SAN FRANCISCO – No doubt many of the taxpayers who file between now and April 17 will turn to their computer to get their return in on time. But are taxpayers taking steps to keep their personal data safe when they're online?
About 72 percent of the tax returns filed through March 23 this year were filed electronically, up from 68 percent of returns filed in the same period last year, according to the IRS. That's more than 53 million e-filed returns. Of those, more than 15 million e-filed returns were self-prepared; professional tax preparers e-filed the remaining 38 million.
Security experts say e-filing with online vendors is a safe and secure process. But it's up to taxpayers to take the necessary steps to secure their own computers.
"You can e-file very securely. You can be comfortable with what you're doing, [but] there are precautions that you should take with your computer," said Brian Grayek, vice president of threat research with CA. The Islandia, N.Y.-based company makes information-technology software for businesses and security software for home users.
"E-filing is safe if done correctly -- and if you're following good procedures on the Web," he said.
Staying safe wirelessly
If you're using a wireless home network, make sure your firewall is on and that your transmissions are encrypted. Otherwise hackers "can pluck information right out of the air and they can do that from over 100 miles away," said Stu Elefant, a Sunnyvale, Calif.-based senior product manager with McAfee Inc., a security technology company based in Plano, Texas. "They can see all the data that's flying through the air."
If you're connecting solely to sites with "https" -- the signal of a secure connection -- "you're in pretty good shape," Elefant said, as that data is encrypted. But you need to ensure you're at a legitimate site. Hackers now create fake sites that mimic trusted Web sites -- right down to the "https" security sign, he said.
Larger companies continually monitor to make sure their sites aren't being copied, Grayek said. "Smaller companies that aren't so diligent may not know about those things," he said. A good way to stay safe: Bookmark your trusted sites.
Also, consider software that alerts you to sites with questionable security certificates or practices. For instance, McAfee offers a free product called Site Advisor.
Make sure you have a firewall to guard against other users hacking into your machine, and encrypt the data you're sending out through your wireless connection, Elefant said.
"The vast majority of home wireless users don't understand the details about encryption," Elefant said. "Encryption sets up a secure tunnel so as that data is flying through the air, it's in a secure tunnel so people can't grab it," he said. "Once you set up the encryption, someone needs that encryption key in order to connect."
Either make sure encryption is turned on with your current router or consider an additional product. For instance, McAfee sells an encryption product for home computers.
The café setting
If you're thinking you'll need a strong coffee to get your taxes done this year, think about making that cup at home. "You're quite vulnerable in the Wi-Fi café," Elefant said. "That connection is wide open. Anyone can see all your data packets that are flying through the air. Since people are connected to the same network as you, they can do bad things to you if you don't properly protect yourself."
Protecting yourself includes ratcheting up your firewall settings and ensuring you've downloaded any recent security patches for your Internet browser and other applications.
The easiest way to stay safe is to make sure your computer is set up for automatic updates -- and be sure to agree to download those updates. "A lot of times users will say, 'I'll do it later, later, later,'" Elefant said, "but it's important you do it before you take your computer to an even more vulnerable environment like a hotspot."
Check your spelling
Scammers these days try to ensnare unsuspecting consumers by setting up a fake Web site that looks just like a trusted company site -- with a URL address that's just one letter different from a valid site.
"What I do as a bad guy is: I will take out every spelling combination close to a site that I possibly can. I will make my site look just like their site," Grayek said. Then, the hacker simply collects the data entered there by unsuspecting consumers.
One way to avoid that problem is to bookmark your most-visited Web sites, Grayek said. And check your spelling carefully before hitting "enter."
Avoid unknown computers
There's good reason to avoid public computers when filing your taxes: Hackers can physically attach a keystroke logger to a computer in an Internet café or library. This device records your keystrokes and sends them back to the hacker, who can then retrace your Web site visits -- plus your user IDs and passwords.
Keystroke loggers can also end up on a computer if a user clicks on a compromised Web site that then downloads a keystroke logger to the computer.
"I would never, ever file my taxes from an Internet café or from a computer that I don't completely trust," Grayek said.
Consider your passwords
Yes, it's a pain to remember many different passwords, but if nothing else, be sure to use different passwords for the less secure Web sites you visit.
"You don't want to use the same password for your Yahoo mail that you would for logging on to TurboTax," Elefant said. "A lot of times, certain accounts that you log into don't protect those log-in credentials. Unless you see the 'https' when you're logging into anything, they may not be protected over the air," he said.
"If you use the same username and password for your insecure accounts as well as your secure accounts, your secure accounts are not that secure anymore."
Never trust a link sent in an e-mail, Grayek said. For instance, scammers now send e-mails that appear to be from the IRS, but are instead an attempt to steal taxpayers' personal information. Remember that the IRS won't contact you by e-mail.
Remember that an e-mail address can be mimicked. "No matter who sent it to you, think about: What if it didn't come from that person?" Grayek said.
Instead of clicking on links in e-mail messages, mouse over the link to see what the address is. Then open your Internet browser and type in the address yourself, Grayek said. A legitimate company will not e-mail you a message saying "your account has been compromised," Grayek said.
Check for updates
Make sure you've got the latest updates for your operating system and any applications. For instance, Grayek said he tells his family and friends to set a reminder to check for updates on the second Tuesday of every month. "That's when Microsoft issues its updates: Windows updates, Office updates, application updates," he said.
Setting your computer for automatic updates is also a good idea, he said, though he noted that "the system is set to try to do it at its earliest convenience, but if it can't -- the system is not on, you're not connected -- it waits ... up to a day or two."
"I tell my whole family: Set a reminder. On the second Tuesday of the month go to the Microsoft update site, get your operating system update and Office updates."
Three's a charm
Always run updated antispyware, antivirus and firewall programs, Grayek said. A fourth charm: Make sure your e-mail is protected by an antispam program.
Even with those four defenses in place you're not fully protected.
"You're miles ahead, but you're not 100 percent protected," Grayek said. "Here's the caveat: if there is something going on out there that either your antivirus company is not aware of, or if you visit a Web site that's been compromised, or you select something and download it, there's nothing anyone can do to protect you. You have to be Internet savvy."
Copyright (c) 2006 MarketWatch, Inc.