Tax Day 2016: Auditing the IRS, E-file and Tax Software Websites

Posted by UpGuard

Auditing the IRS

Are you filing your taxes online this year? As e-filing and internet connected tax software becomes more and more standard, the security of the sites accepting your sensitive information becomes more and more important. You've probably heard about some of the various data breaches facing the tax industry, including one of the IRS in May of 2015, potentially exposing hundreds of thousands of tax records. UpGuard's external risk grader measures the security of a company's internet presence. We ran ten tax-related websites through to see how they stacked up and the results are interesting. Perhaps most interesting of all, IRS.gov received a rare perfect score of 950 out of 950. Tax software websites such as TaxSlayer fared well too. But as we'll see, the external information is just the tip of the iceberg.

 

Tax Website External CSTAR Scores

Website External Score as of 4/6/2016
IRS.gov 950
TurboTax 846
TaxAct 808
TaxSlayer 789
H&R Block 741
E-File.com 694
E-Smart Tax 646
Jackson Hewitt 456
TaxAudit 333
CommunityTax 266

Only three of the sites we scanned had scores under 600, which is good news for most people. Of the tax software sites, TurboTax led the pack with a strong 846, followed by TaxAct and TaxSlayer. However, three sites were sub-500, Jackson Hewitt, TaxAudit and CommunityTax, with the latter two having quite low scores. It is worth noting that Jackson Hewitt has a separate login page with a higher score of 789, but the lack of sitewide SSL reduces their overall resiliency. But before we go into detail on a few of these, let's take a look at the IRS' perfect score and what that means.

IRS.gov - 950 out of 950

IRS.gov External CSTAR Score as of 4/6/2016: 950The IRS scored a perfect 950 on their external security audit. They have SSL enabled and well-configured; they're using SPF and DMARC to protect their email. In short, they've hardened their systems to the internet. But how is it that the IRS can have such a good external security profile and still have so many issues with data breaches and vulnerabilities? If you look at the CSTAR wheel diagram above, you'll notice that there are three large gray sections labeled Security, Compliance and Integrity. These sections describe an organization's internal security configuration, and as the name implies, the external risk grader does not access these. With the IRS, many of the problems they face concern their internal configuration. With aging Windows systems becoming a big problem, the IRS must overhaul its internal infrastructure to improve its security.

There's no guarantee against data breaches, even you have a perfect external security configuration. That's why an organization's resiliency, as well as its risk, must be measured by a combination of their external and internal security profiles-- what comprises the complete CSTAR score. Another possibility is that the IRS reactively improved their security post-breach. This is a common circumstance, where an organization makes acute security changes in response to a damaging incident, both to prevent the same thing from happening again and to (try and) save face. But if an organization really wants to save face, it needs proactive visibility into its environment so it can address security concerns before they are exploited.

TurboTax.com - 846 out of 950
TurboTax.com External CSTAR score as of 4/6/2016: 846

Of the Tax software websites we looked at, TurboTax came in first with a good score of 846. They have a strong SSL and email configuration and are only lacking DNSSEC, HTTP Strict Transport Security and HttpOnly Cookies. Yet you might remember in early 2015 when TurboTax had to suspend their state returns amid data breach investigations. Much like the IRS, it's quite possible that the breach incident compelled TurboTax to improve their security measures, but a data breach may not have even been responsible for that slew of tax fraud. Given TurboTax's high profile and the potential damage another breach could do, chances are they are taking security seriously, late perhaps, but better than never.

 

Scan your site right now

E-File.com - 694 out of 950
E-file.com External CSTAR score as of 4/6/2016: 694

E-File.com is the authorized website for manually e-filing your tax returns. What's ironic about this site is that while IRS.gov sports a pristine 950, e-file.com, the website used to digitally transmit your personal information over the internet to the IRS, is not as secure. It rates average, with a score of 694, which is still decent, but could easily improve with a few inexpensive tweaks such as obscuring server information and enabling DMARC for email. Remember, the security of your data is the security of every point it passes through along the way, and some links in the chain will be stronger than others. Someone looking to compromise that data may not need to overcome a strong security configuration if they can exploit a third-party much more easily.

TaxAudit.com - 333 out of 950
TaxAudit.com External CSTAR Score as of 4/6/2016: 333

TaxAudit's biggest problem is the lack of sitewide SSL. In 2016, there's no reason not to have it, especially for websites with a ton of forms. It only takes one misconfigured redirect or form for an attacker to compromise the site, so an across the board SSL policy can help mitigate human error and its consequences. TaxAudit has a strong communications policy, with both SPF and DMARC set up for email. It would behoove them to follow suit on their website.

Time will tell whether the security measures these companies have in place will prevent more data breaches from occurring, but as we saw with the IRS, external configuration is not always enough. Plenty of other businesses (most of whom don't have the personal information of every citizen) can empathize with the IRS' problem of outdated Windows servers and desktops becoming vulnerabilities. Maintaining a consistent internal IT state can be difficult without visibility, but is absolutely crucial to ensure data is sufficiently protected. The external security profile offered by our webscan is a great initial assessment of an organization's resiliency and more often than not, it telegraphs the type of internal practices you should expect. But it's only the tip of the iceberg, one wedge of the complete CSTAR score. 

Free ebook: Continuous Security Monitoring

More Articles

How CSTAR Works

All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >

Topics: security, CSTAR, vulnerabilities, webscan

UpGuard Customers