[IMGCAP(1)]Tax season is in full swing, which means tax preparers and their clients will be collaborating. For many, the tool of choice for sharing information electronically will be e-mail. It is quick, easy and everyone has it. However, when relying on e-mail to share personal information such as Social Security numbers, financial statements and 1098 forms, tax professionals and individuals alike are putting themselves at risk. Why? Because e-mail is not secure.
When you send an e-mail it travels over many different servers before the message reaches its intended recipient. At any point during this travel an e-mail message can be intercepted. There is an additional security issue for users of Google’s e-mail service, Gmail. As stated in Google’s user agreement, Google’s system scans the content of e-mails stored on its servers as well as those being sent and received by any Google e-mail account (i.e., Gmail). So what does this mean? It means all messages are being scanned.
Another problem with e-mail is the lack of control over what is sent. A user can’t “unsend” a message once they click send. Therefore, if a Form 8879 or other document containing personal information for one client is accidently sent to another client, there is nothing that can be done to pull the message back once you click send. With e-mail it is also impossible to control the forwarding of information or the possibility of something being printed.
For those who are aware of the security and control issues associated with e-mail, a common response is to use a free service like Dropbox or Google Docs with the assumption that these tools are more secure. Unfortunately, many of these services come with their own set of security and control problems and are often complex to use. Cloud-based file sharing and synchronization services like Dropbox, Google Drive and OneDrive are prone to a common flaw which leaves messages vulnerable to a "man-in-the-cloud” attack. This flaw (which will be discussed in greater detail below) allows attackers to access files on these systems without a user's password.
Key considerations for a secure solution
Significant advances have been made in file sharing technology and solutions do exist that are truly easy to use, affordable, and highly secure. However, with so many options, finding the right solution can be a difficult and confusing undertaking.
During tax season, time is a luxury. Rather than doing lengthy research to determine which secure file sharing solution makes the most sense, consider the following checklist:
1. Don’t compromise security for ease of use (and vice versa). Nearly every secure file transfer vendor claims to be easy to use (and secure), yet that is not always the case. There must be a balance between ease of use and security; there should be no compromising one to get the other. If a solution isn’t easy to use, no one will use it. Asking a tax professional or accountant and their clients to sit for 30 minutes or longer to learn how to use a system is not realistic.
One of the easiest ways to learn about a solution is YouTube. How-to videos exist which show people actually using secure file transfer solutions. Before getting started, look at the length of the video -- if it is 30 minutes long, that is a red flag and it’s time to move on.
2. Be wary of misleading claims (and bulk encryption). A common misleading claim is when a vendor states something is encrypted in transit and at rest. While this may be true, it doesn’t clarify whether the encryption is good or bad or if there is bulk encryption (which is not secure). The purpose of encryption is to ensure privacy by transforming data so it is unreadable for anyone other than the sender or recipient. Because bulk encryption assigns a single key to lots of data, if an attacker successfully uncovers the key for one message, all information/messages using the same key are available to the hacker. High-profile breaches likely involving bulk encryption are the Target and Home Depot attacks.
Individual item encryption, which assigns a unique key for each data object (document or message) is much more secure than bulk encryption. If an attacker successfully uncovers the key, it is for just one item, not hundreds, thousands or even millions of files.
Two-factor authentication is an additional highly recommended security measure when dealing with confidential financial information. Two-factor authentication requires the use of a password (first factor) and a second form of security (second factor) to verify a user is who they say they are. The most common method for second factor authentication is the use of a code that is sent either via text or e-mail to the person signing in. The recipient must enter the code to gain access to their account. When using two-factor authentication, if someone hacks a password but doesn’t have the code, they can’t access the information.
While most vendors will not promote that they are using bulk encryption, those who use individual encryption and two-factor authentication will ensure that it is well known. Therefore, you can learn a lot about a company simply by what they are saying -- or not saying. If they don’t tout it, chances are they aren’t doing it. Also, be wary of vendors who use buzzwords yet lack details. Again, “strong encryption” is a vague statement, as is “encrypted in transit and at rest.“
3. Be wary of file syncing. For version control, some secure file transfer companies will tout file syncing capabilities. While the intent is good, syncing is not always effective nor is it always safe. If a device is not connected to the Internet, files on the device will not sync. If it is connected to the Internet, files can only sync when there are open channels (this means to sync from one device to another, devices must be logged in at the same time). While these problems are relatively easy to solve, some vulnerabilities associated with file syncing are not.
One of the most well-known file syncing vulnerabilities is the “man-in-the-cloud” attack, which occurs when channels are open, thus allowing the file sharing and synchronization tool to constantly ping the device(s), desktop, laptop, etc. to make sure everything is in sync. While it is the constant open connection that allows files to sync, these same open connections can be hacked.
4. Avoid installing software. If a tax preparer or accountant has to install software to use the system, that means their clients will have to do the same. Many people are just not comfortable installing software on their computers, no matter how simple the installation; therefore, Web-based rather than application-based solutions are much more appealing to the masses. Web-based secure file transfer systems allows people to connect and share files from any device at any time over the Internet, regardless of what device they are on or their location.
5. It is time to take security seriously. Hackers are getting better and better, and the repercussions of an attack are getting worse. Having a secure system in place that encrypts information is no longer deemed a competitive advantage for accountants and tax pros; it is mandatory. If you aren’t taking your client’s data seriously, chances are they will look for someone else who will.
David Martin is vice president of VeriFyle, a messaging and document-sharing solution provider.