
A tangential issue: It seems almost impossible to me that the systems of tax preparation services, whether cloud-based, local software, or offline, are secure.

The standard of security is, make the target more expensive to breach than it's worth to the attacker. How much would it be worth to have access to the tax returns of large swaths of the population?

I don't know the answer, but I'm guessing it's easily worth billions of dollars. Foreign intelligence services would very much like that information, as well as sophisticated criminals.

I am very doubtful that Intuit or H&R Block, for example, invest in security sufficient to protect themselves against that level of attack.



> I am very doubtful that Intuit or H&R Block, for example, invest in security sufficient to protect themselves against that level of attack.

I can't speak to H&R Block, but I used to work for Intuit and I can attest that they took security very seriously. We were often subject to extreme security precautions despite the fact that the application I worked on didn't have any PII and the entire purpose of it was to make the information in our database available to the public and search engines. The rationale for forcing us to comply with the corporate security policies was that any breach of any Intuit service would be damaging to the Quickbooks and TurboTax brands. One of the reasons I left was because of the frustration with security compliance. The organization is incredibly slow moving on everything because the people in charge of security basically have carte blanche to shut down or delay projects until they've been properly screened. Intuit also doesn't cheap out on hosting either. I heard an internal rumor that they were spending $40m/yr serving TurboTax, and that didn't count the construction of the two dedicated data centers that they had built in previous years.

Whether their security is good enough to defend against a state-level adversary is hard to say, but my personal guess is that if you wanted to get at tax returns, it'd be easier for attackers to target the IRS directly, both because it'd probably be easier and you'd get access to the returns of 100% of Americans rather than just the percentage of Americans who use TurboTax Online. Keep in mind that most high-net-worth individuals don't use these online tools and, instead, have accountants and lawyers who prepare their returns.

Where Intuit has been vulnerable in the past has been in accepting fraudulent returns. For a while, you didn't need much more than an SSN and a few pieces of personal information to file a tax return, so identity thieves would file returns that had the highest possible refund and make off with that money. But that's not really a breach and I know they worked with the government in addressing that problem and I haven't heard much about it since.


Why would anyone build a data center to host tax software?

This is almost the canonical / textbook example of when you would opt to host on a cloud provider.


The above mentioned security. The workload, which has two spikes in January and April, moderate traffic in between and is basically non-existent April through December is pretty much the poster child for cloud since you could spin down capacity in the 8 months where you don't see much traffic. This is why Intuit has publicly stated that they want to go all in on AWS. But, at least when I was there, the internal security teams were making it very difficult to get cloud deployments approved. I know they were working closely with Amazon engineers to fix/design solutions to the gating security concerns, but I have no idea how far they've gotten.

But when you look at the money involved, you can see why Intuit is moving so slowly and is willing to continue to spend on its own data center. $40m/yr may sound like a lot of money, but when your product pulls in $3b/yr, it's a rounding error. And the data centers aren't dedicated to TurboTax...Quickbooks and a few other products run there too. And I have to say that, for certain services, I think you get a lot of peace of mind from not sharing and having your own data center. Take, for example, Intuit's service for scraping data from financial institutions (FICDS). It powers Mint, Quickbooks and TurboTax and is required to store login credentials for people's banks, retirement accounts, brokerage accounts and such. Needless to say, the security of such a service is paramount and there's no way that I'd ever entrust my banking credentials to any service hosted in the cloud. You just can't get the same level of security you can get when you've got physical control over your hosting.


Doesn't AWS offer HIPAA-compliant servers? If I can trust a service with my medical records I don't see why they can't store banking data.

A lot of financial institutions use the cloud already: http://fortune.com/2016/02/25/yes-banks-do-use-aws/


I am a developer of accounting software and this is exactly the problem I faced when developing the cloud-based version of my accounting software.

My solution was to keep all financial data on the server encrypted. The server is unable to decrypt any financial data because the crypto key is either (a) derived from the user's password; or (b) located on an offline device to allow customer support staff to reset passwords.

This means that even an attacker who gains root access to our online servers would be unable to access users' financial data. (In fact, the cloud version is probably more secure than our old desktop-only version because it encrypts all financial data when cached on the end-user's hard drive.)

I'm actually considering adding a full end-to-end encryption option, but it would mean that users who enabled this feature would lose their data if they forgot their password. So I suspect that few users would want to enable end-to-end encryption in their accounting software. What do HN users think? Is there a market for 'cloud accounting software with end-to-end encryption'?


I wouldn't use it without end-to-end encryption, and I probably wouldn't trust your implementation of encryption (no offense, but probably you can't be a wizard at both financial software and encryption software) unless you used some proven third-party solution. And even then ... I would just keep the data local and encrypted. Why do I need to put it in the cloud?

However, I'm a tiny market of 1, and I and the HN crowd are not representative. While I'd love it if you designed your solution specifically for me, it probably wouldn't be good for your revenues (for good software, I'll pay $100/yr!).

People put their financial information online all the time, using QuickBooks, tax software, Mint, etc. Most have no idea what end-to-end encryption means, but if you tell them it's more secure I imagine they will like that. As an 'influencer', I might be more likely to recommend it (with the caveats in the first paragraph).

Is there some liability involved? What if there is a breach and their data is stolen? What if you tell them it's encrypted, there's an exploit, and your claim on which they depended turns out to be false?


Thanks for your feedback. I guess the benefits of putting your financial data in the cloud are the same as for any online system: Access your data from any computer, automatic backups, and easily share your data with other people (especially your accountant or co-workers).

The problem is more about marketing - every online system claims to have strong security, and users have no way to test those claims. Users regularly hear reports of data breaches, so they become cynical about security and do not trust any online system.

Curiously, the efforts by the EU to ban end-to-end encryption [0] may lead to an easier marketing pitch in the US: "Security So Strong It's Banned In Europe!"

You make a good point about liability. Any data breach has a big impact on the reputation of an online system, but particularly so with a company that claims to be stronger than the rest. There may also be extra litigation in such cases.

[0] https://techcrunch.com/2016/08/24/encryption-under-fire-in-e...


> I guess the benefits of putting your financial data in the cloud are the same as for any online system: Access your data from any computer, automatic backups, and easily share your data with other people (especially your accountant or co-workers).

I definitely could see that applying to business accounting, but not to my personal finances. I don't need to look at the latter very often, and very rarely do I need to share it with someone who can't look at my laptop.


The answer, of course, is "it's not that secure". Now, Turbo Tax and H&R Block aren't being hacked, but breaking into their systems isn't the easy way. And like you said, attackers want to take the easy way. The easy way is to get just enough info from your targets as it takes to extract money from them. And in the past few years, e-filing fraud has skyrocketed. The mantra is "file your taxes before someone else does", because the number of people who are submitting their tax form only to find out it's already been submitted is greater than ever before.

It's really, really hard to attack Intuit. It's much easier to submit fraudulent tax forms and pocket the returns before anyone notices.


> The mantra is "file your taxes before someone else does", because the number of people who are submitting their tax form only to find out it's already been submitted is greater than ever before.

The IRS is liable for losses due to fraud, so why would I care about fraud? It's up to the IRS to secure their systems.


Perhaps because it is a long and painful process to prove it and then get your money.


This is absolutely the case. My parents' personal data was dumped when one of the major health providers got hacked a few years ago, and somebody started submitting junk returns with their info. Each season it takes them easily 20+ hours on the phone, and usually the IRS won't believe their identity over the phone (understandable enough) so they need to show up in person at the nearest IRS office (which isn't very near, and requires an appointment - another 3-4hrs on hold to schedule, and they never take you on time when you get there). It's a nightmare, and if you choose not to resolve it, you're just setting yourself up to get audited.


> The IRS is liable for losses due to fraud, so why would I care about fraud?

Because, ultimately, you and I wind up paying for it.


You have to prove they're liable first. It's unlikely they'd admit it, and even more unlikely that you'd get a prosecutor to take your case.


Actually, it is incredibly likely that they'll admit it, and that you won't have to go to court over it.

That's not to say that it won't be a huge pain in the neck.


> Turbo Tax and H&R Block aren't being hacked

What is that based on?

> It's really, really hard to attack Intuit. It's much easier to submit fraudulent tax forms and pocket the returns before anyone notices

What makes you say that it's so hard? Also, the return on breaking into Intuit is millions of tax returns. Finally, attackers may not be after the refunds on a few returns, and more interested in a massive intelligence and identity theft haul.


That's based on my years of experience in the information security industry. Trust me, if Intuit and H&R Block were being breached, I would know about it. And more than likely, so would you.

But your comment about identity theft, that's part of the "file it before someone else does" aspect. Not necessarily that Intuit is getting broken into, but the rampant identity theft that seems to be common and even acceptable in today's day and age is making it a lot easier to file someone else's taxes for them and then make off with the money. And hackers will always go for the easiest target.


I hope someone files my taxes first, because my tax return always ends up as owing the government tens of thousands of dollars...


In Sweden, as government documents, tax returns are public information. Every year after tax season the tabloids print long lists of "The richest people in YOUR neighborhood! Is your neighbor on there?". You can look up anyone you want.


That's amazing. And here in the States, there is not even a legal way for us to see our President's return.


The local software doesn't really carry the same security concern.

With cloud-based or in-person tax preparation, there's a risk that a single breach could compromise many, many tax returns. With offline software you have no such exposure, it's not like it's exposing open ports to the internet.

At least in Canada there's a whole slew of free tax preparation software available, offline desktop and cloud-based. The government even lists the various free and paid options: http://www.cra-arc.gc.ca/esrvc-srvce/tx/ndvdls/netfile-impot...


> With offline software you have no such exposure

Generally I agree that it's a higher cost and therefore less valuable target, but there are ways to mass deploy some exploits. For example, you could use a browser exploit to obtain access, and then use that to mass deploy an exploit on tax return software.


Browser exploit? What? On software that runs completely locally - without a browser, then only connects over SSL to a single government-run server? How exactly do you propose that would work?

Do you mean to suggest that malware entirely unrelated to the tax software has an impact on its security? I mean... you'd have the whole host machine compromised - no need to "exploit" the tax software at all, you can get that and a lot more than just taxes off there - but it's still hard to do in true bulk. Much worse than a simple database dump, and it would only affect people who browsed to your site during the time of the exploit. Much more limited than anyone who used a given service.

Additionally, full browser exploits these days are very rare and extremely valuable though. I doubt you'd see one wasted on such a purpose - at least, one that still works if you keep reasonably up to date.


But the Federal Government, now that's a secure bunch there.

/sarcasm



