?
Table reconstructed from the chart's data labels (each age column sums to 100%):

Filing method                              18-24   25-34   35-44   45-54   55-64   65+
Digital tax prep tool (e.g. Turbo Tax)     25.4%   45.5%   40.5%   34.6%   27.6%   26.2%
Prepared and filed by accountant           16.3%   21.3%   29.0%   29.4%   34.9%   42.5%
Prepared by friends or family              19.7%   11.0%    9.7%    9.0%   10.8%    6.8%
Self calculation using IRS Forms           10.3%    7.3%    6.6%   10.3%    8.2%    9.1%
Brick & Mortar Company (e.g. H&R Block)     7.6%    8.3%    8.3%    9.7%    9.3%    5.8%
Do not file taxes                          20.7%    6.6%    5.9%    7.0%    9.2%    9.6%
Weekly Median Earnings                      $450    $494    $986    $971    $996    $993

Source: GOBankingRates.com survey, sample size 5,028, year 2016
IRS Warns of a New Wave of Attacks Focused on Tax Professionals
Thieves are able to access tax professionals’ computers and use remote technology to take control, accessing client data and completing and e-filing tax returns but directing refunds to criminals’ own accounts.
IR-2016-119, Sept. 2, 2016
Source: https://www.irs.gov/newsroom/irs-warns-of-a-new-wave-of-attacks-focused-on-tax-professionals (IR-2016-119, Sept. 2, 2016)
BAD ACTORS “TEND TO GO FOR THE LOWEST-HANGING FRUIT,”
WI-FI SECURITY IS THE MOST COMMON THREAT FOR SMALL BUSINESSES AND TAX PRACTITIONERS
Mark Kahler,
IRS Special Agent
Source: https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
CASE STUDIES
Research Methodology
❑ Each state has their own data breach reporting laws
❑ CA used for research
❑ Earliest CA breach records start in 2015
❑ Assumptions:
o Most states’ data breach laws cover electronic breaches only
o Not all breaches are reported
o CA doesn’t require reporting for < 500 records OR any encrypted breach
❑ Company Name Keyword Search:
o CPA & Tax
California CPA Type of Breach
Pie chart; slice values as extracted: 12%, 19%, 25%, 6%, 38%. Categories:
❑ Email compromised
❑ Malware
❑ Physical security
❑ Portal compromised
❑ Unauthorized remote access
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179
Search Terms: CPA & Tax
Date Ranges: 2015-2018
Categories were determined by Michael Wylie by reading each breach notice.
California CPA Attacker Goal
Pie chart; slice values as extracted: 25%, 19%, 56%. Categories:
❑ File fraudulent returns
❑ Theft
❑ Unknown
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179
Search Terms: CPA & Tax
Date Ranges: 2015-2018
Attacker goals were determined by Michael Wylie by reading each breach notice.
Case Study: Deloitte
❑ Date(s) of Breach: Late 2016?
❑ Reported Date: October 6, 2017
❑ Summary: confidential emails and plans of clients (350 clients + 4 US Gov’t Depts.) were compromised by remote attackers. Deloitte is not 100% sure what was taken. At first, it claimed “very few” clients were impacted. Other sources claim all administrator accounts and internal email systems were compromised.
❑ Deloitte discovered the breach in March 2017, but believes attackers may have had access since October or November of 2016
Sources:
https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government
https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
https://www2.deloitte.com/global/en/pages/about-deloitte/articles/deloitte-statement-cyber-incident.html
Case Study: Wheeler & Egger, CPAs, LLP
❑ Date(s) of Breach: 08/04/2016
❑ Reported Date: 09/11/2016
❑ Summary: a bad actor e-filed (45) 2015 returns that were on extension
❑ Data Accessed: Name, gender, date of birth, telephone number(s), address, Social Security number(s); EIN number(s); all employment (W-2) information, 1099 information; and more
❑ Category: malware
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-133179
Case Study: Jeffrey Born, CPA, Inc
❑ Date(s) of Breach: 12/31/2017
❑ Reported Date: 01/26/2018
❑ Summary: two password protected laptops were stolen
❑ Data Accessed: full name, birthdate, telephone number, address, Social Security number, all employment information, 1099 information, bank account numbers, income earned, insurance data, and more
❑ Category: physical security
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-63840
Case Study: Friedman & Perry, CPA's
❑ Date(s) of Breach: 06/15/2016-01/30/2017
❑ Reported Date: 03/08/2017
❑ Summary: bad actor from a foreign IP gained unauthorized access to systems via RDP between 06/15/16-01/30/17 and filed fraudulent 2016 tax returns
❑ Data Accessed: full name, birthdate, telephone number, address, Social Security number, all employment information, 1099 information, bank account numbers, income earned, insurance data, and more
❑ Category: unauthorized remote access
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-66802
Case Study: TaxSlayer
❑ Date(s) of Breach: 10/10/2015 – 12/21/2015
❑ Reported Date: 01/13/2016
❑ Summary: Unauthorized access to up to ~9,000 tax records due to weak security measures. FTC got involved due to the large number of breaches and weak security.
❑ Data Accessed: ~9,000 accounts accessed during a 2-month span. Usernames, passwords, and other online services were accessed, along with 2014 tax returns, Social Security numbers, names, and addresses.
❑ Category: unauthorized access
Sources:
https://oag.ca.gov/ecrime/databreach/reports/sb24-66802
https://www.bna.com/consumer-law-requires-n73014464239/?amp=true
https://oag.ca.gov/system/files/TaxSlayer%20CA_0.pdf?
TaxSlayer LLC became the first tax preparation service to face charges of violating the law, an FTC spokeswoman told Bloomberg BNA. Hackers gained full access to nearly 9,000 accounts during two months in 2015 as a result of weak cybersecurity measures, an FTC complaint said. The Georgia-based private company settled with the commission on Aug. 29 and now has to enlist a third party to review its GLB compliance every two years for the next decade.
Cyberthieves can mine tax documents for Social Security numbers and other personal information to claim fraudulent individual and business tax refunds. The Internal Revenue Service said, for example, that it stopped nearly $11 billion in confirmed fraudulent refunds in 2015.
TaxSlayer didn’t follow either rule. It failed to provide a “clear and conspicuous initial privacy notice” and to “deliver the initial privacy notice so that each customer could reasonably be expected to receive the actual notice,” the FTC complaint said. The complaint also said the company didn’t have a written information security program, failed to conduct the necessary risk assessment, and failed to implement the safeguards to control those risks—specifically, the risk that hackers would use the stolen credentials. As a result, hackers accessed nearly 9,000 users’ accounts to commit identity theft, such as filing fake returns with altered routing numbers.
Case Study: Intuit TurboTax
❑ Date(s) of Breach: 2010-2015
❑ Reported Date: 2015
❑ Summary: allegations in the court case: TurboTax gets a “tax preparation fee” of ~$50-$150 for each filed return. TurboTax had lax security protocols that enabled fraudulent returns: 2.5 million suspicious returns (e.g. allowed SSN re-use) in 2012. It knowingly kept lax security policies to boost revenue.
❑ Whistleblowers: Ex-Intuit employees Shane MacDougall & Robert Lee claim management knew about fraudulent returns.
❑ Intuit says: it’s the IRS’ job to catch fraudulent returns.
❑ Intuit was granted dismissal and closed-door arbitration for Case No. 5:15-CV-01778-EJD.
Sources:
https://www.courthousenews.com/wp-content/uploads/2017/10/TurboTax-MTD-ORDER.pdf (Case No. 5:15-CV-01778-EJD)
https://www.leagle.com/decision/infdco20180516c09
https://mccunewright.com/wp-content/uploads/2016/03/Diaz-v-Intuit-Complaint-Conformed.pdf
https://www.courthousenews.com/wp-content/uploads/2018/05/Turbo.pdf
https://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
LAWS
Federal Laws
❑ AICPA: “There are actually no uniform federal laws on business cybersecurity.”
❑ “The IRS recommends preparers create a security plan”
❑ Gramm-Leach-Bliley Act (GLB) 1999 – Safeguards Rule
o Designate one or more employees to coordinate InfoSec
o Identify and assess risks to PII
o Design, implement, monitor and test safeguards
❑ Financial Privacy Rule requiring notices to customers
❑ IRS Section 7216 – Unauthorized disclosures
❑ IRS Section 7216 – Penalties for unauthorized disclosures
Sources:
https://www.irs.gov/newsroom/tax-return-preparers-data-thefts-and-protecting-client-tax-information
https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act
http://blog.aicpa.org/2017/10/if-youre-hacked-whats-your-cybersecurity-liability.html#sthash.F81nLBcl.dpbs
IRS e-File Security and Privacy Standards
The IRS has mandated six (6) security, privacy and business standards to better serve taxpayers and protect their information collected, processed and stored by Online Providers of individual income tax returns. Compliance with these standards became mandatory January 1, 2010.
1. Extended Validation SSL Certificate
2. Weekly External Vulnerability Scan
3. Information Privacy & Safeguard Policies
4. Web Site Challenge-Response Test (e.g. CAPTCHA)
5. US Registered Domain Name
6. Report Security Incidents
Source: Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns
IRS: Safeguarding Taxpayer Data PDF
EMPLOYEE MANAGEMENT & TRAINING (checklist columns: Ongoing / Done / N/A)
The success of your information security plan depends largely on the employees who implement it. Consider these steps:
Check references or do background checks before hiring employees who will have access to customer information.
Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need to do their jobs.
Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper and lower case letters, and a combination of letters, numbers, and symbols). (IRS suggestion: passwords should be a minimum of eight characters).
Use password-activated screen savers to lock employees’ computers after a period of inactivity.
Source: Safeguarding Taxpayer Data PDF, Publication 4557 (Rev. 6-2018)
“…the threat remains, and we need the help of tax professionals to take basic steps to safeguard their systems and taxpayer data”
David Kautter, IRS Commissioner
Image Source: https://www.accountingtoday.com/news/irs-makes-summertime-push-for-tax-preparer-cybersecurity
U.S. State Data Breach Notification Statutes – Form of Data
[Map of state statutes by form of data covered; image from dwt.com]
Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf
U.S. State Data Breach Notification Statutes – Harm Threshold
[Map of state statutes by harm threshold; image from dwt.com]
Harm Threshold Defined: Notification not required if, after good faith and prompt investigation, the covered entity determines that the breach is not reasonably likely to cause substantial harm to residents. Determination must be documented in writing and maintained for at least five years.
Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf
Encryption Safe Harbor
Statute does not apply to covered info that is truncated, encrypted, secured, or modified by another method or technology that deidentifies resident, including encryption of the data, document, or device containing covered info, so long as the encryption key was not reasonably believed to have been acquired.
Source: https://www.dwt.com/files/Uploads/Documents/Publications/State%20Statutes/BreachNoticeSummaries.pdf
California State Laws
❑ CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
❑ California Breach Notice: California Civil Code s. 1798.29 and California Civ. Code s. 1798.82
Source: https://www.securitymagazine.com/articles/89201-a-seismic-shift-what-californias-new-privacy-law-means-for-cybersecurity
CALIFORNIA CPA BREACHES - The Problem -
Broken Records
❑ Improper security controls
❑ Lack of logging
❑ No encryption on taxpayer data or backups
❑ No clear understanding of what data was taken
❑ 1 year of identity protection for consumers
❑ Playing down the severity of what really happened
❑ From the breach reports it isn’t clear what was taken, who took it, or how
Common pitfalls were identified by reading breach notices from 2015-2018 in the California breach database with the keywords CPA and Tax.
Translating Real Data Breach Notices
❑ Statement: “A password protected laptop was stolen.”
❑ Truth: The laptop was not encrypted and your sensitive data can be accessed by the person who stole it.
❑ Statement: “We found unauthorized access to our secure network.”
❑ Truth: If it was secure, you wouldn’t be sending breach notices.
Translating Real Data Breach Notices
❑ Statement: “We immediately contacted our IT consultant and promptly hired an IT security expert.”
❑ Truth: Our IT consultant doesn’t understand security.
❑ Statement: “The attacker managed to hack into our computer system despite the use of firewalls and anti-virus software.”
❑ Truth: We checked the boxes, but didn’t properly implement security controls.
Translating Real Data Breach Notices
❑ Statement: “Back up hard drives were stolen, though they require proprietary software for files to be readable.”
❑ Truth: We didn’t encrypt our backups and they were not physically secured. Trials of major tax software can be downloaded for free.
❑ Statement: “We take aggressive steps to protect your information to ensure all records are securely locked.”
❑ Truth: The data was not securely locked, it was unencrypted and someone has your personal information.
TAX PREP SOFTWARE
CPA Tax Software Survey
❑ May 1, 2017 to May 24, 2017
❑ 3,544 responses from CPAs
❑ Respondent must have filed at least one 2016 tax return for a fee
❑ 1% of respondents wrote in “others”
❑ Source: Journal of Accountancy, August 2017 Issue
Source: https://www.journalofaccountancy.com/issues/2017/aug/2017-tax-software-survey.html
The survey was conducted from May 1 through May 24, 2017, and received 3,544 responses from CPAs who indicated that they prepared 2016 tax returns for a fee. The tables accompanying this article show answers for the seven most-used products of the 14 asked about in the survey (and 1% of respondents wrote in others).
Tax Software Used (Journal of Accountancy 2016 Survey)
Pie chart; slice values as extracted: 23%, 21%, 17%, 12%, 11%, 16%. Legend:
❑ UltraTax CS
❑ ProSystem fx
❑ Lacerte
❑ ProSeries
❑ Drake Tax
❑ Other
Source: Journal of Accountancy
Respondents: 3,851
Software          1 – 20 Preparers   21 – 100 Preparers   More than 100 Preparers
ATX                    6.5%                 0.4%                    2.9%
CCH Axcess Tax         3.0%                10.9%                   29.4%
Drake                 13.4%                 1.5%                    0.0%
Lacerte               20.6%                10.2%                    1.5%
ProSeries             14.1%                 0.0%                    0.0%
ProSystem fx          16.6%                58.9%                   64.7%
UltraTax CS           25.8%                18.2%                    1.5%
Percentage of respondents saying their firms are in that size category who used each software.
Journal of Accountancy 2017 Survey
Source: https://www.journalofaccountancy.com/issues/2017/aug/2017-tax-software-survey.html
TESTING TAX SOFTWARE
“The entire point is to ensure that any personal info in the source data is obfuscated such that it requires a concerted effort to remove the protection, but that the data is still usable for its intended purposes”
Troy Hunt, on Pwned Passwords
Source: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
Defining Vulnerability
MITRE:
❑ An "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
❑ A "vulnerability" is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.
❑ MITRE defines Improper Access Control as “The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.”
Findings
❑ More than one CPA setup observed is a client-server topology
❑ Sharing is over SMBv2
❑ Many software vendors don’t recommend SMBv3 due to performance
❑ Vendors claim they don’t recommend client/server setup
❑ Sensitive data was analyzed in transit and at rest
❑ Still working with vendors on patches
❑ Screenshots are for illustration only
UltraTax CS Vulnerability Research
CVE Search: “ultratax”
❑ cve.mitre.org: 0
❑ Exploit-DB: 0
ProSystem fx Vulnerability Research
CVE Search: “prosystem”
❑ cve.mitre.org: 1
o CVE-2014-9113
❑ Exploit-DB: 0
Intuit Lacerte Vulnerability Research
CVE Search: “lacerte”
❑ cve.mitre.org: 0
❑ Exploit-DB: 0
Source: https://proconnect.intuit.com/tax/lacerte/eval/
Discussion with Vendors
❑ Somewhat difficult to reach security teams
❑ My tweets kept disappearing when tagging the vendors about vulnerabilities
❑ Some vendors have private BugCrowd or HackerOne programs
❑ Initial denial and not taking responsibility for cleartext transfer over SMBv2
❑ Software wasn’t meant to be client/server
❑ Tax professionals keep legacy software that cannot be patched (e.g. 2005 version)
❑ Encrypting would break integration with third-party software
❑ One vendor is patching their vulnerability tomorrow (Thank you!)
❑ Solution: recommend SMBv3 with encryption to CPAs
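Putting that last recommendation (and the SMBv2 cleartext finding above) into practice on a Windows file server, as an added example that is not from the talk or from any vendor's guidance; it assumes a share named TaxData (a constructed name), Windows Server 2012 or later, and SMB 3.0-capable clients (Windows 8 / Server 2012 or later):

```powershell
# Added example: enforce SMB 3.x encryption on a Windows file server that
# hosts tax prep data, so client/server traffic is no longer cleartext SMBv2.
# Assumptions (not from the talk): share name 'TaxData', Windows Server 2012+,
# and all clients Windows 8 / Server 2012+ (SMB 3.0+). Run elevated on the server.

# 1. Baseline: record what the server currently allows and enforces.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol,
                  EncryptData, RejectUnencryptedAccess, RequireSecuritySignature

# 2. Turn off SMB1 entirely; it offers neither encryption nor usable signing.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Require encryption on the share holding client tax files. Encryption is
#    negotiated only with SMB 3.0+ clients; SMB 2.x hosts (older workstations or
#    unpatched legacy tax software installs) will be refused on this share.
Set-SmbShare -Name 'TaxData' -EncryptData $true -Force

# 4. Server-wide: encrypt every share, sign everything, and reject any session
#    that cannot encrypt. Leave RejectUnencryptedAccess at $false only while
#    migrating SMB 2.x clients, and treat that window as a cleartext exposure.
Set-SmbServerConfiguration -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -RequireSecuritySignature $true -Force

# 5. Verify on the server: every active session should report a 3.x dialect.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# 6. Verify from a workstation after mapping the share (run on the client):
#    Encrypted and Signed must both be True for the TaxData connection.
Get-SmbConnection |
    Where-Object ShareName -eq 'TaxData' |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Any client that disappears from Get-SmbSession after step 4 is a host still speaking SMB 2.x, which is exactly the legacy-software population the vendors described.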
NOW WHAT?
What Can I Do?
❑ Interview your CPA
o Do you encrypt backups?
o When’s your last pen test?
o What’s your IR policy?
❑ Make the public and your CPA aware
❑ Share the findings of this presentation
❑ Help test tax software and responsibly disclose findings
❑ Request your data be deleted by prior CPAs
What Can My CPA Do?
❑ Defense in-depth
❑ Build a solid security program
❑ No wireless on production network
❑ Encrypt everything (including backups)
o At rest
o In transit
o In process
❑ Dedicated and isolated tax prep workstations
❑ Endpoint protection (e.g. EDR?)
THANK YOU
Twitter: @TheMikeWylie
Email: [email protected]
LinkedIn: linkedin.com/in/mwylie