Our Security: What You Need to Know and How to Maintain Your Own Privacy

McFarland-CPA Security

Like the Matrix, but without terrifying computer creatures taking over the world!

The U.S. Congress’s reversal of the Obama Administration’s FCC rule preventing your ISP from selling your internet usage data has dropped electronic security back onto the stage. Mention the adjective Russian now and hacking easily comes to mind. In this age of aggressive hacking, several clients have contacted us about our security measures. We’ll cross-post this text in our FAQs but wanted to get this the widest dissemination, so it’s starting on this blog. As all blog articles end up in our monthly newsletter, it will go out that way too.

As an office-free firm, our security is procedural and network centric. We keep our desktops locked when not in use (actually we disconnect). We store no information on premises and have no physical files. If we encounter paper documents, we scan them and return them immediately or shred them. Unlike in the case of traditional firms, we do not present a target for physical server theft with thieves then selling your information on the dark net.

We Use HTTPS and Cloud Security

Unlike the DNC (and some say the RNC was equally deficient), we have state-of-the-art security. To start with, all of our applications force the use of the HTTPS protocol in line with Electronic Frontier Foundation best practices. Forced HTTPS use causes a uniform resource locator (URL) request sent over unsecured HTTP to be re-established in an encrypted session between your browser and our servers.
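As an added illustration (not our production code), the Python check below audits a recorded redirect chain for the forced-HTTPS behavior described above. The host portal.example.com, the sample chain, and the 180-day HSTS threshold are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: each hop is (requested URL, status code, response headers).
SAMPLE_CHAIN = [
    ("http://portal.example.com/login", 301,
     {"Location": "https://portal.example.com/login"}),
    ("https://portal.example.com/login", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
REDIRECTS = (301, 302, 307, 308)

def header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name), None)

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    value = header(headers, "strict-transport-security") or ""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def audit_forced_https(chain, min_hsts_age=15552000):  # assumed threshold: 180 days
    """Return a list of findings; an empty list means HTTPS is forced correctly."""
    findings, seen_https = [], False
    for i, (url, status, headers) in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme == "https":
            seen_https = True
            continue
        if seen_https:
            findings.append(f"hop {i}: downgrade from HTTPS back to {url}")
        target = urlsplit(header(headers, "location") or "")
        if status not in REDIRECTS:
            findings.append(f"hop {i}: plain HTTP answered with {status}, not a redirect")
        elif target.scheme != "https":
            findings.append(f"hop {i}: redirect target is not HTTPS")
        elif target.hostname != parts.hostname:
            # Same-host upgrade first, so the original host can set HSTS itself.
            findings.append(f"hop {i}: redirect leaves host {parts.hostname}")
    final_url, _, final_headers = chain[-1]
    if urlsplit(final_url).scheme != "https":
        findings.append("final response was served over plain HTTP")
    elif (hsts_max_age(final_headers) or 0) < min_hsts_age:
        findings.append("final response lacks an HSTS header with a long max-age")
    return findings
```

An empty result for `audit_forced_https(SAMPLE_CHAIN)` means every plain-HTTP hop was upgraded and the final page told the browser to keep using HTTPS.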

GoDaddy hosts our web-facing servers. They, in turn, have encrypted tunnels to our accounting data servers that are virtualized deep inside the Amazon cloud. We adopted this architecture to build in an additional layer of security for clients’ sensitive financial information.

Unlike a local, storefront operation, or even more sophisticated global scope firms, we do not store any customer information on local computers. We use Chrome OS devices since they are the most secure off-the-shelf computers and tablets.  Then, we only use them as thin clients, granting us access to our web applications through our virtual private network (VPN) and encrypted browser sessions, and to Amazon’s cloud-hosted servers. We also have a few Ubuntu Linux machines online for specific processes that are not convenient on Chrome OS.

Connecting From Unsecured Locations

Some of our clients access our platform from places that are even more unsecured than just the general hacking climate (which is bad enough). Even their internet service providers (ISPs) are highly suspect. In those cases, say, if you are an expat living and working in Russia or China, we recommend you take additional measures. First, all of your internet traffic should be in a VPN that you run either from your device or your home router. We discuss Wi-Fi below. You should use a Chrome OS device (not to be confused with the browser of the same name) such as a Chromebook or a Chromebox. Neither Windows nor Mac OS can be trusted these days regardless of the measures you take to secure them (unless you use a thin client and reboot after every session).

Wi-Fi Security

There are a lot of myths out there about Wi-Fi security. But first, let’s just get this out there: Wi-Fi doesn’t stand for anything, especially not “wireless fidelity.” It was just a catchy name for the IEEE 802.11 standard. The most important issue is to ensure you are using at least WPA2-PSK to secure your network. Your password should look like h&5U2v$(q7F4*. If it doesn’t, change it. Do not use the WPS option. Don’t turn off SSID broadcasting, DHCP, or bother locking down IP ranges or limiting access to specific MAC addresses. Those only keep out people who wouldn’t know how to penetrate your network anyway. Anyone who qualifies as a hacker will have the tools to defeat those measures faster than you can set them up and maintain them.

An added measure of security is to use a VPN originating at your device over the Wi-Fi. With this configuration, you will be secure even using open Wi-Fi systems such as at libraries, coffee shops, or airports. VPNs do slow down your internet experience a bit. However, you won’t notice unless you are trying to stream video or use internet video telephony like Google Hangouts (our preferred product) or Skype. In those cases, just turn off the device VPN but make sure to turn it back on when accessing your U.S. bank account from Moscow.

TOR and Other Onion Proxy Systems

Should I use a multi-hop proxy system like TOR for more security? That’s a question we’ve heard more than once. Keep in mind that the purpose of systems like TOR is to hide who you are from those with whom you are interacting or third parties trying to monitor your activities. In the case of banking or accessing our systems, do you really want to hide from us who you are? What you want to do is to ensure that no one in between you and us can read your traffic. That’s an encryption issue, not an identity issue. So, keep systems like TOR for when you are doing something that demands you hide your identity, not protecting content. Of course, you can do both, and if you are a sophisticated user and want to explore that possibility, there are many tutorials available for configuring these measures.

What Level Of Encryption

We use 128-bit encryption, which is the same level used by the U.S. financial system. It is a good balance between speed (encrypting and decrypting incurs overhead costs on processors at each end) and security. If the industry increases to 256-bit or higher levels, we’ll be an early to middle term implementer. We won’t blaze the way, we’ll let others bear those costs, but we won’t hesitate either since security is one of our primary values.

Discussion and Advice

We’ll set up a thread on our forum for discussing these issues if you, dear reader, want to follow up on some point we made here.  For CPAs and other small businesses interested in advice, if you are considering any of these technologies, please feel free to contact us or our implementing partner, CPA Network Solutions (they have a link at the bottom of the page). If you contact them directly, we ask that you mention us as the referral source.

Tax Simplification

Once again, the politicians in Washington have chosen to attack the straw man of the tax code. They love to portray the IRS as somehow (they never state this but artfully imply it) creating the tax code. The truth is quite the opposite: Whenever a constituent darkens a member of Congress’s doorway asking for something in return for a campaign contribution, the result is frequently a new provision in the tax code if the contribution or contribution bundle was big enough. Every few years, we go through a purging of the code in the interest of “lowering your taxes” or “making it simpler” but the net result is just a reset in this interaction between Congress and constituents.

This year, part of simplification in legislation that would affect your taxes in 2018 is decreasing the number of tax rate brackets from seven to three. At the same time, various deductions would be eliminated such as the homeowner’s (a special interest group if there ever was one!) mortgage interest deduction and caps on charitable contributions (charities are another “special interest” — a term we’ve all been trained to hate — with powerful lobbies in Washington). The minimum rates commonly discussed would be an increase from 10% to 12% at the bottom.

Another aspect of the so-called simplification is the sought-after decrease in statuses from four to two: Head of Household and Widow/Widower would be eliminated. The following chart shows the current state of complexity.

 What this dialogue ignores is that the complexity of the tax code is in two areas that precede or follow the determination of this rather mechanical and simple process: What is the income amount to be taxed and what credits are available to lower the amount of tax once it has been calculated. The former we call determining adjusted gross income (or AGI) while the latter consists of subtracting various calculated amounts from what would otherwise have been the tax to be paid. In many cases, for those able to take advantage of the nuances of the tax code, they can lower their tax due to zero (especially corporations)!

If the only complexity in Title 26 of the United States Code (the formal name for the tax code) were just what politicians are trying to con us with, their proposal would be relevant. But, I’ll bet that most readers, once they know their AGI, can place themselves in the chart in less than 15 seconds. Are you married or single? Is your spouse dead or alive?  If you are single, do you have dependents? Then, how much is your AGI?  Voila!  Read to the left on the chart above, and that’s the rate by which to multiply your AGI.

As always with tax policy changes, there are winners and losers.  Early betting on potential losers is on single mothers who will lose the benefit of preferential treatment.  Congressional staffers though have been quick to point out that more generous child care deductions will more than offset the double whammy that some have identified — an increase in tax rates, remember the increase from 10% to 12% at the bottom, and the loss of the household deduction built into their status (income not taxable until  $13,250).  We’ll keep an eye on the childcare deduction as will Forbes and others.

If you work with us, however, your taxes will, in each succeeding year, be increasingly lowered by credits as much as your circumstances will allow — we seek to structure your financial life to gain access to credits or to shield income, legally, from taxation. And that’s not simple, nor is it going to be, at least not for long. Why? Well, that’s where we started. Remember that person darkening the Congress member’s doorway?