Tech companies move fast and break things, but that’s not the right approach for consumer-facing financial companies. Their first concern should be not getting broken.
Tuesday, the FTC announced a settlement with TaxSlayer, a Georgia-based competitor to TurboTax and other tax preparation software. From October to December 2015, the tax preparation service was illegally accessed by cybercriminals. Attackers had full access to approximately 8,800 customers’ accounts. The company says that number amounts to less than one percent of its users, but for any one of those users, it’s the only account that matters.
“Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards to protect that information,” said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. “TaxSlayer didn’t have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft.”
Maybe so, but not much came of the FTC’s investigation.
Traditionally, when the FTC signs a consent agreement with a company, the company neither admits nor denies wrongdoing. By entering into a consent order, the FTC is agreeing not to take the company to court for its failure to protect its members.
After this story was first published, a TaxSlayer spokesperson provided a statement with additional details on the 2015 breach, correcting prior reporting, cited by the Observer, that attributed the breach to access through a contractor’s system:
Contractors do not have access to usernames or the company’s systems. The attack was a result of an actor running against a list of known username and password combinations obtained from an unknown source, unrelated to TaxSlayer.
Under an FTC rule written under the Gramm-Leach-Bliley Act, financial institutions are required to make sure that users’ data is secure both within their own systems and within any system to which the company allows access to that data. A company has to safeguard its customers’ information with any third party it shares that information with.
Further, in its complaint, the FTC “alleged that the company did not require consumers to choose strong passwords, exposing customers to the risk that attackers could guess commonly used passwords to access their TaxSlayer accounts,” according to the release.
So, for example, here’s how an attack might have taken place. Step one: get access to a third party’s servers just to obtain a giant list of the usernames of TaxSlayer account holders. Step two: write a computer program to test all the usernames in that dataset against commonly used passwords. Most accounts won’t fall, but with enough usernames an attacker will find some that do.
Even if TaxSlayer locked an attacker out after, for example, four failed password tries, he or she could probably still get into lots of accounts by trying only the four most common passwords against each username, staying under the limit on every single account.
We don’t know that that’s how it worked, but that’s one simple scenario for how an attack could work against a company that only requires a password of some kind. All it takes to stop this kind of attack is to require some form of two-factor authentication. TaxSlayer has since updated its security procedures, according to both the company and the FTC. A TaxSlayer spokesperson told the Observer in an email that it was subject to a “list validation attack.”
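The scenario above has a recognizable shape from the defender’s side: a per-account lockout never fires when a few guesses are spread across many usernames, so the signal to look for is one source failing against many accounts while staying under the lockout limit. The following is an added illustration, not TaxSlayer’s code or anything from the FTC record; the log format, the thresholds and the addresses are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 4     # assumed: an account locks after 4 failed tries
MIN_DISTINCT_USERS = 4    # assumed: accounts one source must hit to be flagged
WINDOW = timedelta(minutes=10)

# Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2015-11-03T02:14:00 203.0.113.7 alice FAIL
2015-11-03T02:14:01 203.0.113.7 alice FAIL
2015-11-03T02:14:01 203.0.113.7 bob FAIL
2015-11-03T02:14:02 203.0.113.7 bob FAIL
2015-11-03T02:14:02 203.0.113.7 carol FAIL
2015-11-03T02:14:03 203.0.113.7 carol FAIL
2015-11-03T02:14:03 203.0.113.7 dave FAIL
2015-11-03T02:14:04 203.0.113.7 dave OK
2015-11-03T02:20:00 198.51.100.4 grace FAIL
2015-11-03T02:20:05 198.51.100.4 grace FAIL
2015-11-03T02:20:09 198.51.100.4 grace FAIL
2015-11-03T02:21:00 192.0.2.9 heidi OK
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def detect_spray(log_text, window=WINDOW):
    """Per source IP, inspect the window after its first event and flag sources
    whose failures fan out across many accounts yet stay under the lockout."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()                      # tuples sort by timestamp first
        start = events[0][0]
        fails, logged_in = defaultdict(int), set()
        for ts, _, user, outcome in events:
            if ts - start > window:
                break
            if outcome == "FAIL":
                fails[user] += 1
            else:
                logged_in.add(user)
        if len(fails) >= MIN_DISTINCT_USERS and max(fails.values()) < LOCKOUT_THRESHOLD:
            # any account that logged in from a spraying source needs a reset / step-up
            alerts[ip] = {"accounts_hit": len(fails), "max_fails_per_account": max(fails.values()), "compromised": sorted(logged_in)}
    return alerts
```

Only 203.0.113.7 is flagged: two failures per account never trips a four-try lockout, whereas grace's three failures against a single account are ordinary user behaviour.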
Under the consent order, TaxSlayer is forbidden from violating the Gramm-Leach-Bliley Act’s Safeguards and Privacy rules for 20 years. If it does, it may be subject to fines of up to $40,654. It also has to go through a security audit every two years. Altogether, this feels a lot like saying that TaxSlayer has been ordered to follow the rules it should already have been following.
When asked for a comment on the consent order, a spokesperson sent a statement that didn’t actually comment on the consent order, writing that, upon discovery of the breach, “TaxSlayer reacted instantly and self-reported the attack to the IRS and took immediate remediation efforts that have become standardized in response to such attacks. As part of our ongoing efforts to provide customers with the highest quality software and technology, we implemented increased security procedures and stricter authentication measures.”
Here’s the problem with the FTC’s failure to take the company to court or even to require an admission of wrongdoing: security tends to be an afterthought when tech products are built. Developers and designers bolt security on at the end, not at the beginning. When a company launches a minimum viable product in the financial space without building in systems that force users to take account security seriously from the start, the result is vulnerability.
The last two years have been a bloodbath of breaches, but by going easy on TaxSlayer, the FTC sends the message that companies get one free pass on security, which furthers the incentive not to take security seriously.
UPDATE: A previous version of this story cited another publication’s reporting that attributed the breach to compromise of a contractor. August 30, 2017 9:45 PM.