Drake Software blog for tax pros, covering tax, IRS news, and more

Protect Yourself from Wi-Fi Hacking

Protect Yourself from Wi-Fi Hacking

The introduction of Wireless Equivalent Privacy (WEP), in 1999, was supposed to be a solution to the growing issue of Wi-Fi security.  At the time, Wi-Fi was seen as an alternative to the relatively high cost of wired connections, and free Wi-Fi hotspots were springing up nationwide to serve academic and business environments.

Because WEP could easily be cracked, it was followed by Wi-Fi Protected Access (WAP) in 2003 and WEP was officially retired.  However, WAP used some of the code from WPA, and thus was perceived as vulnerable.  Since 2006, WAP has been superseded by WAP2 and its variants.

Wi-Fi, however, remains relatively easy to hack using simple tools available on the Internet.  And that makes it particularly of interest to tax preparers.   As we noted in 2014, two federal statues address the requirement to safeguard client data:

  • Title 26: Internal Revenue Code (IRC) § 301.7216.1 Imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses of information furnished to them in connection with the preparation of an income tax return. Internal Revenue Code (IRC) § 7216 is available here.
  • Internal Revenue Procedure 2005-60 requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLBA and the implementing rules and regulations promulgated by the FTC, as well as violations of the non-disclosure rules contained the Internal Revenue Code (IRC) § sections 6713 and 7216 are considered violations of Revenue Procedure 2005-60, and are subject to sanctions specified in the Revenue Procedure. Internal Revenue Procedure 2005-60 is available at irs.gov.

In spite of its inherent weaknesses, Wi-Fi continues to grow in popularity for two reasons – convenience, and the simplicity of logging on to the Internet.  Today, Wi-Fi connections are even available on commercial airlines, in camp grounds, and in bars.

There is literally a dozen or more identified threats, with some having multiple names.  The most critical security issues come from two problems – using public Wi-Fi, and running an unsecured network.

Using free public Wi-Fi poses two threats.  First, that the access point (or AP) for the free Wi-Fi has been compromised, thus making vulnerable anyone who uses it.  Second, the strong possibility of a “Man in the Middle” (MitM) attacks.  This is a case wherein a second AP is set up between you and the real one.  You believe you are logging into the real AP, when you are logging into a similar AP operated by a data thief.

Open networks are those with improper security settings.  Such as using the default user name and password for access to the AP, or not requiring strong user login authentications.  Mainly done for convenience of the users, this use of an unsecured and open network applies both a work and at home.

Both are relatively easy to fix with these ten solutions:

  • Stop using Wi-Fi altogether. This is easier said than done, but is made possible by improvements in networking over powerlines.  Simply plug the AP via Ethernet into any electrical outlet, and plug each computer into a similar Ethernet connection at their location.  This in relatively inexpensive (roughly $50 per connection) in locations where it is not possible to run Ethernet cables to each workstation.  It is less feasible at home, where family members often want to roam from one place or another, or outside the house, where cabling is not feasible.  For Ethernet at home, many home builders are placing Ethernet connections in every room when the house is built.
  • Separate work computers from play computers. A work computer should be a single-purpose machine so that the risk of penetration is reduced.  Shopping, gaming sites, adult sites and even social media should be banned from use on these computers because of their appeal for hackers and data thieves.
  • Stop using public Wi-Fi. Such hotspots are teeming with data thieves, who can easily hack into your computer from a hotel lobby, a nearby table and even on an airplane.
  • Invest in air cards. This is the slowest, and possibly the costliest, option.  However, since it is a cellular connection to the Internet encryption is provided for all data from one end of the connection to another.  Most cellular companies offer daily or monthly rate for their air cards.
  • Secure the Access Point. Use WPA2/AES level security settings, and make the passwords strong enough to thwart random guessing.  Change the default access user name and password to the AP.  On newer equipment, look for the “Wi-Fi Certified” designation, indicating that the equipment can utilize the most advanced security.  A list of the 25,000-plus products so designated can be found at the Wi-Fi Alliance web site.
  • Keep client data in the cloud. To the maximum extent possible, client data should be kept on a server in the cloud rather than on individual computers.  Most tax software companies offer inexpensive cloud storage and client data portals.
  • Use a virtual Private Network (VPN). A VPN offers a secure connection to another computer via a private “tunnel” to the destination computer, with the data invisible to hackers.  It does not, however, provide security for the data on the computer or the login to the Internet necessary to establish a VPN connection.  VPN also carries a cost.
  • Use secure web sites only. A web site whose address begins with “https://” rather than the more common “http://” indicates that the connection is secure and encrypted. Any cloud storage, client portal or connection to the home network that does not offer this secure connection should not be used for client information.
  • Encrypt the hard drives. Encryption of the hard drive is available as a free option on any operating system – in Windows 10, for example, the option is available via the control panel under “Bitlocker Drive Encryption.”  Similarly, Mac OS X includes encryption of the Home folder or other filed and folders through its disk utilities.
  • Use your cell phone as an Access Point. Virtually all smart phones enable the user to configure the phone as an AP, with secure connectivity.  The only chink in the security armor of these cellular Aps is between your computer and the cell phone, so remember to use strong encryption and passwords as you would on any other access point.  With the price of data via cell phone dropping lower, this should be an attractive option for those who absolutely must to client work on the road.

The greatest threats to security over a Wi-Fi connection occurs when convenience and the desire for a simple login have to compete with the need to protect client data.  Since the failure to safeguard this data is also perceived as a failure to follow the best practices required under federal law, however, data encryption, complicated logins and secure connections should be the first order of business.

 

admin taxing_subjects