It’s tax season and, like many of you, I’ve been working with an accountant to prepare my tax return. I moved to a remote desert community a couple of years ago, but I still use the same accountant I had in the city. We can easily handle all the issues over the phone and e-mail, plus an occasional package via USPS.
Recently, however, my accountant had his IT consultant set up a web portal so his clients could upload tax documents. He told me they were using 256-bit SSL and that it was all secured. I thought that was a great idea and proceeded to register on his site. As is the usual practice these days, I had to select a username and a password and enter and confirm my e-mail address. I was very careful to use a strong random password created by my KeePass password manager. At the end of the process the website indicated that my account was pending and that I’d receive a confirmation e-mail shortly. Sure enough, about 10 minutes later I got an e-mail confirming my selections for username and password and thanking me for creating an account.
If I were an average user I probably would have merrily uploaded my files and moved on to the next task in my busy work day. Of course, I’m considerably more paranoid about security, so I called my accountant and let him know that he should fire his IT consultant on the spot!
While divulging the username of an account in a confirmation e-mail is not a great idea, it presents relatively little risk provided that the password is strong and kept secret. Divulging the password and the username together in an open e-mail, however, is a major security blunder: the site must have held my password in cleartext to echo it back, and anyone who can read that e-mail in transit or in my mailbox now holds the keys to the account.
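To make the difference concrete, here is an added example (not the portal's code, nor anything its IT consultant wrote) that puts the flawed flow beside a hardened one. All function names, the in-memory `ACCOUNTS` store and the `portal.example` URL are hypothetical; nothing is actually mailed, each registration function simply returns the e-mail body it would send. The hardened version keeps only a salted PBKDF2 hash of the password, and the confirmation e-mail carries the username plus a one-time verification token, never the password.

```python
"""Added example: a registration flow that never stores or e-mails a cleartext
password, next to the flawed flow described in the post. Hypothetical names
throughout; no real mail is sent."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database": username -> account record.
ACCOUNTS: dict[str, dict] = {}
PBKDF2_ITERATIONS = 600_000  # current common guidance for PBKDF2-HMAC-SHA256


def register_naive(username: str, password: str, email: str) -> str:
    """The flawed flow: cleartext password stored and echoed back in the e-mail."""
    ACCOUNTS[username] = {"password": password, "email": email, "verified": True}
    return (f"Thank you for creating an account.\n"
            f"Username: {username}\nPassword: {password}\n")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked database does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_hardened(username: str, password: str, email: str) -> str:
    """Store only a salted hash; the e-mail carries the username and a
    one-time verification token, never the password."""
    salt = os.urandom(16)
    token = secrets.token_urlsafe(32)
    ACCOUNTS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Only a hash of the token is kept, so a leaked record cannot be used
        # to confirm the account; the token itself lives only in the e-mail.
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "verified": False,
    }
    # The username is disclosed here (low risk, as the post notes); the
    # password is not. The URL is a placeholder.
    return (f"Thank you for creating an account, {username}.\n"
            f"Confirm your e-mail: https://portal.example/verify?token={token}\n")


def verify_email(username: str, token: str) -> bool:
    """Consume the one-time token from the confirmation link."""
    rec = ACCOUNTS.get(username)
    if rec is None or "token_hash" not in rec or rec["verified"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if hmac.compare_digest(rec["token_hash"], presented):
        rec["verified"] = True
        return True
    return False


def check_login(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unverified accounts
    cannot log in. Also handles the naive record shape for comparison."""
    rec = ACCOUNTS.get(username)
    if rec is None or not rec.get("verified"):
        return False
    if "password" in rec:  # naive record: cleartext comparison
        return rec["password"] == password
    return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))


if __name__ == "__main__":
    print("--- naive e-mail body ---")
    print(register_naive("bob", "correct-horse-battery", "bob@example.com"))
    print("--- hardened e-mail body ---")
    body = register_hardened("alice", "correct-horse-battery", "alice@example.com")
    print(body)
    print("password leaked in naive mail:", "correct-horse-battery" in body)
```

A quick way to audit any portal you are asked to use is the same check this code makes on itself: register with a throwaway password and confirm that neither the confirmation e-mail nor any later "reminder" e-mail can quote it back to you, because a site that can do so is storing it in a recoverable form.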
My accountant is a great guy and apologized profusely after I told him of the situation. He clearly didn’t know what was going on in the account setup process or its potential ramifications. I honestly felt bad for him, since IT and security are not his strong suit. We quickly closed my account and agreed to find a better way for him and his clients to share files after the tax rush was over.
In light of this situation, I wanted to remind all of you that you need to pay attention to your security all the time. Don’t assume that just because someone has an “IT guy” and says that something is secure that they necessarily know what they are doing!
Be careful, be suspicious, be paranoid if necessary!