ATX Community

Can we revisit the topic of file encryption?


SFA


22 hours ago, Catherine said:

  But I am very surprised about the cnet warning; that has historically been a source of known-good download files, not malware.

For Cnet it depends on the software file. When installing the file, oftentimes the normal agreement box that you click "OK" is actually an agreement to accept malware. You need to read those with CNET these days. I avoid them whenever possible because I've made the mistake and installed junk that took forever to get rid of.

 

  • Like 1

On 11/16/2015, 10:09:54, Jack from Ohio said:

Please cite for me one instance of an individual's e-mail being "hacked" and the document attached being stolen.

Encryption of e-mail has the same basis in concern as man-made global warming, and Y2K.

I won't name names, but it's happened to members of this forum--I've received phishing emails from their hacked accounts.  Granted, it was most likely due to a weak password or a phishing scam.  The attack vector is irrelevant though; once they have your password, they have your emails and attachments.

 

On 11/16/2015, 12:18:54, ETax847 said:

I just got back from a Tax Updates seminar and they explained that password protecting a pdf can be easily cracked.  There is software out there that can break a password "protected" pdf within minutes.

I would stay away from emailing tax returns if at all possible.

I believe that depends on the version of Acrobat used to protect the file.  Acrobat version 9+ uses 256 bit AES encryption, which is plenty secure, but Acrobat 9 has a weakness in password handling.  Anything Acrobat X and above is quite secure as far as I know.


Eric,

Are you talking about phishing emails directly from their accounts or emails that look like they might be from their account, but if you hover over the account, it's totally incorrect. I ask because I have had people receive emails that they think are from me, but are not from my account and have my business name backward or completely screwed up. I've had an IT guy check my computer and I run Malwarebytes and AVG constantly. I get this crap from my friends and clients, but normally I can see that it's a spoof. I'm still trying to figure out if my email account has been hacked or if it is from an old AOL hack. I've changed my passwords a lot, but my brother just chewed me out because of one that he received months ago. I guess he's not smart enough to know my name. 

How do you stop these things, besides a strong password? 

 

Thanks!

 

  • Like 1

On 11/18/2015, 11:50:04, Roberts said:

I also use FREE software called Advanced Scan to PDF Free to generate pdf files from things I scan. It's also a tiny program, works exceptionally quickly (far faster than anything else I've used) and does a solid job. Only wish is that it would allow custom file names but I can manually rename the pdf files on my own.

Strange, I googled that software, tried to download it, from the ad, but when I went to open it, it was trying to install CCleaner, not the pdf program.  Said no to that, deleted that file, went back, saw 2 different download buttons at the bottom of the page, one direct and one through cNet.  Tried the first one, it said "loading" but never completed.  Decided to try the cNet button, but my virus program gave me a red flashing warning.  So that's it, I guess.


6 hours ago, NECPA in NEBRASKA said:

Eric,

Are you talking about phishing emails directly from their accounts or emails that look like they might be from their account, but if you hover over the account, it's totally incorrect. I ask because I have had people receive emails that they think are from me, but are not from my account and have my business name backward or completely screwed up. I've had an IT guy check my computer and I run Malwarebytes and AVG constantly. I get this crap from my friends and clients, but normally I can see that it's a spoof. I'm still trying to figure out if my email account has been hacked or if it is from an old AOL hack. I've changed my passwords a lot, but my brother just chewed me out because of one that he received months ago. I guess he's not smart enough to know my name. 

How do you stop these things, besides a strong password? 

 

Thanks!

 

A strong password that is unique to the account is incredibly effective.  Be careful to not provide it to some look-alike site at www.outlook.fakesite.com for example. If you use an email client like Outlook or Mail or Thunderbird and your ISP / email provider supports SSL, then configure your client to use it.  Other than that, it's up to your provider to keep their systems secure.

Encryption is important, which is why every single online retailer in the world utilizes it when they take your credit card information, and why many sites use it when taking your username and password.  With the latest round of donations, I'm going to buy a 3 year SSL certificate for atxommunity.com. 

Yes, I did check the email headers to see where they came from.  The actual addresses were registered to this forum.   They get into the account and send emails to everyone in the contact list.  The same thing happened to my mom a few years ago, and once they were done extracting everything they wanted from the account, they deleted every email and contact so she couldn't easily warn everyone of the intrusion. 

  • Like 1

11 hours ago, Eric said:

I won't name names, but it's happened to members of this forum--I've received phishing emails from their hacked accounts.  Granted, it was most likely due to a weak password or a phishing scam.  The attack vector is irrelevant though; once they have your password, they have your emails and attachments.

 

I believe that depends on the version of Acrobat used to protect the file.  Acrobat version 9+ uses 256 bit AES encryption, which is plenty secure, but Acrobat 9 has a weakness in password handling.  Anything Acrobat X and above is quite secure as far as I know.

I have Acrobat 11 Pro.  The menu option says encrypt with password.  I was wondering when people say password protect their attachments, does that automatically encrypt?  I was wondering if there is a separate thing going on, a distinction between encryption and just adding a password.  In Acrobat 11 Pro, it appears to be doing both.


34 minutes ago, Randall said:

I was wondering if there is a separate thing going on, a distinction between encryption and just adding a password.  In Acrobat 11 Pro, it appears to be doing both.

I don't think there is a distinction.  Password protection without encryption would be too easily circumvented.


  Randall, your query prompted me to look more carefully at my Adobe 10 Pro security options.  I can (and am sure you as well) choose to encrypt with either password or certificate.  If using 10 or later, it is 256-bit AES.  Check the online help for security options and read carefully.  I believe, with a strong enough password (and it rates them - last 4 digits of SSN is weak) and letting the recipient know they must have the latest Adobe reader to access file, this will work.

I have been depressed trying to find a solution that doesn't cost (to me) a small fortune.  I have decided, I think, to use the password option on my Adobe Pro 10 but with a much stronger password - maybe street name plus last 4 digits - to send the pdf of the tax returns then instructing the client to only fax or snail mail the 8879 and NOT TO EMAIL!

With only about 50 clients I just can't justify the expense of a portal and equitably share the expense among them.  And many are not tech savvy enough to use them anyway. 

Yup, 3 years left as trustee on 6 trusts and I retire.  This gets more complicated (and I'm not talking tax code - that's another story!) every year!


24 minutes ago, Margaret CPA in OH said:

Yup, 3 years left as trustee on 6 trusts and I retire.  This gets more complicated (and I'm not talking tax code - that's another story!) every year!

Wow, you're brave.  No way I'm going to be a trustee.  Are you running the 10K tomorrow?  I'll be there.


Old versions of Adobe would password protect without encrypting. Same is true with Microsoft Office with Word and Excel files. There were websites where you could upload the file and they would crack it open in seconds, making the password protection meaningless. That is NOT the same as encrypting the pdf file. Even 128-bit encryption can take over 100 years for a piece of software to crack it.

There are TONS of Excel files out there where they password protect so you can't manipulate the data - those passwords are easily broken, making them virtually worthless.
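Added example, not part of any post in this thread: a Python check that reads a PDF's `/Encrypt` dictionary and reports which password scheme the file actually uses, which is the question raised above about "password protect" versus "encrypt" and about Acrobat 9 versus Acrobat X. The function names and the sample fragments are constructed for illustration, and the byte scan is a simplification of a real PDF parser.

```python
import re

# /R (revision) of the Standard (password) security handler -> (cipher, note).
# R5 is the AES-256 scheme introduced with Acrobat 9; R6 replaced it in Acrobat X.
# Revision 4 is handled separately: it picks its cipher per crypt filter (/CFM).
REVISIONS = {
    2: ("RC4 40-bit", "obsolete cipher"),
    3: ("RC4 up to 128-bit", "obsolete cipher"),
    5: ("AES-256", "Acrobat 9 scheme, weak password hashing"),
    6: ("AES-256", "Acrobat X scheme, hardened password hashing"),
}
CFM = {b"AESV2": ("AES-128", "128-bit AES crypt filter"),
       b"V2": ("RC4 128-bit", "obsolete cipher")}
UNKNOWN = ("unknown", "unrecognised revision or crypt filter")

# Constructed fragments (not complete PDFs) covering the layouts handled below.
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer << /Root 1 0 R /Size 4 >>\nstartxref\n0\n%%EOF"
SAMPLE_R6 = (b"%PDF-1.7\n9 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 "
             b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >> endobj\n"
             b"trailer << /Root 1 0 R /Encrypt 9 0 R >>\nstartxref\n0\n%%EOF")
SAMPLE_R3 = (b"%PDF-1.4\ntrailer << /Root 1 0 R /Encrypt << /Filter /Standard "
             b"/V 2 /R 3 /Length 128 >> >>\nstartxref\n0\n%%EOF")

def find_encrypt_dict(pdf: bytes):
    """Return the raw /Encrypt dictionary bytes, or None if the file has none."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:  # usual layout: the trailer references an indirect object
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, pdf, re.S)
        return obj.group(1) if obj else b""
    inline = re.search(rb"/Encrypt\s*<<(.*?)(?:startxref|$)", pdf, re.S)
    return inline.group(1) if inline else None

def classify(pdf: bytes) -> dict:
    """Report whether a PDF is encrypted and with which password scheme."""
    result = {"encrypted": False, "revision": None, "cipher": None, "note": "no /Encrypt"}
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return result
    result["encrypted"] = True
    handler = re.search(rb"/Filter\s*/([\w.]+)", enc)
    if not handler or handler.group(1) != b"Standard":
        return {**result, "note": "Standard (password) handler not found"}
    rev = re.search(rb"/R\s+(\d+)", enc)
    result["revision"] = int(rev.group(1)) if rev else None
    if result["revision"] == 4:
        cfm = re.search(rb"/CFM\s*/(\w+)", enc)
        result["cipher"], result["note"] = CFM.get(cfm.group(1) if cfm else b"", UNKNOWN)
    else:
        result["cipher"], result["note"] = REVISIONS.get(result["revision"], UNKNOWN)
    return result
```

To check a real file, pass `open(path, "rb").read()` to `classify`. The scan reads only the unencrypted `/Encrypt` dictionary, so it cannot tell whether the password chosen is strong or whether only a permissions password was set.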


Randall, the trustee thing is an extension of the trustee role on the now deceased grandparents.  I really don't do anything as they are all managed accounts.  I just have to keep track that distributions are at least the annual income but do not exceed 50% of the adjusted value.  And prepare the returns...

No, I never race on Thanksgiving.  Probably should but somebody has to cook!  I did the Queen Bee (third in my age group - old lady - for the second year) and as a coach with a first timer in the Indy Monumental Half Nov. 7.  After some medical stuff, I'm back to training next week for the full Flying Pig.  Another new age group and I intend to win my group in the Queen Bee in 2016.  That is if I am still upright and mobile :D in my dotage.  Good luck to you if you race!  You will earn that extra piece of pie.

Lion, I have only a very basic website primarily for the email and domain.  I've already checked and the cost to upgrade to accommodate a portal is too much.  ATX is my software but, again, more than I am willing to pay for a portal.  ISP is Time Warner Cable.  I will check but kind of doubt they have anything.  Thanks for the suggestions, though!

With the information about the Adobe possibility of encryption (and it can be the pdf file), I feel mostly okay sticking with that and having the clients mail back the 8879.  Most folks mail or fax me their data now.  I don't think anyone emails it.  If they send originals, I mail those back after scanning. 


Margaret, here is a simple solution for your password that will make it stronger and not be too complicated.  Use TR2014XXXX.  T=Tax R=Return 2014=tax year XXXX= last four digits of SSN.  You can add an exclamation point or whatever to toughen it up even more, if you like. Just a thought.

  • Like 2

 Sounds good, Mike.  I just try to include something that the client would know such as their street plus the last 4 digits. I do like adding the other character but, again, would have to include that in the text of my email telling the client about the password. The more I have to write in the email that isn't obvious, the better.


 Thanks for another great suggestion, Catherine.  I do actually have WinZip, too.  But I am certain that some of my clients are not going to manage zipped files.  And it seems that my Adobe Pro 10 may work well with 256-bit encryption.  I will have to include the information that the client must upgrade their Adobe Reader to 10, though.  This season will be longer than usual, I fear.

Nonetheless, I am grateful that I still have clients, am still interested in the work, and am yet able to do a good job - I hope!

Enjoy all the people and things for which you are grateful.  I plan on it today and tomorrow and tomorrow...

  • Like 1

8 minutes ago, jmdaviscpa said:

You might want to revise that link, Eric. It has your personal info in it.

I read a similar paper (from someone trying to sell me a file sharing service) and it basically came down to "people use really stupid passwords."

 

Thanks JMD, I took care of that for him.

  • Like 1

Well, I just checked out a couple of client portals including PortalSafe in ATX.  In every case, a password is required to access the presumably secure information within the portal.  How is this any more secure when passwords are typically shared in an email exchange?

I'm still leaning towards using Adobe Pro 10 with 256-bit encryption and stronger but obvious to the client password.  The issue I am now having is finding a good link to Adobe Reader 10 as I think most clients won't have that.  Adobe Reader DC seems to be all over the place but I am uncomfortable requiring clients to download that as I personally find it obnoxious.  Ideas?

