TurboTax owner Intuit Inc. said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name.
“During this tax season, Intuit and some states have seen an increase in suspicious filings and attempts by criminals to use stolen identity information to file fraudulent state tax returns and claim tax refunds,” the company said in a statement.
Intuit said a third-party security audit turned up no signs of a security breach with the company, and that the information used to file fraudulent returns appears to have been obtained from other sources outside the tax preparation process.
“As it worked with state governments to assess and resolve the recent issues, Intuit took the precautionary step Thursday, Feb. 5, of temporarily pausing its transmission of state e-filing tax returns,” the company’s statement continued.
“Intuit will be working with the states today to begin turning transmissions back on. Customers who have already filed their state tax returns using Intuit software during this temporary pause will have their returns transmitted as soon as possible. They do not need to take further action at this time. This action does not affect the filing of federal income tax returns, and is limited to those states that require residents to file returns.”
This is hardly a new problem, but I have no doubt we are seeing even more phony tax refund claims than last year (in which my own taxes were filed fraudulently). Cyber thieves have long sought stolen credentials for hijacked tax preparation accounts at TurboTax, H&R Block and related services. Typically, the usernames and passwords for consumer accounts at these services are obtained via password-stealing malware that infects end-user PCs (see my Value of a Hacked PC graphic for more such examples).
Victims also can see their tax accounts hijacked if crooks assume control over their inboxes as well, since tax preparation services — like most sites — allow users to reset their passwords by requesting a password reset link via email (see my Value of a Hacked Email Account graphic for additional examples like this). And of course phishers frequently impersonate tax preparation firms in a bid to steal credentials.
Stolen TurboTax or H&R Block credentials are cheaper and more plentiful than most people probably would imagine. According to the below-pictured well-known seller on the Dark Web forum Evolution Market, hacked accounts currently can be had for .0002 bitcoins, which works out to about 4 cents apiece.
Hacked accounts are extremely useful for tax fraudsters because they typically include information from previous years’ returns. They also usually include the filer’s adjusted gross income, which is a piece of data the IRS uses to verify a filer’s identity.
Perhaps it’s finally time for Intuit to support two-factor or two-step authentication for its customers? This is a basic security precaution: the service sends the user a unique, one-time code — via text message or a dedicated mobile app — that must be entered along with the customer’s username and password when he or she first enrolls, and again any time the service later sees those same credentials used from an Internet address or computer it doesn’t recognize.
The beauty of this approach is that even if customers have their credentials stolen in a phishing or malware attack, the crooks still can’t log in without also hijacking the second factor. It’s not an insurmountable challenge for the bad guys, but two-step authentication can dramatically cut down on the incidence of account takeovers. Unfortunately for Intuit and its users, calls for the company to support two-factor authentication have fallen on deaf ears so far, at least according to twofactorauth.org, a site that tracks which popular cloud-based services support the added security measure.
Update, Feb. 7, 9:08 a.m. ET: Intuit says it has turned the state e-filing spigot back on. It also says it is turning on multi-factor authentication for all TurboTax customers, although the company declined (in their press release and via email) to specify how that process will work.