Canadian Turbo Tax 2012 Privacy and Security issues

Discussion in 'privacy problems' started by Escalader, Jan 27, 2013.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    January 27, 2013

    Turbo Tax 2012 Privacy and Security issues

    This post reports on observations of interest to Canadian users of Turbo TaxTax Canada 2012 sold by Intuit. It is probably the most ‘popular’ product of this type. Its former name was Quicktax.

    1) The executable TT2012.EXE lacks a digital signature
    2) During the process of updating it connects to multiple sites asking for the use of cookies, active X, referrs.
    3) ALL these sites are US based and are amazon based except the last referr which was Canadian
    4) It tried to send my external ip address as private data element protected by my ID vault via an open connect on http. This was blocked.
    5) The update I limited to qktaxpatch00.quicken.com via my 2 way FW
    6) The update worked, so all the other connect attempts were not needed BY me as the user

    More work will follow on this one.

    Turbo Tax Update IP Addresses Report

    Order
    1
    IP Address
    206.108.42.232
    Status
    Succeed
    Country
    USA - California
    Network Name
    INTU-Q-A-NET
    Owner Name
    Intuit Inc.
    From IP
    206.108.40.0
    To IP
    206.108.47.255
    Email
    nadmin@intuit.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    qktaxpatch00.quicken.com
    Order
    2
    IP Address
    205.251.253.221
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-05
    Owner Name
    Amazon.com, Inc.
    From IP
    205.251.192.0
    To IP
    205.251.255.255
    Email
    noc@amazon.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    server-205-251-253-221.ind6.r.cloudfront.net
    Order
    3
    IP Address
    204.246.160.224
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-04
    Owner Name
    Amazon.com, Inc.
    From IP
    204.246.160.0
    To IP
    204.246.191.255
    Email
    noc@amazon.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    s3-us-west-1.amazonaws.com
    Order
    4
    IP Address
    204.246.162.224
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-04
    Owner Name
    Amazon.com, Inc.
    From IP
    204.246.160.0
    To IP
    204.246.191.255
    Email
    noc@amazon.com
    Whois Source
    ARIN
    Host Name
    s3-us-west-1.amazonaws.com
    Resolved Name
    s3-us-west-1.amazonaws.com
    Order
    5
    IP Address
    204.246.160.241
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-04
    Owner Name
    Amazon.com, Inc.
    From IP
    204.246.160.0
    To IP
    204.246.191.255
    Email
    noc@amazon.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    s3-us-west-1-w.amazonaws.com
    Order
    6
    IP Address
    204.246.162.225
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-04
    Owner Name
    Amazon.com, Inc.
    From IP
    204.246.160.0
    To IP
    204.246.191.255
    Email
    noc@amazon.com
    Whois Source
    ARIN
    Host Name
    s3-us-west-1-w.amazonaws.com
    Resolved Name
    s3-us-west-1-w.amazonaws.com
    Order
    7
    IP Address
    184.169.138.91
    Status
    Succeed
    Country
    USA - Washington
    Network Name
    AMAZON-EC2-USWEST-N-CALI-1
    Owner Name
    Amazon.com, Inc.
    From IP
    184.169.128.0
    To IP
    184.169.255.255
    Email
    aes-noc@amazon.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    ec2-184-169-138-91.us-west-1.compute.amazonaws.com
    Order
    8
    IP Address
    66.46.108.237
    Status
    Succeed
    Country
    Canada
    Network Name
    ALLSTREAM-9
    Owner Name
    Allstream Corp.
    From IP
    66.46.0.0
    To IP
    66.46.255.255
    Email
    jose.alvarado@mtsallstream.com
    Whois Source
    ARIN
    Host Name
    Resolved Name
    redirects.intuitcanada.com
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Previous versions of TurboTax were noted for installing DRM software that in many cases rendered the PC unbootable.

    There have been other cases of tax software writing to the boot track.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Well I've got it installed and I'm still booting.

    I sent my complaint to the firm BUT have not received a reply. I doubt they will reply.

    Why would a firm like this have no digital signatureÉ
    What is in it for themÉ

    PS I hope you were not caught up in the 48 inch water pipe flood in your city!
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    The updates at this time of year come as a result of government rules on tax.

    These TurboTax calls patches. One came tonight it as well did NOT have a digital signature. Clearly this firm is sloppy on security. :mad:
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    So just use the online version... problem solved! Seriously, I'm glad to see some Turbo Tax application software discussion because I think the online version would be unusable from a security/privacy POV and there would seem to be various potential problem scenarios with the application software. For example, but not necessarily limited to:

    - The early registration screen asking for personal info
    - Updating
    - Retrieving data from financial institutions
    - Allowing it to compare your income to others
    - Purchasing a state (separate forms here in the US which you purchase through the software, not sure if it applies up north)
    - E-filing

    I'm not sure how well protected you would be if you set it to prompt in your firewall, allowed only update checking/retrieval, purchased a state, but didn't use any other net based features. It might still phone home some information it shouldn't. The more people taking a look at it and sharing what they found, the better. So thank you.
     
  6. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    884
    Location:
    Triassic
    You stated that you contacted the company. If you do not hear back from them I suggest you send a complaint with your information to the CRA. I assume they have met all the CRA filing credentials. According to the CRA there is a criteria that has to be met by these type of software packages (including the online versions) or the users tax return will not be accepted by the CRA. If they already meet the current standards, you can request that the CRA expand the credentials based on your findings. With new rules regarding Netfile in place, they may be more open to your findings. If you chose to go this route make sure you let the CRA know that you contacted the company as that gives weight to the issue.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You are welcome. I'm kind of stuck at the moment but I will add as much private data to my OP ID block list as possible (more work for me):mad:

    I suspect that this will not be effective since it is a https connect BUT if they attempt any open connects that may help.:doubt:

    What I will do on your idea is totally block it from www access while working on my return. Once I'm done, I'll connect update and disconnect create my netfile file data and then while I transmit to the government site block TurboTax again as it doesn't need to be involved with that. :blink:
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Excellent suggestions! Thanks.

    More work for me caused by a SW vendor.
     
Loading...
Thread Status:
Not open for further replies.