how to prevent the bad guys from getting your tax refund

I read about a problem where the “bad guys” file your (US) federal tax return before you can and collect your refund. Luckily there is a way to protect yourself from this scenario. I did it this year. There are a few steps, but the peace of mind is worth it to me.

Step 1 – Fill out a form

If you live in Florida, Georgia or DC, you can skip this step and go on to step three. The rest of us have to fill out a form. The Identity Theft Affidavit form sounds like it is only for those who have actually had their identity stolen. However, there is another option on the form:

I have experienced an event involving my personal information that may at some future time affect my federal tax records.

Who hasn’t had some of their personal information stolen by now!

It’s not a hard form. In fact, the hardest part is that you need a photocopy of your passport, driver’s license or social security card, which means you have to find a photocopy machine.

Step 2 – Receive letter

Some time after filing the form, you get a letter saying your account has been marked with an identity theft indicator. It also gives you the option to opt into the IP PIN (Identity Protection Personal Identification Number) program. Make sure you want to: once you opt in, there is no way to opt out in the future.

The letter also includes a voucher to use if you have an inquiry or payment, to further tie your correspondence to your identity. I’ve never written to the IRS about anything, but I’m keeping it just in case.

Step 3 – Sign up for IP PIN

The IRS IP PIN site lets you sign up for a PIN. It’s like two factor authentication for submitting your return. I signed up as a first-time user and received a confirmation code (valid for 15 minutes) in my Gmail to validate that I control that email address. I then had to enter some basic information about myself: social security number, birthdate and my filing status from last year. None of this is hard for the “bad guys” to find out.

Then I had to choose three pieces of information so I can identify the IRS in the future:

  1. a unique phrase for emails to me
  2. a unique phrase when I log into the site
  3. a picture when I log into the site

This is good. It gives you something concrete to check: a genuine IRS email or login page will show your phrase or picture, and a spoofed one won’t (which only helps if you actually look for it). Then I had to pick four security questions for password recovery. They were the usual type of not terribly secure questions.

Next, I had to answer four questions to confirm my identity. Two had an answer of “n/a”, just like the annual credit report system. I don’t think these are overly difficult for the bad guys to get past, and neither does Krebs: knowledge-based questions like these are answerable from the same data the bad guys already have. In fact, the best way to protect yourself against this is to sign up so your identity already has an account and nobody else can sign up as you.

edit: the online IP PIN lookup is now disabled

Once you log in, the system shows you the date/time of your most recent log on (which is the current one in this case) and gives you a six-digit number to put on your tax return. This works whether you file on paper or electronically.

Handling two factor when on an international vacation

I got “Australian government tells citizens to turn off two-factor authentication” forwarded to me because of my two factor posts on this blog. The theory is that travelers will not have access to texts while abroad. I was surprised to see such a thing, but lo and behold, their Twitter account does in fact say that, including:

Going out of mobile range? Turn off myGov Security Codes so you can still sign in! Go to ‘settings’ in your account

and

If you turn off security codes, you’ll still need to securely sign in with secret questions & answers.

My gut reaction

This sounds like a horrible idea. While traveling, make your access LESS secure? I find it hard to believe their “secret” questions are actually secure. Most places use things that lots of people know, or that you have no way of remembering yourself.

How Australia could fix this without compromising security

Australia could update the myGov website. They could add support for any or all of the following:

  1. Email a secondary auth code for verification. If you have access to the website, you presumably have access to email. (This is the weakest of the four, since a mailbox is usually protected by nothing more than another password.)
  2. Google Authenticator support. The app computes each code from a shared secret and the current time, so it doesn’t even require internet access.
  3. Predefined codes. Google accounts give you a set of single-use backup codes generated in advance, to be used if the other methods fail.
  4. Support a temporary alternate number. This one is less convenient, but the site could provide a way to enter a secondary phone number to use during a pre-defined window. That way SMS could still be used.

All of these are still two factor solutions.
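Items 2 and 3 above are the ones a site can ship without any phone network at all. The following is an added example, not code from the original post or from myGov: it implements HOTP (RFC 4226) and TOTP (RFC 6238), the algorithm behind Google Authenticator, plus a batch of pre-generated single-use backup codes, using only the Python standard library. The secret is the RFC test-vector key (not a real one) and the backup-code “database” is an in-memory set constructed for the example.

```python
# Added example (not from the original post or myGov). Standard library only.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple

# RFC 4226 / RFC 6238 reference key, in the base32 form an authenticator app
# scans from a QR code. Test-vector value, not a real secret.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1. Only the shared
    secret and a counter go in, which is why the app needs no network access."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second
    steps since the Unix epoch, so phone and server agree without talking."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current step and `window` steps either side to
    absorb clock drift. Every candidate is checked with a constant-time compare
    so timing does not leak which digits matched."""
    t = int(time.time()) if at is None else at
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, t // step + delta, digits)
        ok |= hmac.compare_digest(expected, code)
    return ok


def generate_backup_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """Item 3: codes printed in advance. The user keeps the plaintext list; the
    server stores only SHA-256 digests, so a leaked table is not a leaked login."""
    codes = [secrets.token_hex(5) for _ in range(n)]          # 10 hex chars, 40 bits
    store = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, store


def redeem_backup_code(store: Set[str], code: str) -> bool:
    """Each code is accepted exactly once: a match is deleted from the store."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in store:
        store.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("TOTP at T=59:", totp(RFC_SECRET_B32, at=59, digits=8))
    print("TOTP now:    ", totp(RFC_SECRET_B32))
    codes, store = generate_backup_codes(3)
    print("backup codes:", codes)
    print("first use:", redeem_backup_code(store, codes[0]),
          "second use:", redeem_backup_code(store, codes[0]))
```

The `window` of one step either side is the usual compromise: it tolerates a phone clock that is a little off without accepting codes that are minutes old. Backup codes are deliberately stored hashed and deleted on use, so the printout in your wallet is the only copy that works, and only once.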

What users could do if a website doesn’t have an option other than SMS

This part isn’t specific to Australia. It applies to any site that uses only SMS for two factor.

  1. First, decide whether you will actually need the site while traveling. If not, problem solved.
  2. Check if the site remembers your device. If so, sign on from the phone you will carry while you still have access to your main phone/SIM, so you won’t be challenged for the second factor while traveling.
  3. If there are predefined codes, bring them with you.
  4. If you must turn off two factor, do so. But also do the following:
    1. Complain to the website so they know this is a problem.
    2. Leave a post-it note on your home computer reminding you to turn two factor back on.
    3. If the website shows “last login”, check that it was you.
    4. If the website emails you when you log in from a different device, watch for those.

two factor on amazon

I enabled two factor on many sites last year. Amazon is a bit late to the party, but they finally have two factor support. It took them a long time, but they did a good job with it.

Sign up was easy. You can choose an authenticator app (you connect it by scanning a code with your device), a mobile phone number for voice or text, or a landline with voice. You can set a second of these options as a backup. I like that there were choices.

You are also asked whether the current device is trusted, which is good because you don’t get prompted repeatedly from your main/home computer. Only mark devices you control that way: a trusted device skips the second factor entirely for as long as the site remembers it.
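Both the “remember this device” trick in the travel checklist and Amazon’s trusted-device prompt rest on the same mechanism. The following is an added example, not Amazon’s code or code from the original post, showing one way a site can implement it. The assumed design: after a login that passed the second factor, the server issues a cookie carrying the user, a random device id and an expiry, signed with an HMAC key only the server holds; a cookie that verifies and has not expired or been revoked lets the next login skip the second factor. The key, users and timestamps are constructed for the example.

```python
# Added example (not Amazon's code or the post's). Assumed design: an
# HMAC-signed "trusted device" cookie that lets a login skip the second factor.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import FrozenSet, Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed; keep the real one in a secret store


def issue_trusted_device(user: str, key: bytes = SERVER_KEY, ttl_days: int = 30,
                         now: Optional[int] = None) -> str:
    """Called once the second factor has been checked and the user ticked
    'trust this device'. Returns the cookie value: base64(payload).base64(hmac)."""
    now = int(time.time()) if now is None else now
    payload = {"user": user, "device": secrets.token_hex(8),
               "exp": now + ttl_days * 86400}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def trusted_device_id(cookie: str) -> Optional[str]:
    """Device id from a cookie (unverified; used to build a revocation list)."""
    try:
        body = cookie.split(".")[0]
        return json.loads(base64.urlsafe_b64decode(body))["device"]
    except (ValueError, KeyError, TypeError):
        return None


def device_is_trusted(cookie: str, user: str, key: bytes = SERVER_KEY,
                      now: Optional[int] = None,
                      revoked: FrozenSet[str] = frozenset()) -> bool:
    """Verify the signature first, then expiry, user binding and revocation.
    Any malformed input fails closed, i.e. the second factor is asked for."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            return False
        payload = json.loads(base64.urlsafe_b64decode(body))
        return (payload["user"] == user
                and payload["exp"] > now
                and payload["device"] not in revoked)
    except (ValueError, KeyError, TypeError):
        return False


def needs_second_factor(cookie: Optional[str], user: str, **kw) -> bool:
    """Login policy: skip the second factor only for a valid trusted-device cookie."""
    return cookie is None or not device_is_trusted(cookie, user, **kw)


if __name__ == "__main__":
    cookie = issue_trusted_device("alice")
    print("cookie:", cookie)
    print("second factor needed on this device?", needs_second_factor(cookie, "alice"))
    print("... for bob with alice's cookie?", needs_second_factor(cookie, "bob"))
```

Which is exactly why you should only trust devices you control: for as long as that cookie is valid, whoever holds the device logs in with the password alone. The random device id gives the server a handle to revoke one device without logging everyone out.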

I also took this opportunity to check twofactorauth.org to see whether any other sites I use have added support. I was disappointed by how many banks don’t support two factor. I tweeted at four of them with the link to the page. (I don’t have accounts at all four.)