irc162 wrote: So now CAF numbers have (apparently) been compromised. It seems to me this is important information that the IRS should share with practitioners. As more and more practitioner data is out there, the more vulnerable we are. And that makes our clients more vulnerable too.
I am feeling less and less confident about the IRS's ability to keep identifying data secure. This extends to E Services. Yes, there are new authentication procedures. But there is also a new phone app that practitioners can use to authenticate their identity. Just how secure is that app? It seems to me that could be a weak link. Think how often phones are stolen or lost.
I have not updated my E Services account (I rarely if ever need to get a transcript for a client). I am seriously thinking of sitting this one out.
irc162 wrote: With my CAF number, data available publicly about me and my firm (like my EIN, address etc.), it gets a lot easier to create a fake POA in my name, perhaps using client data from one of the many data breaches. And then if the bad guys had access to my E Services account (which they could use to file the POA), a lot of damage could be done.
SumwunLost wrote: They are going to be asking us about information contained on our own tax returns. Isn't that the same information used to validate an e-services session? Why is that a good security measure? Why is it not an atrociously bad one?
makbo wrote: The banks don't ask for passwords. Good passwords are known only to the user, they are encrypted at the other end, so even if you told them your password, they couldn't validate it short of logging in under your name. PINs are another matter, they are essentially very weak passwords and often are not encrypted, but they still can operate as a shared secret (since you need the physical card in addition to the PIN to actually withdraw money). Since I called them, at a known good customer service number, I probably would share the PIN if I really needed to continue with the call. The PIN without my card is not very useful to anyone, and certainly not to the bank employee.
"It seems to me that the IRS is asking us to give their employees information that could be used to impersonate a tax professional via e-services. Why does that make sense?"
Again, I think you are drawing a connection between PPS and e-services that doesn't exist. Let's take your statement in two parts.
"used to impersonate a tax professional via e-services" That is nowadays a fairly high barrier. First, the impersonator would need your password, which must be changed regularly and which meets industry standard complexity rules, and they would also need real-time access to texts sent to your cell phone. Not impossible to hack a cell phone, but beyond the reach of most, certainly not the path of least resistance (and the bad guys don't want any extra work, they always switch to something easier). Or, if not yet registered, the would-be impersonator would need access to your credit report info, your physical U.S. mailbox, and/or your cell phone. Look, even some legitimate users are complaining about how hard it is to authenticate under the new system, so it's not going to be easy for the bad tax preparers to do so.
"asking us to give their employees information that could be used" Guess what, the employees already have the information. They are simply using it as a "shared secret", such as your Form 1040 AGI for a given year, to authenticate you. You know that you initiated the PPS call to the IRS (you are not talking to a scammer), so how do you see giving them something they already know as a security risk? I would say the only problem is that the SSN and DOB are too weak to use as a shared secret, they should use AGI, or some other stronger shared secret. (At least they aren't using mother's maiden name!) But that would be less convenient, wouldn't it? And security is inversely proportional to convenience.
My point is, in no way are the PPS questions making anything any worse, or increasing your risk, they are only possibly increasing the authentication of your phone call. If you still disagree, please give a specific example of how a bad guy could use the information you spoke over the phone to a known IRS employee to his own advantage, starting with how he would get access to the audio of the conversation in the first place, and then how would he use your SSN and DOB information?