Tax site leaves customer data exposed
Tax preparation site e1040 mistakenly switches off its encryption software, leaving customers' social security numbers and passwords exposed on the Web.
The Secure Socket Layer (SSL) software used by e1040 was turned off accidentally at about 2 p.m. Sunday as technicians made changes to the site's front door, spokesman Ben Humphreys said.
After hearing about the glitch from a CNET News.com reporter, the 3-year-old company shut down the site Monday morning as a precaution while it fixed the problem. The site was still down early Monday afternoon.
"We don't think that any damage was done," e1040 spokeswoman Kathy Travis said. "But at this point there's no way to be sure."
SSL is a standard for transmitting data using HTTP (hypertext transfer protocol) over the Web. By turning off the SSL, the information is sent in plain text and more easily read.
Customers using e1040 use their Social Security number as their ID and type in a unique password. Without the SSL, both the Social Security number and the password appear in the URL. With the SSL, it would be encoded to appear as a random series.
As more Americans than ever will trust filing their taxes via the Web this year, security remains a hot issue. Tax specialists such as H&R Block and Intuit have pledged to protect their customers' private information. But online tax preparation has hit some bumps. Technical glitches have caused sites to crash, or worse, expose customer information.
Last year, H&R Block's online tax filing service exposed some customers' financial records to other customers.
With 156 brick-and-mortar offices in 15 states, e1040, owned by New York-based Gilman & Ciocia, said it prepared more than 120,000 tax returns last year.