Tax season is like Christmas for identity thieves and hackers. There’s a lot of personal information floating around unguarded this time of year, and they can just pluck it from cyberspace. Even the Internal Revenue Service’s idea for protecting taxpayers wasn’t foolproof. Several Americans who were issued special identity protection PINs to ensure criminals didn’t file returns in their names recently learned the measure had failed — other people already had collected big refunds under their Social Security numbers.
The latest statistic, from 2014, shows criminals have successfully claimed $6.5 billion in fraudulent tax refunds.
Most of us today use our home computers for sensitive financial or health transactions, and four out of five individuals e-file their tax returns. But don’t think it’s just average Joes who have trouble protecting personal data. As an information security and risk consultant, I’ve worked with top corporate officials who have lost hundreds of thousands of dollars over errors in judgment. In your home or your giant corporation, problems typically stem from mistakes made by individuals.
Let’s start with a simple thing you can do. Right now.
Visit www.haveibeenpwned.com and enter all the usernames or emails you use for financial and social media accounts. You won’t be asked for a password. The site will tell you whether any of them has been compromised and, if so, you can work with the sites where problems occurred.
Selecting good passwords is the first line of defense in protecting your information. Overall, “123456” and “password” are still the most popular passwords. (I’m not kidding.) However, many tax preparation and other sites that deal with personal information now require eight-character passwords with letters, numbers and special characters. Still, hackers have upped their game and can now crack those in a few hours. I recommend 12-character passwords for sites containing your financial or personal information.
The problem is how to remember these complex passwords. This is where commercial password managers come in. They remember dozens or hundreds of complex passwords effortlessly and make it unnecessary for you to share passwords between sites, another huge no-no. You just have to remember a single master password that unlocks the rest of the password information. You should write that one down and keep it in a safe place. Never expose it to the Internet. Popular password managers include LastPass and Dashlane. LastPass is available for free or in a premium version at $12/year.
Many banks and tax preparation software tools are now going beyond passwords to multifactor authentication to confirm your identity, but not all of these systems are equal. For example, a two-factor system that sends you an email for confirmation isn’t as good as one that uses another device, such as a smartphone. A criminal could be monitoring your computer and get both your password and confirmation email. It’s a lot less likely he would have access to your smartphone as well. In general, wherever there is a multifactor option available, take it. It’s worth the extra 30 seconds.