Thursday, May 1, 2008

Microsoft Small Business Accounting & Quickbooks

I just received my copy of Microsoft Small Business Accounting 2008. I've been wanting to try this out since I had the 2007 version, but I was unable to import the data from Quickbooks 2006 Pro. When I installed Small Business Accounting I started the import and, lo and behold, I did not have to enter my Quickbooks password. This struck me as very odd and made me concerned. Being out of time, I tabled further investigation until today. I created a dummy company in Quickbooks, "Hackme", added a few quick entries, and proceeded to try to import it into Small Business Accounting.

When I tried to import the new company file it prompted me to open the file and allow access to Small Business Accounting. At that point I stopped, feeling a bit better, but that feeling did not last long. I got to thinking, and I remembered allowing access to Small Business Accounting several months back. My Quickbooks file has been vulnerable to theft; my customer data, names, addresses and phone numbers have been more or less easy pickings. The only positives, as I see it, are that I do not store my bank accounts in Quickbooks, only a description of the account, and I do not store credit card data.

I'm doing a bit more research into how this can be avoided, mitigated, and/or cleared after access has been granted. I certainly do not want my Quickbooks files being vulnerable to being sucked out by other people using Small Business Accounting or any other "authorized program".

I take some of the blame for allowing a program access to my data without fully understanding what it does, but I also blame Microsoft & Intuit for not having the data link secured in a more robust manner. I am not sure if this "authorized link" can be exploited only on the machine it was initiated on, or if any Quickbooks file can be compromised after Small Business Accounting has been granted access. I have some tests under way, and will post the data when it becomes available.

Until then take this as a lesson learned, and do not allow programs access to your data, unless you know a few things:
1. How to revoke access to the program
2. What the program is actually going to do with the data
3. What type of data you are potentially exposing to the world
4. If the risk is worth the potential payoff.

-- Tim Krabec