Join Australia's most dynamic and respected property investment community

Drop box

Discussion in 'Accounting & Tax' started by pinewood, 10th Oct, 2016.

  1. pinewood

    pinewood Well-Known Member

    Joined:
    8th Jul, 2015
    Posts:
    94
    Location:
    Vic
    Can I ask if drop box is a secure way to share or send documents to brokers and accountants that include a lot of personal information? What do people do to avoid faxing, posting or delivering? If drop box is used does it matter who creates the folder, is it more secure if you create the folder yourself as opposed to the receiver who creates the folder for you?
     
  2. Peter_Tersteeg

    Peter_Tersteeg Finance broker and strategist Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,109
    Location:
    Melbourne, Nationwide
    People trying to steal data aren't likely to go after you as an individual. Intercepting an email isn't a very efficient way of doing this either. A better way to do it would be to hack the service providers database and steal all the clients files directly, the pay off is orders of magnitude larger. It's probably easier to hack someone's computer than it is to intercept their email remotely.

    Keep in mind most people trying to steal your data don't care about your payslips. Your drivers ID documents are probably the most useful things that financial services require (even your bank account details aren't quite that useful).

    Email isn't secure, but it is kind of tricky to intercept an email unless you're the ISP or email provider.

    Dropbox is fairly good for security but you also have to get a link or similar information to the other party, the easiest way to do this is via email (not secure).

    You can use encrypted zip files to transfer info. You still need to send the password though. Easy enough to do by phone I guess.

    Personally I am not going to install a little known encryption application on my PC so a client can encrypt their files. A third party application represents a huge risk and exposes everything on the computer to a hacker.

    The biggest vulnerability in all this is either on your computer or the service providers. The easiest way to get access to a large amount of data isn't to intercept an email. Instead it's to put a link in an email that people will open which then installs some malware on the computer, exposing everything on that computer.

    Chances are that businesses spend more on their IT security than most individuals do, so realistically it's the client that is the weakest link in the entire chain.
     
    Perthguy and pinewood like this.
  3. Ghoti

    Ghoti Well-Known Member

    Joined:
    10th Jun, 2016
    Posts:
    124
    Location:
    Melbourne
    Best practice would be to encrypted the files with a public/private key pair then transmit via secure FTP, but that's pretty full on. Any form of electronic transmission has its risks, but a 256-bit password protected zip file sent via email and password sent via text will provide more than enough protection.
     
    TadhgMor and pinewood like this.
  4. pinewood

    pinewood Well-Known Member

    Joined:
    8th Jul, 2015
    Posts:
    94
    Location:
    Vic
    Thanks @Peter_Tersteeg and @Ghoti, agree there is no fail safe route but wondered since it's now so common to transmit info electronically what people normally do or advised to do esp those with accountants and brokers interstate.
     
  5. Peter_Tersteeg

    Peter_Tersteeg Finance broker and strategist Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,109
    Location:
    Melbourne, Nationwide
    Honestly most people don't do anything at all. It's fairly low risk (compared to every other stupid things people do on the internet), so they tend to get away with it.

    A ZIP file and password as @Ghoti suggested is the way to go. Anything more is overkill and most brokers wouldn't understand and be able to cope with it.
     
    Last edited: 10th Oct, 2016
  6. Paul@PFI

    Paul@PFI Tax Accounting + SMSF Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,400
    Location:
    Sydney
    Email transfer of personal data that is highly secure is high risk. We used to encourage dropbox, onedrive etc as ways to transfer data but..... this is only as secure as YOUR password and YOUR computer (since I know ours is highly secure).

    We saw a fraud committed where the client computer was hacked a year earlier than the fraud. You know the one...I'm from Microsoft. NEVER EVER allow a third party to access your computer without exceptional care. If they call you hang up. If you initiate the contact and KNOW they are OK then access through team viewer to someone from Norton etc may be OK BUT you should always initiate the contact and not them. You can only imagine the compromised data.

    We have replaced our system and now have one of the most secure client facilities available. We strongly discourage client emails with attachments now and offer them a alternative.

    - Our IT system is not hosted locally. If our building burns or someone steals the server it will not affect us. It is embedded in a secure data farm interstate. (Three law enforcement agencies also have faith in their services!)
    - It takes three different logins to access our client data.
    - Then our software has a further password and user based permissions. I can deny a staff member rights to even see some clients. They see absolutely nothing if I set it that way. These clients include ATO executives, politicians and "celebrity" clients who have an interest in their personal security. Its not special or extra. Its what we do for anyone.
    - Each client has a secure client portal which integrates directly with our software. We can upload any file to them and they choose and manage their own login. They can access our systems 24/7 and reset their own passwords. They can access files using ANY internet enabled device. We log jobs and manage workflows using this system.
    - Clients can digitally sign tax returns. This encrypts the return and locks it from changes and is Australian Government authorised as a method of signature. No printer or other app. Click usinga mobile device and the return is ready to lodge. No email, no printing, no pen, no apps.

    The key risk remains the client - If their system is compromised I can block and restrict access immediately (or they can) BUT......Their data may already be compromised. It is essential that your computer has internet security software (not just virus software) that covers trojans and all threats. In addition the device must have password access and be regularly logged off.
    - Never open emails of unknown sources. delete them.
    - Never respond to or open a email that appears to be for you from a public agency - The Police cant email traffic camera fines and the ATO do NOT email notices. Australia Post dont have your email address. And PayPal will only email you and advise YOU of your login. If there is no login the email is a fraud. Delete it.

    Think of a tax return.
    - Full name/s, spouse name, dates of bith, address, TFN, employer, income etc etc.

    Zip passwords dont work. I have a utility that hacks these as clients regularly forget them. It and my PDF password cracker take seconds. Ghoti's suggestion of SMS for the password is sensible too BUT what does the accountant do with their system and your file ??
     
    Susan, House, Perthguy and 1 other person like this.
  7. pinewood

    pinewood Well-Known Member

    Joined:
    8th Jul, 2015
    Posts:
    94
    Location:
    Vic
    Thank you @Paul@PFI for taking the time to comment and explain the system you are using for your clients. This topic is food for thought.
     
  8. Paul@PFI

    Paul@PFI Tax Accounting + SMSF Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,400
    Location:
    Sydney
    The thought of client data being compromised from a tax return makes my stomach turn. I would argue our process goes way way beyond and is the best of its kind. If not I would love to hear how to improve it and still be functional. MyGov is a good lesson not to follow.
     
  9. pinewood

    pinewood Well-Known Member

    Joined:
    8th Jul, 2015
    Posts:
    94
    Location:
    Vic
    I knew someone who went to lodge her tax return only to find that it had already been lodged and tax refunded and it was a case of stolen identity.
     
  10. Perthguy

    Perthguy Well-Known Member

    Joined:
    23rd Jun, 2015
    Posts:
    4,798
    Location:
    Perth
    If that makes your stomach churn, think of full loan documents for multiple properties sitting on my front door step in full view of the street!!! This has the full details of 2 applicants: name, address, date of birth, full details of security properties and loan amounts. It's like an identity thief starter kit. All because banks won't send loan packs to PO Boxes "for security".

    Anyway, it's good you take your clients information security seriously. Identity theft is an increasing threat and we can no longer think of it as something that happens to someone else.
     
  11. Paul@PFI

    Paul@PFI Tax Accounting + SMSF Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,400
    Location:
    Sydney
    Yes loan applications would be more risk. Just photocopy , change a few contact number/s and email address etc....I would secure it from staff too. More chance of a staffer with a betting issue, drugs or even a targeted fraud etc and you are up ship creek.... Its a real place - Anchorage! Alaska).

    If I were a mortgage broker I would be paperless and have storage of client records like a bank vault somewhere with layers of passwords and security. Settled client records archived in cloud with further passwords and security away from eyes too. I would ensure doc exchange between client and broker was secure and if lender wants to compromise the process so be it.

    Perhaps add Adobe Acrobat DC which has tools that get managed in the clouds. Allows a range of tools. Easy to sell to clients I will argue. Its their identity. Point of difference is you are a pro and the dude at the bank is a clown who emails client data...Your choice.

    Dropbox pro is fair but not brilliant. Problem is if the client computer gets compromised its all open access even with your secure documents no mater what you use. Thats the key risk with the "Microsoft virus scam".. All it takes is a dumb act by a client and they open their door to theft.
     
  12. Ghoti

    Ghoti Well-Known Member

    Joined:
    10th Jun, 2016
    Posts:
    124
    Location:
    Melbourne
    Kinda a bit like Monty Python's 'Three Yorkshiremen' skit, but..

    Following a company takeover we were moving direct debit roll from their bank to ours and wanted to transfer the details of 18,000 customers via secure FTP. Other company's bank was concerned about security so instead dumped the details (unencrypted) onto a CD and sent them to us in an AusPost CD box, normal postage!

    I have two friends that work in the ethical hacking industry and some of their stories really make you wonder!!!
     
  13. norwoodman

    norwoodman Well-Known Member

    Joined:
    20th Jun, 2015
    Posts:
    263
    Location:
    Brisbane, QLD
    Securing individual files to be transferred is one way to improve the security - some companies will secure the document by asking you to use your own date of birth as a password in order to access a PDF file, for example. Also prevents the file itself from being tampered with or being converted back in to a Word doc.
     
  14. Paul@PFI

    Paul@PFI Tax Accounting + SMSF Business Member

    Joined:
    18th Jun, 2015
    Posts:
    2,400
    Location:
    Sydney
    Passwords security on most PDFs is very poor if the conventional security setting is used. I dont even bother to enter the DOB into clients health fund PDFs - I use a free tool that cracks them with one right click. It can also convert into word. I like it as the formatting is almost always perfect... The PDF problem seems to be that the password is contained within the file as a string of charecters and isnt even encrypted unlike say office docs which are impossible to crack as the password doesnt carry in the file.

    DOB is a poor password. Its like "password"or Pa55word etc. Or the highly imaginative one of using a phone number.