72 comments

  1. This Indu character says they noticed fraudsters using credentials from other sites 18 months ago? I recall a press release when Intuit said they were not proactively advising customers to change passwords? If they knew compromised accounts were reused in TurboTax, isn't that negligence? It seems this security guy Indu has no security background? How serious can they be about security?

    • I don’t want to jump to conclusions here about this Indu individual, but it just seems strange he doesn’t list himself as CISO at Intuit, and he seemingly has no background in security.

      Googling “intuit ciso”, I found two people who actually claim to be CISO at Intuit:

      Jerry Archer, 2007-2009
      Eric Martin, 2010-2013

      but nobody since 2013. I wonder if Intuit doesn’t really have a CISO and this Indu guy is just some senior manager/executive stepping in while the position is vacant? Seriously though… for a company that handles people’s SSNs, you would expect that they have a seasoned CISO and a really strong security team of uber hackers… something doesn’t seem to line up.

  2. 3 years ago, TurboTax buttons guaranteed you paid 2 times to get your state refund, even if it was included in the package.

    Last year it tried again, I spent 3 hours on the phone till they sorted it out.

    This year after reading this, for the first time in over 11 years I’m using H&R Block’s software, it’s cheaper, and if I’m taking a gamble anyway.

    I’m curious when the prosecution of helping criminals starts, too bad they took a good product and treated their customers so badly.

  3. Intuit’s two-factor authentication is a sham. You have the choice of getting a challenge over email or SMS. If your email is compromised, the bad guys will just use email for the 2FA and delete it when they get the email.

    A hacker can then subscribe to their products using a stolen credit card and then have access to your past tax returns.

    Also they do not let you delete your account. They refuse to delete your account even if you ask. There is no explanation. It’s probably because they don’t want to “lose” market share. So your personal info is on their site forever.

    All they offer is for you to obscure your profile. But, your tax returns are linked to your account so this does nothing. They won’t let you hide those returns from appearing in your account.

    So if they never delete accounts, then fraudulent accounts will never be deleted and hackers can keep trying to file bogus returns.

    Never open an online account with them.

  4. My husband had a fraudulent return filed in his name this year, and we just found out two days ago. This is real. It’s very sad all of the money that is being stolen from America.

  5. One of my coworkers just came up with the best idea I heard all day.

    How about “Poisoning the Well”?

    Everyone set up a bunch of Honey Pot type databases with fake SSN, Medical, etc data.

    The bad guys will sell so much bad info no one will want any of it anymore.

    Thoughts?