06
Feb 15

Citing Tax Fraud Spike, TurboTax Suspends State E-Filings

TurboTax owner Intuit Inc. said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name.

dyot copy2“During this tax season, Intuit and some states have seen an increase in suspicious filings and attempts by criminals to use stolen identity information to file fraudulent state tax returns and claim tax refunds,” the company said in a statement.

Intuit said a third-party security audit turned up no signs of a security breach with the company, and that the information used to file fraudulent returns appears to have been obtained from other sources outside the tax preparation process.

“As it worked with state governments to assess and resolve the recent issues, Intuit took the precautionary step Thursday, Feb. 5, of temporarily pausing its transmission of state e-filing tax returns,” the company’s statement continued.

“Intuit will be working with the states today to begin turning transmissions back on. Customers who have already filed their state tax returns using Intuit software during this temporary pause will have their returns transmitted as soon as possible. They do not need to take further action at this time. This action does not affect the filing of federal income tax returns, and is limited to those states that require residents to file returns.”

This is hardly a new problem, but I have no doubt we are seeing even more phony tax refund claims than last year (in which my own taxes were filed fraudulently). Cyber thieves have long sought stolen credentials for hijacked tax preparation accounts at TurboTax, H&R Block and related services. Typically, the usernames and passwords for consumer accounts at these services are obtained via password-stealing malware that infects end-user PCs (see my Value of a Hacked PC graphic for more such examples.)

Victims also can see their tax accounts hijacked if crooks assume control over their inboxes as well, since tax preparation services — like most sites — allow users to reset their passwords by requesting a password reset link via email (see my Value of a Hacked Email Account graphic for additional examples like this). And of course phishers frequently impersonate tax preparation firms in a bid to steal credentials.

Stolen TurboTax or H&R Block credentials are cheaper and more plentiful than most people probably would imagine. According to the below-pictured well-known seller on the Dark Web forum Evolution Market, hacked accounts currently can be had for .0002 bitcoins, which works out to about 4 cents apiece.

A seller of hacked accounts on the Dark Web community Evolution Market sells hacked TurboTax and H&R Block accounts for pennies apiece.

A seller of hacked accounts on the Dark Web community Evolution Market sells hacked TurboTax and H&R Block accounts for pennies apiece.

Hacked accounts are extremely useful for tax fraudsters because they typically include information from previous years’ returns. They also usually include the filer’s adjusted gross income, which is a piece of data the IRS uses to verify a filer’s identity.

Perhaps it’s finally time for Intuit to support two-factor or two-step authentication for its customers? This is a basic security precaution which involves the service sending its user a unique, one-time code — via text message or specialized mobile app — that must be entered along with the customer’s username and password when he or she signs up for the service and then anytime after that when the service detects those same credentials being used from an Internet address or computer that the service doesn’t recognize.

The beauty of this approach is that even if customers have their credentials stolen in an phishing or malware attack, the crooks still can’t log in without also hijacking the second factor. It’s not an insurmountable challenge for the bad guys, but two-step authentication can dramatically cut down on the incidence of account takeovers. Unfortunately for Intuit and its users, calls for the company to support two-factor authentication have fallen on deaf ears so far, at least according to twofactorauth.org, a site that tracks which popular cloud-based services support the added security measure.

Update, Feb. 7, 9:08 a.m. ET: Intuit says it has turned the state e-filing spigot back on. It also says it is turning on multi-factor authentication for all TurboTax customers, although the company declined (in their press release and via email) to specify how that process will work.

Tags: , , , , ,

78 comments

  1. Cloudmark is blocking a lot of phishing emails right now that appear to be from the IRS, and we have seen some for Turbo Tax credentials. These go to realistic looking phishing page. I’ll have a blog post up about this next week on the Cloudmark web site.

  2. Tragic. This is why it’s extremely important to file as quickly as possible before someone else does it for you. Sad that it’s come to this, but glad that TurboTax is doing something about it. Normally in these cases we’d have to wait until after tax season for a company to take notice.

  3. Buy the TurboTax CD, have it prepare the paper forms, print them out, mail them in.

    • And this protects you — how? I believe to use the CD, you must set up an account with Intuit.

      • It is true that you have to at least provide an e-mail address to TurboTax when you use the CD version, but I think that the tax files are stored on your PC and not in the TurboTax cloud, so perhaps there is more protection with the CD version. That is the version that I use.

        • That is not true. I have bought it from local stores for years and used it without having to give them any information. I cannot remember the exact steps right now, but after it starts, it asks for registration information on a single screen. Just do what Nancy Reagan suggested and move on to the next step. It will ask you “ARE YOU SURE?” like the sky will fall in if you don’t, but after refusing it goes back to regular business. Then mail in the return.

          • Even if you have purchased and registered the CD, my guess is that, if I get your email address and password, I can sign on, switch your account to an online version or use my own CD, and file a return for you. My point is that you are no safer with the CD version; if someone can get your password, you’re toast.

            • You believe? You guess? Based on what evidence or strategy? Suppose you were to obtain a valid email address and passwoird from a TTax account of a user whose return is under preparation on their local computer (using the purchased CD). Unless you could phish them for their tax documents and PII, how would you propose to “switch their account to online” to fraudulently file? As long as we are “believing” and “guessing” I would guess that you don’t really know, and I believe you are spreading FUD for some reason.

              • No FUD, just speculation. I’m not a crook and I’m not going to try what I suggest. All I am saying is that the risk of using the CD is just as high as using the TurboTax online version.

                What a lot of commenters are missing is that the bad guys are not after our legitimate tax returns. The one they file is totally bogus and doesn’t have the right income or deductions. They may even make up children you don’t have. Their goal is to create a return with a big refund which IRS will quickly deposit in their checking account.

                Brian, I have to always change “Reply notification?” from “Don’t subscribe” to “Replies to my comments.” How can I change this so I don’t have to change it every time?

    • Do you know how many hands might steal mail if you send tax return in via postal mail? Electronic filing, while flawed, is still safest.

      • Last I checked, the USPS hasn’t shut down sending/receiving mail over possible state tax return fraud send via snail mail.

      • You miss the point.

        If someone steals my mail while in the USA, we know they are in the USA, and what’s more, we know the path the mail needed to take before it was stolen.

        Physical transit. Physical everything.

        Come try to take anything out of my mailbox. Then, to a lesser extent, risk taking stuff from my local post office. Then, try to steal from physical mail while being a USPS worker. Like your job? You better not if you are stealing while at the USPS.

        Compare all this “physical a** whipping” you will get if you mess with my mail to what you might get away with if I am foolish enough to rely on ecomms after this obvious example of just how even the most well-funded of sloppy arrogant failed to keep ecomms secure.

        What’s more, anyone who makes ecomms their default will default to welcoming ecomms from partners who fail to do things with best practices in mind. Example: above.

        Do you really want to debate how ecomms are safer than snail mail?

        Electronic comms are not local.

        • Physical mail gets stolen all the time. Now which is safer? Who knows, but the fact you are trying to act tough about beating someone up who is taking your mail from your mailbox is childish. Do you ever leave your house to go to work? How about to the store? I can go on with these. The potential for theft is always there. Unless you are physically watching your mailbox from the time the mail might get there until it does 6 days a week there is a good chance it could get stolen. Locked mailbox? Picking a lock is very easy.

          Also thieves can and have in the passed just taken mail from the truck itself.

          Basically just go act tough somewhere else. Throw in some constructive information, not just “It’s safer because I will beat their a**”

          • Its a fact that alot of cybercrime, harassment, vandalism, happens, because people fear no physical repercussions being safe an anonymous behind a computer screen.

            In the future people are going to realize they are not as anonymous as they think.

      • The USPS has its own police force.
        The Internet doesn’t.

        https://postalinspectors.uspis.gov/
        https://postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/mailtheft/MailTheft.aspx
        http://en.wikipedia.org/wiki/United_States_Postal_Inspection_Service

        The United States Postal Inspection Service (or USPIS) is the law enforcement arm of the United States Postal Service. Its jurisdiction is defined as “crimes that may adversely affect or fraudulently use the U.S. Mail, the postal system or postal employees.” The mission of the U.S. Postal Inspection Service is to support and protect the U.S. Postal Service, its employees, infrastructure, and customers by enforcing the laws that defend the nation’s mail system from illegal or dangerous use.

        An agency with approximately 4,000 employees, 1,200 criminal investigators, an armed uniformed division with 1,000 personnel, forensic laboratories and a communications system, and with 1,000 technical and administrative support personnel, the USPIS leads and assists in numerous joint federal and state investigations.

        http://trac.syr.edu/tracreports/bulletins/white_collar_crime/fil/
        Other frequently prosecuted lead charges include: … “18 USC 1349 – Mail Fraud – Attempt and Conspiracy” (8.5%), “

  4. I filed state & fed two days ago using H&R Block tax software, no issues so far, keeping my fingers crossed!

    $20 fee for filing state online. If I wasn’t getting a refund, I’d have mailed it in…

    • Ohio has a free online site for entering your returns. I print mine out of TurboTax and key them into the free site. Saves me the filing fee yet eliminates the paper filing.

  5. The incentives for Intuit seem a little skewed. Obviously they don’t want a rep for customers being victimized. But if the bad guys are using (presumably legit, paid for) versions of TurboTax to file fake returns, then those sales are extra income for TurboTax.

    • Last time I checked, people who find committing fraud without moral qualms have even a lesser issue with pirating TurboTax….

  6. I much prefer e-filing over the old-fashioned way: my personal data isn’t at risk while traveling through snail mail, I can update a not-yet-filed return as each piece of documentation arrives, and if I am due a refund it arrives far faster. But yes, it’s a bit messed up when a criminal could file a fraudulent return before I have received everything I need to file a legitimate return.

    @Jon, I have no inside knowledge, but I rather imagine the fraudulent returns are of the free sort, so Intuit is not making any money from them. If you are a crook, there’s no reason to fraudulently file a more complex return for a fee when you can just as easily file a fraudulent 1040-EZ for free :-/

    @Brian, you mentioned your return was “filed for you” last year — was unraveling that mess an ordeal or was it fairly straightforward? Do you have any suggestions for those that would like to file quickly but are still awaiting required documentation?

    • A couple of years ago, someone filed a fraudulent Federal return in my name. The IRS was very helpful once I found out. Now they send me a special PIN to use each year when I e-file. Perhaps the states are not as capable in that regard.

      • I am a victim this year and the irs won’t tell me anything but it will take up to 180 days for it to be looked at I need help

        • The IRS has limited resources. A Tax Examiner has to review both returns and manually make the corrections.

    • David= please reconsider. Postal mail is flawed also. Too many hands touch mail, especially during holidays or tax filing time.
      Also DO NOT get your refunds in the mail- get it electronically sent to your bank. Again, thieves are looking for checks- esp. when a mailbox is easily broken into
      Anyone hear of the “come steal me flag?” That is the red flag on unlocked boxes that most of the country uses. An open invitation. Next worst- those condo/pigeon boxes that can be easily pried open in the back.
      Finally, avoid having checks sent to any postal box- other than the post office. Sorry- MailBoxesEtc, but once the mail enters the door, an employee puts it in your personal box. The USPS is off the hook once it is handed to the employee. At least USPS postal boxes are watched by video cameras.

      • You do not have to mail a paper return by USPS, you can bring it to a local IRS office and pass it in directly to the IRS.

      • Well here in a big city, we don’t worry about that as much, as we do a guy hijacking wireless signals. Him walking up to my mailbox will be seen by neighbors. Even if not confronted in the act we will get a description. But Him parking up the block and setting up an MITM attack or working on cracking my router, is most likely going to go unoticed.

        I guess its the opposite in the country. You guys are more worried about your mailbox which is in the driveway, as opposed to the stoop. And an anonymous car parked near you, is probably going to look suspect, especially if your the only property in the area, he might get confronted.

    • Hasn’t been that big a deal so far, but ask me again after this tax filing season is over. 🙂

      • I had my taxes “filed for me” for tax year 2012. Did the whole form 14039, and got my refund about 3 months later. Fast forward to tax year 2013. I could not e-file for that year because the IRS could not match the required data from my legitimate 2012 return. Be prepared for an id theft issue to mess up at least two years worth of returns.

  7. A lot of these tax fraudsters are crimanal synicates who work out of the state prisons systems using people on the outisde to file fake tax returns via online services.

    • That doesn’t sound like an educated “analysis.” In fact, it doesn’t just sound like it – it isn’t, no offense.

      Most of this data is organized through use of malware. The people who end up using it, are simply kids and wannabe fraudsters. They often end up in jail, but they aren’t perpetrated by the people in jail – at most they got there for doing it, and will continue to do it after they are out.

  8. The way to protect against the type of hack this was, as well as most others, is the “same old-same old” … always have the runtime modules running of reliable anti-virus and anti-malware s/w on the computer you use for all home / business dealings, update their signatures DAILY, and then run regular scans. This will protect you from most all malicious install’s and intrusions on your local machine. And of course, NEVER open ANY e-mail attachments of suspicious e-mails nor click on any of their embedded links. (It’s usually quite easy to spot bogus e-mails anyway.) As far as the web goes, never visit any questionable web sites (gaming sites are BAD for viruses as well as kids), celebrity and related sites, and of course, visit porn sites at your own peril (morally as well as financially).

    Good luck to all 2014 tax filers 🙂

    • I do all those things (anti-virus, anti-malware, daily scans, realtime protection) and it didn’t prevent my info from being stolen (most likely from Intuit servers).

      And Intuit can claim “they were not breached” all they want. There are plenty of ways Intuit could have exposed our personal info – disgruntled employee or a lost backup tape are just 2 examples off the top of my head.

      The IRS told me the fraud return that used my SSN did not look like a normal identity theft tax return (furthering my suspicions that the info was stolen from Intuit).

      I hope the states (and others) continue to look deeper into this….

      • Apparently my social security was stolen, and I only ever entered it online one time many years ago on a government site.

        Like many other posters have said, selling our social security numbers is big business and common practice.

      • Have you ever considered the fact that Antiviruses don’t work? Having “protection” doesn’t exclude you from being infected. In fact, most people who use these “super-secure” systems don’t know when they’re being infected, and assume they’re safe because of it. They do nothing to protect, so don’t rely on something to tell you whether you’re clean or not, because it won’t work most of the time. Daily scans only work as good as the signatures, realtime protection only as good as behaviors, but there are obvious ways malware will evade, and signatures are capable of being changed, code is capable of being crypted. Behaviors are not a key sign either. It also goes the other way, not just with NOT detecting badware, but also picking up on GOODware, often the very things trying to protect you from the bad stuff, to put it simply.

  9. I’m pretty sure this means we no longer have to file our 2014 state taxes.

  10. I mail in the state form. The fed CD version is transmitted at the time you file it. Now I might mail the Fed the return. Do not file with the online form version.
    It’s reached a point were criminals can brute force any website info anywhere.

  11. Got hit with a fraudulent fed and state return this week (found out when I tried to eFile last night).

    IRS says the fraud return does not look like normal identity theft, as it was filed as a Joint Return and has my wife’s correct name and SSN. I don’t keep anything financial online, so the most possible sources for that info would be Intuit servers and my HD.

    With thousands of suspected fraudulent state eFile returns piling the up in many states over the last few days, Intuit would seem to be a likely source. I had eFile PINs enabled, so the scammers either had access to old return with AGI, SSN, and SOB or the eFile PINs themselves.

    So what does Intuit do ???

    After only 24 hours they turn back on the eFile $$$ spigot and claim there was no compromise of their systems. I suggest they look again.

    • I think you may be correct! Why is it only affecting Turbotax users

    • There are PLENTY of turbotax cr*dential harvesters out there. If you kept nothing online, how could it be from intuit servers? It’s easy discernably malware. Intuit is definitely capable of being compromised, but not every detail hijack is server-side. In fact even when servers are compromised, it often-times starts out as local.

  12. Brian, Do you think SQRL would help with this also instead of just 2 factor authentication? It looks promising and then the thieves would have any password to steal? Check out Steve Gibson’s website to find out more about it.

  13. Intuit DOES keep a copy of all tax returns that you E-file. Doesn’t matter if you purchased the software at a retailer or file directly from the TurboTax site. When you E-file, you first send your return to their server, its then sent to the IRS after they capture all of your information and tax data. Intuit uses all the data that we give them in TurboTax, Quicken and Mint. Just keep in mind Intuit has a copy of every tax return that has ever been E-filed with TurboTax.

  14. After an earlier story on tax fraud from KOS, I sent a nice letter to IRS asking for a PIN. Nothing. Like calling down an alley and not even getting an echo. Remember, there are members of Congress who are crippling the IRS, budget-wise..

    • per the IRS web site “As part of an ongoing pilot program, all taxpayers who filed federal returns last year from Georgia, Florida or the District of Columbia are eligible for an Identity Protection PIN (IP PIN) that will help protect them from tax-related identity theft, according to the Internal Revenue Service.” If you live in one of these states or have been a victim in past years you would get an IP Pin.

  15. Update:

    TurboTax has resumed efiling for states and according to its latest press release, “Intuit implemented targeted security measures to combat the type of fraudulent tax activity that it is seeing. These additional steps include the implementation of Multi-Factor Authentication, a proven technology for protection against identity theft.”

    http://www.intuit.com/company/press-room/press-releases/2015/TurboTax-resumes-efiling-for-states/

    • Pretty sure that once hackers have compromised your security, adding MFA isn’t going to help. MF A only works if you you are 100% sure the person who signs up controls the second factor.

      I am also skeptical of any “security fix” that can be implemented in a single day.

      • but believe it, because it’s true. While some malware species such as Zeus can bypass it, it’s but one piece of the puzzle, and not a big one either.

        If it’s your account, I doubt you’ll be entering someone else’s phone number, and if you do, I doubt they’ll validate authentication through your computer and their phone, to steal your details you allowed them to take….

  16. I got back my state which was small. I new that would be the amount.so my federal I hope will be fine too..

  17. Got message a couple years ago my return was rejected. Tuned out that Turbo tax made an error when copying over dependent tax return (teenagers). The lesson learned was not to trust any tax prep software. Manually review all of the forms generated before filling electronically. If this state tax glitch is Turbo Tax’s fault, they will spin it so it looks like it’s not their fault.

    I had to file everything by paper to fix mistake made by the TT software.

    • The only problem with that is when Congress changes the tax law (annually!) and you miss a new deduction because you’re not an expert on tax law but TurboTax is. I have made enough on saved taxes to pay for TurboTax several times over.

  18. Guess Fedora 21 running Kernel 3.18.5 and latest Chrome is not supported. LAME TurboTax!!!! but at least they made me enter a 6 digit code sent to my email for a scene of added security.

    Let’s make sure TurboTax Online works like it should for you

    We recommend installing one of the following supported web browsers.
    See the full list of system requirements for TurboTax Online
    Install Chrome
    Install Firefox
    Install IE
    Install Safari

    No thanks, continue without updating browser

  19. Good thing they had that superbowl ad saying anyone could file for free.

  20. Is there any actual information about state sponsorship of this? There are powerful forces who would like an excuse to start a war…

  21. Document Authentication in the Digital Age

    Are you who you say you are?

    How can I verify that you are who you say you are?

    Is this important?

    In some cases: authentication is not only important — it is vital.

    Let us consider Federal Tax: Forms 1040.

    We must all file our tax forms, every year, under penalty of law. Unfortunately we have some crooks around who like to file a phony tax return so they can scam some money from the IRS. They might use YOUR Social Security number for this and if they do then the IRS will reject your 1040 — stating: you already filed. Next, about 3 years from now — they will send you a nasty letter demanding settlement of variances. They are not nice about doing this.

    How might you authenticate your 1040 in such a way that crooks will fail should they attempt to file a phony return using your Social Security Number?

    The IRS will need a means by which it can AUTHENTICATE your return. You can’t just say “I’m Jones”. Anyone can do that.

    I would like to refer you now to the testimony of Whitfield Diffie, given November 2013 at a Marshall Texas patent lawsuit, defending NewEgg supply Company. This was reported by Ars Technica 2013-11-25 http://arstechnica.com/tech-policy/2013/11/newegg-trial-crypto-legend-diffie-takes-the-stand-to-knock-out-patent/

    The relevant part is under the heading: A brief history of public-key crypto

    In part: There was one other big need: proving authenticity. “The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate,” he said. “That person can recognize the signature but could not have created the signature.”

    Read the above very carefully: the problem we are solving here is the need to produce a digital signature which can be recognized — i.e. verified, or authenticated, — but which cannot be created by an intruder, scam artist, crook, or hacker etc.

    Doing this is a mathematical problem, and a difficult one. Fortunately for most of us that work has already been done and we are all free to make use of the mechanism. This can be obtained at no cost through the Gnu Privacy Guard (GnuPG) or as PGP4WIN. Alternatively PGP/Desktop could be used.

    IMPLEMENTATION

    Given that you have either the Gnu Privacy Guard or PGP/Desktop installed your tax software could be programmed to SIGN your tax return for you, using either PGP/Desktop, or the Gnu Privacy Guard.

    Needless to say the IRS would have to be notified that this would be an optional procedure. Implementing it would not be particularly difficult: a DETACHED signature could be used. The tax return — as in use today, would then be “Zipped” together with the detached signature and the resulting .ZIP container sent to the IRS.

    The IRS would then observe that they had received a PGP signed return. For this they would simply download the required Public Key from one of the commonly used keyservers. This way they would obtain your public key. To authenticate your public key you would need to have taken you key to your local credit union and obtained an authenticating signature for it before you uploaded it to the keyserver.

    One more thing: The IRS would need to note that you would be using a PGP signature henceforth. They don’t have any problem doing this sort of thing: If you file 1040ES you will get new 1040ES forms every year after that.

    Once the digital signature protocol were established the IRS would then reject any return from you that was not signed or that had an invalid signature. An invalid signature would indicate someone other that the proper person signed the return — or — that someone had altered the return — after it was signed.

    we need to start implementing effective security procedures for all our electronic commerce. if we continue doing things as we have up until now we are going to get more and more hacking.

    • We need a serious discussion of this. GPG seems very appropriate at this time. Can this be discussed/moved to a more public forum – a blog or linux user forum?

      • thanks, Patti. I certainly hope this gets a lot of serious discussion. While I think it is unlikely that the Linux Foundation would abandon the Gnu Privacy Guard (GnuPG) it should be noted that PGP/Desktop, offered by Symantec Corp. is an alternate solution.

        note that some of the respondents here offer short solutions that fail to proper address the need for AUTHENTICATION.

        it is important to read carefully and understand what Mr. Whitfield Diffie said:

        “The receiver of the document can come into court with the signed document and prove to a judge that the document is legitimate,” he said. “That person can recognize the signature but could not have created the signature.”

        You need public key encryption to do this, — and this is what needs to be done.

        Packaged Technology can make it easy for everyone to use.

        • Yes, you’re absolute right about authentication being a key part of the puzzle. One big problem is that identity theft (credential theft), not algorithm sabotage, is the new MO, and pgp/gpg doesn’t address that directly. Second, the electronic world, where everything is stored, is beginning to seem a lot like Europe in the decades before WW-I. One wonders about how to prepare for what may be coming?

  22. Do you know how many hands might steal mail if you send tax return in via postal mail?

    Do you know how many countries without privacy protection laws and reciprocity with the US your Internet traffic flows through?

  23. This is a huge problem and it’s getting large enough so they have to do something. Watch this 60 minutes video, IRS doesn’t even match your SSN and name so 40% of the fake returns pay off!

    http://ducknetweb.blogspot.com/2014/09/one-more-reason-to-license-data.html

    You get a notice that your return has already been filed and the fun starts. Even Eric Holder has had fake returns filed on his SSN.

  24. I always do my withholding so I owe taxes… Meaning I don’t have a refund to steal!

    • You do understand that these tax fraudsters don’t care if you’re actually owed a refund or not? They lie to the IRS (they are, after all, fraudsters).

      • Very good point, and as another on this thread pointed out, the IRS will come after you for their fraud. Some very good intel at this point would be information on what the IRS is doing about this, how many people are being hit, and how to protect? It’s very worrysome.

      • Is it legally helpful to create a GPG signature and attach it to an income tax return? On could do that fairly simply on a paper return, if one wound up being audited or in court. How protective is it if you use the same tax preparar every year – I imagine in an audit or court that would help establish precedent as well as requiring more stolen credentials.

      • Putting aside the moral obligations we’re supposed to have to the Government and the IRS, this is a good idea because when fraud does occur, they wouldn’t be stealing our money. Instead, we got it when we were paid as opposed to loaning it interest free to the Feds. I’d rather fight with them to prove I didn’t do it than fight with them trying to collect money that’s rightfully mine. I’ll be seeing my HR department and make the necessary adjustments on my withholdings

  25. Sorry for all the posts – but I thought I should share this: http://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN

    • And on that page I found this :

      Credit Security Freeze with Equifax

      If you have placed a credit security freeze with Equifax, you must contact Equifax to have the freeze temporarily removed. This will allow you to continue to register or use guest access. Once you have your IP PIN or are no longer attempting to register, you may contact Equifax to resume the freeze unless you have it scheduled to resume automatically.

  26. And these phone calls from phishers is/are different from the other four to five health related phone calls? I would bet their calls at least have someone available to talk with you. Not have you hold for the next available operator.

  27. ChoppedBroccoli

    Any chance this is related to dumps from the Anthem hack?

    I know tax fraud is rampant every year, but shutting down the entire state filing software for Quicken seems like it was a bit higher than Inuit expected. Wonder if its extra easy this year with the Anthem data leaked

  28. I just checked on the TurboTax site and 2-factor is not turned on yet. In fact, the phone number in the account settings is in plain text…fully visible!

  29. FBI is now investigating as to whether a Turbotax breach / data leak caused the spike in Fraud filings:

    http://news.yahoo.com/fbi-probe-fake-tax-filings-turbotax-wsj-021853578–sector.html

  30. So what is the answer to the safest way to file????