F E d F d D iFront‐End Fraud Detection

2012 Midwestern States Association of Tax Administrators

August 27, 2012St Louis, MO

Introduction

Fluffy Cazalas, Vice President

National Association of Computerized Tax Processors (NACTP)

941‐343‐7708

fluffy@nactp.org

2

NACTP History and Membership

The NACTP was founded in 1969 by six tax processing firms that recognized the need for streamlined tax preparation. Today, therecognized the need for streamlined tax preparation. Today, the NACTP includes in its membership over 50 tax preparation software companies, electronic filing processors, tax form p blishers ta processing ser ices b rea s and otherspublishers, tax processing services bureaus and others.

3

NACTP Structure

• Income Tax• Electronic Filing Committee (EFC)Electronic Filing Committee (EFC)

nactp_efc@nactp.org

• Government Liaison Committee (GLC)nactp glc@nactp.orgp_g @ p g

• Sales & Use • Sales & Use Tax Committee (SUT)• Sales & Use Tax Committee (SUT)

nactp_sut@nactp.org

• Payroll & Information Reporting• Payroll & Information Reporting• Payroll & Information Reporting Committee (PIRC)

nactp_pirc@nactp.org

4

Every time some software engineer says, “Nobody will go to the troublesays, Nobody will go to the trouble of doing that,” there’s some kid in Fi l d h ill t th t blFinland who will go to the trouble.

– Alex Mayfield

5

Overview

– Software Options for Taxpayersp p y

– Best‐of‐Breed Technology

– Best Practices

– Data Integrity and Privacy

– Asset Protection

Social Engineering– Social Engineering

6

Software Options for Taxpayers

There are basically three methods for taxpayers or tax i f i dpreparers to access tax preparation software in order

to file their returns.

– On Premise (installed from CD/DVD)

– Online (accessed via Internet)

– Hosted (accessed via Citrix or VPN)

7

On Premise

On Premise, or software installed from CD/DVD on a i i h i f d lprivate computer, is the version software developers

have the least control over security.

Whil d t t b f d– While updates to programs can be forced on taxpayers, the programs are running on their private computersprivate computers.

– Security is as good as their updated anti‐virus programs and their home network security.programs and their home network security.

8

Online

Online products are growing in popularity and usage. Taxpayers can access their software anywhere theyTaxpayers can access their software anywhere they have internet access.

– Typically used by individuals and small companies– Typically used by individuals and small companies. – Assures they are using most recent updates.

Usual dangers of transferring data across Internet– Usual dangers of transferring data across Internet exist.

9

Hosted

Hosted solutions are common for large corporate taxpayers The software can be as robust as neededtaxpayers. The software can be as robust as needed without having to push the logic that implements that functionality over the wire.functionality over the wire.

– Offices in different regions can each gain access to the information for which they have a legitimate y gneed; yet the information never leaves the host’s facility.

– Information is more likely to remain private if users do not feel they have to share data through “out of b d” h l

10

band” channels.

Opening the Door to Thieves

Every change to an application — whether to add a feature improve performance or fix a bug can openfeature, improve performance, or fix a bug — can open the door to unforeseen problems, including some with security implications. Even a rule change, which somesecurity implications. Even a rule change, which some might consider purely functional, can create data integrity problems if formulas are not implemented correctly or ripple effects are not fully considered.

11

Change Procedures Documentation

– Product Release Testing: Focuses on checking the application before it can be packaged for externalapplication before it can be packaged for external distribution.

– Online Testing: An array of tests to check the operation of a final release candidate in the online or hosted environment. Tests are conducted in a separate environment that mirrors production and is often called pa “staging” environment.

– Change Management: Change Control Requests are tili d t t l ll t d h d h iutilized to control all system and hardware changes in

the production environment.

12

24/7 Monitoring of Online & Hosted

– Where a taxpayer using an on premise software might not monitor their own computer(s) and/ormight not monitor their own computer(s) and/or network systems and facilities around the clock, an online or hosted solutions provider will monitoronline or hosted solutions provider will monitor those systems. This monitoring will include monitoring of the running applications as well as monitoring of physical facilities for break‐ins, fire, and other hazards.

13

Data Communications Security

– Communications between the taxpayer and f d i H T fsoftware company are done via Hypertext Transfer

Protocol over Secure Sockets Layer (HTTPS) through a web browser and the secured thin clientsa web browser and the secured thin clients. Communication methods utilize industry standard 128‐bit encryption algorithms. yp g

– Communications among software company sites are routed over a Virtual Private Network using 128‐bit 3DES IPsec tunnel and 1024‐bit Diffie‐Hellman IKE Phase1 with pre‐shared secret key exchange.

14

Protection from Internet Threats\

Enterprise level firewalls are in place and allow only HTTPS and the secured thin client into the site from the open Internetthe secured thin client into the site from the open Internet. Hypertext Transfer Protocol (HTTP) is allowed to connect for ease of user connectivity, but is redirected to HTTPS for security prior

l i ll h bl k d ddi i b ito login. All other ports are blocked. In addition to ports being blocked, the firewall uses network address translation (“NAT”) to conceal internal network addresses. NAT is integrated with the gstateful inspection technology of the firewall and can automatically generate static and dynamic NAT rules based on network topology information The firewall by default is alsonetwork topology information. The firewall by default is also configured with a host of denial of service (DoS) prevention at the application, session, transport and network layers.

15

Virus Protection – On Premise, Online

– For On Premise products, virus protection of the i i i h ’ h dprivate computer is in the taxpayer’s hands.

– For Online products, while providers ensure t ti f d li ti th i idprotection of servers and applications on their side,

taxpayers could have viruses on their machine that would allow thieves to capture datawould allow thieves to capture data.

16

Virus Protection ‐ Hosted

– For Hosted products, the provider ensures firewalls bl d k h li iare enabled to prevent attacks at the application

layer, and the firewall is able to block several forms of viruses In addition a second tier of protection isof viruses. In addition, a second tier of protection is maintained on the servers. Industry standard enterprise level virus protection is installed on all p pservers in the host site. The servers are automatically updated as new virus definitions are made available.

17

Physical Security\

Data centers are engineered with at least five levels of security.Biometric (fingerprint access) scanning technology verifies identity– Biometric (fingerprint access) scanning technology verifies identity for authorized access into the facility.

– Proximity card access with personal identification number, in addition to biometric clearance, is required to enter/exit the facility.

– All steel mesh cabinets are fitted with combination locks. As a result, no keys can be lost or duplicated.

– Video surveillance cameras are hidden throughout the facility, monitored by a 24x7 network operations center (NOC) and trackmonitored by a 24x7 network operations center (NOC) and track and record access throughout the facility.

– Strategically placed sensor devices alert Data Center NOC l f f d t

18

personnel of any forced entry.

Social Engineering

By far, the greatest threat for identity theft and system intrusion is the human aspectis the human aspect.

– The weakest link in security systems is the human element.– Employees will trust social engineers and give our what they

believe to be innocuous information because social engineers are skilled at influencing and persuading people.

If a social engineer gives a plausible reason people don’t– If a social engineer gives a plausible reason, people don t become suspicious, even if they should.

– Sometimes a social engineer will pose as someone who g pneeds help in order to gain trust and get the information they are seeking.

19

Social EngineeringEducate, educate, educate.– Teach employees the danger of mishandling nonpublic

information.

– Data classification policies in which all internal information is considered confidential unless specified otherwise.considered confidential unless specified otherwise.

– Advise employees that knowing company procedures, lingo and internal identifiers doesn’t automatically authenticate a caller or authorize that person as having a need to know Formerauthorize that person as having a need to know. Former employees or contractors, for example, might know such information.

– Prohibit the release of internal phone numbers.– Develop a step‐by‐step procedure to identify whether a caller who

is seeking a phone number is really an employee.

20

g p y p y

Questions

21