Mobile applications from the IRS, TaxAct, TaxSlayer and JacksonHewitt expose taxpayer data

SAN FRANCISCO - April 11, 2014 - PRLog -- With the April 15th deadline approaching taxpayers will be rushing to complete their taxes.  However not all tax applications are equally secure, a consideration that should be taken into account when choosing a product.  A review by Symosis Security of the leading mobile tax applications has revealed failing grades for iPhone products by the IRS, TaxAct, TaxSlayer, and JacksonHewitt.   The applications may appear secure, as users must login when launching the application or enter their data each time, however attaching the device to a computer and using freely available software a criminal can go back and access all of the sensitive data previously entered.   Data includes the users’ SSN, tax data, financial accounts, and the username and passwords in cleartext.   A user of these products may feel they are protected, as they must login or re-enter the data each time they launch the application, but once entered the data remains on the device even if they are not authenticated, and that data is easily accessible.

If your phone is lost or stolen a week, or a year from now, all of that data could easily be recovered.  This could leave thousands of users of those products exposed to identity theft using the tax data, or if a users shares those same credentials on other sites it could expose that data as well.  In some cases the issue was due to logging, other findings included screen captures of sensitive data, and image files of tax documents. Requests to contact the companies to remediate the problem were not successful.  Other applications from Intuit and HRBlock were not affected.

Related Link(s) -

Source:Symosis Security
Email:*** Email Verified
Tags:Mobile Tax Security, Mobile Password Compromise, Mobile Tax Vulnerabilities, Tax passwords exposed, Tax data exposed, Symosis Security Tax Applications
Industry:Mobile, Security
Location:San Francisco - California - United States
Account Email Address Verified     Account Phone Number Verified     Disclaimer     Report Abuse
Page Updated Last on: Apr 15, 2014

Like PRLog?
Click to Share