Canadian Turbo Tax 2012 Privacy and Security issues

January 27, 2013

Turbo Tax 2012 Privacy and Security issues

This post reports on observations of interest to Canadian users of Turbo TaxTax Canada 2012 sold by Intuit. It is probably the most ‘popular’ product of this type. Its former name was Quicktax.

1) The executable TT2012.EXE lacks a digital signature
2) During the process of updating it connects to multiple sites asking for the use of cookies, active X, referrs.
3) ALL these sites are US based and are amazon based except the last referr which was Canadian
4) It tried to send my external ip address as private data element protected by my ID vault via an open connect on http. This was blocked.
5) The update I limited to qktaxpatch00.quicken.com via my 2 way FW
6) The update worked, so all the other connect attempts were not needed BY me as the user

More work will follow on this one.

Turbo Tax Update IP Addresses Report

Order
1
IP Address
206.108.42.232
Status
Succeed
Country
USA - California
Network Name
INTU-Q-A-NET
Owner Name
Intuit Inc.
From IP
206.108.40.0
To IP
206.108.47.255
Email
nadmin@intuit.com
Whois Source
ARIN
Host Name
Resolved Name
qktaxpatch00.quicken.com
Order
2
IP Address
205.251.253.221
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-05
Owner Name
Amazon.com, Inc.
From IP
205.251.192.0
To IP
205.251.255.255
Email
noc@amazon.com
Whois Source
ARIN
Host Name
Resolved Name
server-205-251-253-221.ind6.r.cloudfront.net
Order
3
IP Address
204.246.160.224
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-04
Owner Name
Amazon.com, Inc.
From IP
204.246.160.0
To IP
204.246.191.255
Email
noc@amazon.com
Whois Source
ARIN
Host Name
Resolved Name
s3-us-west-1.amazonaws.com
Order
4
IP Address
204.246.162.224
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-04
Owner Name
Amazon.com, Inc.
From IP
204.246.160.0
To IP
204.246.191.255
Email
noc@amazon.com
Whois Source
ARIN
Host Name
s3-us-west-1.amazonaws.com
Resolved Name
s3-us-west-1.amazonaws.com
Order
5
IP Address
204.246.160.241
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-04
Owner Name
Amazon.com, Inc.
From IP
204.246.160.0
To IP
204.246.191.255
Email
noc@amazon.com
Whois Source
ARIN
Host Name
Resolved Name
s3-us-west-1-w.amazonaws.com
Order
6
IP Address
204.246.162.225
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-04
Owner Name
Amazon.com, Inc.
From IP
204.246.160.0
To IP
204.246.191.255
Email
noc@amazon.com
Whois Source
ARIN
Host Name
s3-us-west-1-w.amazonaws.com
Resolved Name
s3-us-west-1-w.amazonaws.com
Order
7
IP Address
184.169.138.91
Status
Succeed
Country
USA - Washington
Network Name
AMAZON-EC2-USWEST-N-CALI-1
Owner Name
Amazon.com, Inc.
From IP
184.169.128.0
To IP
184.169.255.255
Email
aes-noc@amazon.com
Whois Source
ARIN
Host Name
Resolved Name
ec2-184-169-138-91.us-west-1.compute.amazonaws.com
Order
8
IP Address
66.46.108.237
Status
Succeed
Country
Canada
Network Name
ALLSTREAM-9
Owner Name
Allstream Corp.
From IP
66.46.0.0
To IP
66.46.255.255
Email
jose.alvarado@mtsallstream.com
Whois Source
ARIN
Host Name
Resolved Name
redirects.intuitcanada.com

 

Previous versions of TurboTax were noted for installing DRM software that in many cases rendered the PC unbootable.

There have been other cases of tax software writing to the boot track.

 

Well I've got it installed and I'm still booting.

I sent my complaint to the firm BUT have not received a reply. I doubt they will reply.

Why would a firm like this have no digital signatureÉ
What is in it for themÉ

PS I hope you were not caught up in the 48 inch water pipe flood in your city!

 

The updates at this time of year come as a result of government rules on tax.

These TurboTax calls patches. One came tonight it as well did NOT have a digital signature. Clearly this firm is sloppy on security.

 

So just use the online version... problem solved! Seriously, I'm glad to see some Turbo Tax application software discussion because I think the online version would be unusable from a security/privacy POV and there would seem to be various potential problem scenarios with the application software. For example, but not necessarily limited to:

- The early registration screen asking for personal info
- Updating
- Retrieving data from financial institutions
- Allowing it to compare your income to others
- Purchasing a state (separate forms here in the US which you purchase through the software, not sure if it applies up north)
- E-filing

I'm not sure how well protected you would be if you set it to prompt in your firewall, allowed only update checking/retrieval, purchased a state, but didn't use any other net based features. It might still phone home some information it shouldn't. The more people taking a look at it and sharing what they found, the better. So thank you.

 

You stated that you contacted the company. If you do not hear back from them I suggest you send a complaint with your information to the CRA. I assume they have met all the CRA filing credentials. According to the CRA there is a criteria that has to be met by these type of software packages (including the online versions) or the users tax return will not be accepted by the CRA. If they already meet the current standards, you can request that the CRA expand the credentials based on your findings. With new rules regarding Netfile in place, they may be more open to your findings. If you chose to go this route make sure you let the CRA know that you contacted the company as that gives weight to the issue.

 

You are welcome. I'm kind of stuck at the moment but I will add as much private data to my OP ID block list as possible (more work for me)

I suspect that this will not be effective since it is a https connect BUT if they attempt any open connects that may help.

What I will do on your idea is totally block it from www access while working on my return. Once I'm done, I'll connect update and disconnect create my netfile file data and then while I transmit to the government site block TurboTax again as it doesn't need to be involved with that.

 

Excellent suggestions! Thanks.

More work for me caused by a SW vendor.