Doing my Taxes Online

March 13, 2010

This year I decided to do my taxes entirely online. I used H&R Block’s internet service for doing taxes and overall it worked very well. I don’t know how complex a tax operation their service can complete, but my taxes are still fairly simple as I don’t have many deductions and own very little. More frequent readers of my blog might be surprised to learn that I used such a service. After all, they have to store lots of personal information about me in order to complete the tax return!

It is true that I had to put a lot of personal information into this service, and I was quite nervous about that. Sure, they use SSL, but so what. If there’s one thing reading security news has taught me it is that a dedicated enough hacker can essentially get any information they desire. The sad reality I came to terms with is that as long as I am submitting electronically, I will already have to send important data over the internet.

Additionally, how handy the service is partially convinced me to take such a risk. It is true that they sell software which can be installed on my local computer and in theory, if I mailed in my return, I could keep all of my data roughly within my possession. In fact, I am still considering doing it that way, but I am not sure if that is really that much more secure. However, the ability to just open a web browser and pick up where I left off is not something to leave out of this equation.

At any rate, the damage is already done, so to speak, and overall I was happy with the process. I still feel a bit uncertain as to whether this will come back to bite me or not, but I suppose we’ll see. At the heart of the matter is the fact that organizations use one’s social security number in exactly the wrong way (credit card companies, banks, etc.). It’s true that it’s a great unique identifier for a database, but there are other and better ways to do things.


Paypal Password Problems

March 10, 2010

So, last week I was going to purchase a shiny new scanner from Newegg.com so that I might reduce the paper clutter that resides at my computer desk at home (more on that later). When I hit the “Finish” button to complete the transaction all seemed well and good until I got an e-mail from them saying that my credit card could not be charged. Long story short somehow someone had my credit card number and ran it into the ground buying — wait for it — Facebook games (funny, I know). Anyway, I got my new card, and I also thought that this was a good time to change all my passwords.

Most of my password changing went without a hitch. However, Paypal had an interesting process. To change my password I had to provide the number of the credit card I had linked to my account. Well, one problem here: I had cut up and discarded my old credit card because it was no longer active. Not one to let that stop me, I took the next reasonable action: I unlinked the credit card from my account. Honestly, I was happy to do that anyway because I hate linking credit cards to online accounts. Paypal tried to make it hard for me to not have a credit card linked, but I was able to click past everything.

This is the best part, though. When I went to change my password I was allowed to do it without providing any additional security information. Frankly, I think using a credit card number as a security measure is a terrible idea to begin with, so I don’t care that, once I log into my account, changing the password is easy. What I think is funny here is that they put in place a security measure that is trivial to circumvent. In other words, not a real security measure.

On the matter of storing credit cards in a database, I think that is also a big problem. If you don’t store the credit card — guess what — even if someone breaks in, it can’t be stolen! I think these companies should use more discretion when storing credit card numbers. I agree that sometimes numbers have to be stored for things like online monthly subscriptions, but short of that, why bother! I think online retailers shouldn’t even offer it as an option and make the customers aware that it is actually for their benefit. At the very least, don’t default to storing the card, make the user actively seek after that.

Anyway, that is my little tale about password changing, which is a practice I encourage everyone to do at least yearly. Also, I encourage different levels of password security. For instance, I have one password I use for online retailer accounts (which I avoid creating if I can), one for e-mail, one for the blog, one for work, one for root access, etc. This way, if there is a breach, I don’t have to change all my passwords, just the ones within the security level that was broken.


Pidgin’s Plaintext Passwords

August 11, 2008

This has actually bothered me for quite some time now (even back when Pidgin was called GAIM). That is the simple fact that when you want to have Pidgin save your login password, it is saved in an easy-to-access location and in an unencrypted fashion. Here is the excerpt from my ~/.purple/accounts.xml file:

<account>
    <protocol>prpl-aim</protocol>
    <name>fake_account</name>
    <password>secret_password</password>
</account>

So I ask you, is this a good idea? Well I sure don’t think so. Yeah, you could argue that under the perfect scenario a person wouldn’t be able to view that file without the login information for the computer. However, how many times have you walked away from the computer and forgotten to lock the screen? It still happens to me from time to time, and I’m willing to bet it could happen to anyone. So, in less than a minute someone could have easily found that password in the config file.
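The following is an added audit script, not part of the original post or of Pidgin/libpurple. It parses an accounts.xml in the structure shown above and reports which accounts have a password element stored in the clear, without ever printing the password itself; the sample document and the assumption that entries are nested under a wrapper element are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the excerpt above; the wrapper element
# and the second (password-less) account are assumptions for this example.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<account version='1.0'>
    <account>
        <protocol>prpl-aim</protocol>
        <name>fake_account</name>
        <password>secret_password</password>
    </account>
    <account>
        <protocol>prpl-jabber</protocol>
        <name>other_account@example.com</name>
    </account>
</account>
"""


def find_plaintext_passwords(xml_text):
    """Return (protocol, name, password_stored) for each account entry.

    The password value itself is deliberately never returned or logged.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.iter("account"):
        name = acct.findtext("name")
        if name is None:  # skip the wrapper element, which has no <name>
            continue
        protocol = acct.findtext("protocol", default="unknown")
        pw = acct.findtext("password")
        findings.append((protocol, name, bool(pw)))
    return findings


def audit_file(path=Path.home() / ".purple" / "accounts.xml"):
    """Audit a real accounts.xml; also flag if the file is group/world readable."""
    path = Path(path)
    if not path.exists():
        return [], False
    world_readable = bool(os.stat(path).st_mode & 0o044)
    return find_plaintext_passwords(path.read_text(encoding="utf-8")), world_readable


def report(findings):
    """Render findings as one line per account, never exposing the secret."""
    return [f"{proto} {name}: " + ("PLAINTEXT PASSWORD STORED" if stored else "no stored password")
            for proto, name, stored in findings]
```

Running `report(find_plaintext_passwords(SAMPLE_ACCOUNTS_XML))` flags the AIM account and clears the Jabber one; `audit_file()` does the same for your own file and additionally tells you whether its permissions let other local users read it.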

The moral of the story here is that perhaps you shouldn’t have Pidgin save your passwords, at least until they implement some level of encryption. Don’t get me wrong though, I love Pidgin, and it is a great IM client 🙂.