Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings
Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests in the names of millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least that is the view of Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states.
Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike. To learn more about the run-up to this extraordinary step and other tax fraud trends this year, I talked with Indu Kodukula, chief information security officer at Intuit.
Kodukula explained that in years past the dominant form of tax return scams the company has dealt with stemmed from phony federal tax refund requests. But this tax season, things changed dramatically.
“The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
Data released by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the work of the IRS, suggests the IRS has indeed improved at flagging and ultimately denying fraudulent federal tax returns. In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.
THE ROLE OF UNLINKED RETURNS
Kodukula said tax fraudsters have evolved in response to increased information sharing by the IRS with state revenue departments about phony tax returns received at the federal level. He described a process that began about three years ago, when Intuit and TurboTax received express permission from the IRS to share information about suspected bogus tax refund requests.
“It has been our understanding that this information is in turn being shared with [state treasury departments],” Kodukula said. “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having to file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.
Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.
“It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
ACCOUNT TAKEOVERS FUELED BY PASSWORD RE-USE
Not only have the fraudsters shifted from attacking the IRS to robbing state coffers, but the methods they use to steal taxpayer data also are evolving. Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.
But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: the tendency for a fair percentage of people to re-use the same password across multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen credentials at other sites, knowing that a small percentage of them will work.
“Over the past one-and-a-half years, we started to see much more of this type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
“From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
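The signal Kodukula describes (a source replaying many distinct credentials, most of them for accounts that never existed at TurboTax) can be turned into a simple detector. The following is an added illustration, not Intuit's code: the log format, field names, thresholds and sample lines are all constructed for this example.

```python
"""Detect list-validation (credential-stuffing) bursts in login logs.

Constructed example, not Intuit's telemetry: the line format, the
``reason`` values and the thresholds are assumptions. The idea follows
the article: a source that tries many distinct usernames, most of which
belong to accounts that were never used here, is replaying a list of
credentials leaked from some other site.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=ok|fail [reason=<why>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)"
    r"(?: reason=(?P<reason>\S+))?$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    unknown_user: int = 0          # failures against accounts that do not exist
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that DID log in


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        s = stats[rec["ip"]]
        s.attempts += 1
        user = rec["user"].lower()
        s.users.add(user)
        if rec["result"] == "fail":
            s.failures += 1
            if rec["reason"] == "unknown_user":
                s.unknown_user += 1
        else:
            s.successes.add(user)
    return stats


def flag_list_validation(lines, min_attempts=10, min_distinct_ratio=0.8,
                         min_unknown_ratio=0.5):
    """Return {ip: SourceStats} for sources whose pattern looks like credential replay.

    A human retrying a password hits one account many times (low distinct
    ratio); a replayed breach list hits many accounts once each, and most
    of them are not customers at all (high unknown-user ratio).
    """
    flagged = {}
    for ip, s in aggregate(lines).items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        unknown_ratio = s.unknown_user / s.attempts
        if distinct_ratio >= min_distinct_ratio and unknown_ratio >= min_unknown_ratio:
            flagged[ip] = s
    return flagged


def compromised_accounts(lines, **thresholds):
    """Accounts that logged in successfully from a flagged source: the likely takeovers."""
    hits = set()
    for s in flag_list_validation(lines, **thresholds).values():
        hits |= s.successes
    return hits


# Constructed sample: 203.0.113.5 replays twelve distinct credentials (nine for
# accounts that never existed here, one of which works); 198.51.100.7 is a real
# user mistyping a password before getting in. Addresses are RFC 5737 examples.
_T = "2015-02-13T10:00:%02dZ"
SAMPLE_LOG = (
    [_T % i + " ip=203.0.113.5 user=u%02d@example.org result=fail reason=unknown_user" % i
     for i in range(9)]
    + [_T % 9 + " ip=203.0.113.5 user=alice@example.com result=fail reason=bad_password",
       _T % 10 + " ip=203.0.113.5 user=dave@example.com result=fail reason=bad_password",
       _T % 11 + " ip=203.0.113.5 user=carol@example.net result=ok",
       _T % 12 + " ip=198.51.100.7 user=bob@example.com result=fail reason=bad_password",
       _T % 13 + " ip=198.51.100.7 user=bob@example.com result=fail reason=bad_password",
       _T % 14 + " ip=198.51.100.7 user=bob@example.com result=fail reason=bad_password",
       _T % 15 + " ip=198.51.100.7 user=bob@example.com result=ok"]
)

if __name__ == "__main__":
    for ip, s in flag_list_validation(SAMPLE_LOG).items():
        print(ip, "attempts=%d distinct=%d unknown=%d" % (s.attempts, len(s.users), s.unknown_user))
    print("accounts to step-up / reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The accounts returned by `compromised_accounts` are the ones to challenge or force a password reset on, which is the defensive follow-up to the pattern the article describes.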
Security experts (including this author) have long called on TurboTax to implement two-step authentication for customers to help address account takeovers that stem from password re-use by consumers. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.
Kodukula said TurboTax began rolling that out on Feb. 13, and that the company is currently evaluating customer logins, requiring additional authentication for returning customers who log in from a computer or device the company has never previously seen associated with that customer’s account. Those users will be forced to re-login using one of three additional authentication methods of the customer’s choosing: email verification; a special code sent via text message; or a series of knowledge-based authentication (KBA) questions from big-three credit bureau Experian.
“We’re currently challenging about 20 percent of returning users [from the previous tax season] who are logging in, which is fairly standard,” Kodukula said. “Our current MFA approach is to provide a challenge to devices we don’t recognize and we have a 15-month history of devices. Our intent is to clear that backlog over the coming weeks so that we essentially clean out our entire portfolio of devices over the next few weeks.”
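The policy described in the two paragraphs above (trust a device only after it has passed a challenge on that account, and age devices out of a 15-month history) can be sketched as follows. This is an added illustration, not TurboTax's code; the device identifier, the store layout and the method names are assumptions.

```python
"""Risk-based step-up authentication keyed on per-account device history.

Added illustration of the policy in the article; not TurboTax's code.
Assumptions: the client presents an opaque device identifier, the history
window is approximated as 15 x 30 days, and the three challenge methods
are named "email", "sms" and "kba".
"""
from datetime import datetime, timedelta, timezone

DEVICE_HISTORY = timedelta(days=15 * 30)        # "15-month history of devices"
CHALLENGE_METHODS = ("email", "sms", "kba")     # the three options in the article


class DeviceTrustStore:
    """Remembers which devices have authenticated on which account, and when."""

    def __init__(self):
        self._seen = {}  # account -> {device_id: last_seen}

    def remember(self, account, device_id, when):
        self._seen.setdefault(account, {})[device_id] = when

    def is_known(self, account, device_id, now):
        last = self._seen.get(account, {}).get(device_id)
        if last is None:
            return False
        if now - last > DEVICE_HISTORY:
            del self._seen[account][device_id]  # expire devices outside the window
            return False
        return True

    def known_devices(self, account):
        return set(self._seen.get(account, {}))


def login_decision(store, account, device_id, now, preferred_method):
    """After the password check succeeds: ("allow", None) or ("challenge", method).

    Device trust is per account, so a device known for one customer earns
    no trust when it presents credentials for a different customer.
    """
    if preferred_method not in CHALLENGE_METHODS:
        raise ValueError("unsupported challenge method: %r" % preferred_method)
    if store.is_known(account, device_id, now):
        store.remember(account, device_id, now)  # refresh last-seen on each login
        return ("allow", None)
    return ("challenge", preferred_method)


def complete_challenge(store, account, device_id, now, passed):
    """Called once the second step is verified; the device is trusted only on success."""
    if passed:
        store.remember(account, device_id, now)
    return passed


if __name__ == "__main__":
    store = DeviceTrustStore()
    t0 = datetime(2015, 2, 13, tzinfo=timezone.utc)
    print(login_decision(store, "alice", "dev-A", t0, "sms"))          # challenge
    complete_challenge(store, "alice", "dev-A", t0, True)
    print(login_decision(store, "alice", "dev-A", t0 + timedelta(days=30), "sms"))  # allow
```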
WHAT TO DO IF YOU’RE A VICTIM
If you file your state taxes this year and discover that your state return has already been filed, you should report the matter to your state revenue agency. For a list of state agencies, their hotlines and Web sites, see the second half of this page.
Intuit is encouraging all previous and current TurboTax customers to log into their accounts to see if there has been a return fraudulently filed. The company also is encouraging users to verify their bank account information and be sure that hasn’t been changed, as well as any other contact information associated with the account. Customers who detect errant changes can call TurboTax customer service at 800-944-8596. The company says it’s also offering free credit monitoring service for customers that have had account compromises.
If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.
That process is likely to involve the use of taxpayer-specific PINs for people who have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.
Also, consider placing a fraud alert or freeze on your file at the major credit bureaus. If crooks have enough of your personal information to file a fraudulent tax return in your name, those same lowlifes can use that data to commit other crimes. Placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.
You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.
If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.
A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”
Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.
Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.
Many consumers turn to credit monitoring services to protect them and their loved ones from identity thieves. Before you shell out good money for such a service, check out the primer I wrote about the uses and limitations of credit monitoring services.
Also, check to see whether an organization that stores your information has potentially exposed it in a recent data breach. Chances are they are already offering credit monitoring to you for free. For example, some 80 million+ Americans are likely to get this offer from Anthem, the health insurance giant that recently announced that it would be notifying affected members by snail mail about credit monitoring offers. Some 56 million Home Depot shoppers also are eligible thanks to their data breach in Sept. 2014.
Virtually any company listed in the past year in my Data Breaches category is offering it, but my site is hardly an exhaustive list. California’s Office of the Attorney General has a searchable list of companies that have recently reported data breaches, and nearly all of those firms are offering free monitoring services for affected consumers.
Brian, the sentence “See this site for more details on the various state freeze laws and instructions on how to obtain them” doesn’t actually contain any link…
Also, what do you do if you find out you’ve had someone file a fake federal return in your name?
Thanks
Thanks, added the link.
As for federal tax fraud, call the IRS (800-908-4490) or check out the resources on the IRS homepage.
One problem I have with all those credit monitor sites is that you need to provide your SSN to them.
So your zero-liability credit card gets exposed, and as a response you provide some credit monitor company your SSN, birth date and full address … I just don’t get that.
OK, perhaps you were already planning on getting credit monitoring, in which case the free offer is a good deal. Also some of these credit monitor companies are solid companies that have been around for some time. But you also see some breached companies now offering services from less known smaller entities.
IMHO it is only a matter of time before some of these companies actually lose your data …
Was the state tax fraud related directly to TurboTax — was the fraud perpetrated via their software or access to their customers’ information? Were TurboTax customers the primary victims?
(Note: I’m an employee at Intuit, and a regular reader of KrebsOnSecurity.)
At this point, there is no evidence suggesting that Intuit or TurboTax systems have been compromised. Palantir conducted an external security assessment which drove this conclusion. Public statement by the company: http://blog.turbotax.intuit.com/2015/02/11/turbotax-update
The identity theft and fraudulent tax filings are a tax prep industry-wide problem. As far as why TurboTax specifically was the one to attract the attention on this, there are two likely reasons:
1. TurboTax is (by far) the market leader, processing a huge percentage of tax returns, which makes fraud cases more likely to have been filed with TurboTax than other software. (It’s also an attractive target for criminals, since a random US citizen is most likely to have filed with TurboTax previously, so attempting to re-use credentials to gain access to the account is more likely to be successful.)
2. TurboTax, until last week, allowed e-filing unlinked returns (as discussed in the above article). Other tax prep companies did not. While there are some legitimate reasons for doing this, it makes it a lot easier for criminals to commit fraud. Based on the significant uptick in fraud seen, TurboTax decided to stop allowing unlinked returns, which ultimately will protect the vast majority of people from fraud.
As far back as 3 years ago, I would try to explain to potential customers (businesses both large and small) the potential risk of not having an ISMS plan, and perpetually executing on said plan. So many would stop me mid-sentence and say “…but we’re not in retail, don’t accept credit cards, and therefore we don’t have anything a cyber-criminal would want.”
My response would be; ‘How about your HR and payroll records? They contain all of your employees info including the W2’s generated at year end…’
Them: ‘Even if thieves get that info, what can they do with it? ‘
Me: ‘They can file your employees taxes, and have refunds redirected to them’
Them: ‘Awww, c’mon, the IRS would never let that happen…but thanks for your time. We have our data security under control with our firewall and our anti-virus’
Do people who use their CDs have a problem or is it just people who do their taxes online? I use the CD and have had a problem with my Federal taxes. Someone filed a 1040A using my info late last year. The IRS held up payment because of a social security problem. I don’t know what is going to happen with the state. I am receiving some fraud protection from Home Depot. Will Intuit step up to the plate next?
The problem is not specific to TurboTax or the method by which you file.
A scam artist who has abused your Social Security Number to file a false federal or state return in your name, before you filed yourself, will cause the IRS or state to stop processing your return unless you can verify your identity.
Some crooks buy lists of SSNs from clerks at dentists offices or similar places that have them on record.
The entire crime can be committed without a computer, although the criminal groups that specialize in this scam prefer computers and efiling for the productivity.
I hope that helps.
S.
Another good article , keep them up Krebs !
I have been a victim of identity theft and credit card fraud shortly after purchasing my home. I believe my info leaked through the bank or Realtor.
Twice over 3 years someone called my credit card companies as me and requested new cards to be sent, intercepted them at my mail box or requested a different address for delivery.
At what point is it recommended to change social security numbers?
Also it is a good idea to alert your credit card company and bank of the breach and request to change your mother’s maiden name to a password, also request that if the password cannot be answered the only course of action be to physically visit a bank branch with ID.
http://www.ssa.gov/pubs/EN-05-10064.pdf
Seems to be the official answer.
Good luck.
Bill, there is no mechanism for changing your SSN. Your SSN is assigned for life and can never be changed, mostly to prevent fraudulent activity.
That’s incorrect. Please read http://www.ssa.gov/pubs/EN-05-10064.pdf
You can jump to page 7 if you like:
«If you decide to apply for a new number, you will need to prove your identity, age and U.S. citizenship or immigration status. For more information, ask for Your Social Security Number And Card (Publication Number 05-10002). You also will need to provide evidence you are having ongoing problems because of the misuse. Keep in mind that a new number probably will not solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number will not guarantee you a fresh start.»
In the current environment of massive personal data breaches, no one can afford to assume that his or her Social Security number is secure any longer. The best recourse for the prudent consumer is to place a credit freeze at all of the major bureaus. That’s the only proactive thing we can do to truly bring our credit back under our own control. As Brian has written on many occasions, a freeze is the only way to ensure that credit in your name won’t ever be extended to fraudsters.
Really, this “opt-in” to credit issuance is the way that the bureaus should be operating already, but based on history I think it’ll still be a few years before people start waking up to the fact that SSN is a useless authentication mechanism. Leaving the credit application system wide open to anyone, then trying to react after the fact when credit is stolen is such a dumb way for the modern economy to operate. Only when this starts sinking in will Congress be forced to act and legislate a (hopefully well considered) solution.
After Anthem got hacked I decided to take all of your advice and some from PBS guests about this issue. I froze my (and my spouse’s) accounts on all 3 top credit agencies. I then read in one of your recent posts to get off the mailing lists of all 3 major credit agencies.
I swear! I am going to cash. This is just so much crap to put up with. BTW, I hate carrying around hundreds to support my business habits.
Rick Blaine
Owner 1942 Cafe Americain in Casablanca
I thought Café Américain only dealt in cash. At least according to Captain Renault. And being in Morocco, they don’t have to file with the IRS.
One could follow the path I took last year….move to Florida, which does not have a state income tax.
The weather is also much better than in Fairfax, Virginia.
but Florida has Stand Your Ground gun laws, which I do not support. We no longer visit Florida or buy Florida Natural orange juice (as a boycott until SYG is repealed). For winter warmth, visit the desert area near Palm Springs/Joshua Tree National Park.
In that case I recommend the opposite corner of the USA, my current home state of Washington, which also does not have a state income tax.
Florida is far from alone in having “stand your ground” state laws. They are just the most well-known thanks to the Trayvon Martin case.
Nice article Brian. In my opinion Intuit has some blame here as their bulk emailing practices have been somewhat sub par when it comes to security. It has not been easy to tell between a phishing / bogus and an Intuit marketing email, as an Intuit email does not even have my name; this aspect is often a major clue of a bogus email. The lack of domain keys in the name of Intuit is a second item of note I have seen.
I really don’t understand why the Fed and State taxing authorities just don’t issue PIN numbers every year to submit returns as another proof of identity? Most States now have websites where they provide taxpayers with personal payment and tax records, why not a PIN code changed often to enter with the tax return? Its not foolproof, but it will make things difficult for cheats. If no PIN is provided, the return could be considered suspicious and delay sending a refund until it is further investigated.
They actually have this PIN system, but you can only use it if you were the victim of a false return once.
Even more funny is that they also have such a system in place for the e-payments. These use a PIN they assign plus a password you assign. Granted, a one-time PIN, but still something that is not on file everywhere like your SSN. Plus the password you pick makes it very secure.
Seems to me the IRS IT systems are just not ready for this to scale up? They have it, why not scale it up?
The IRS uses the excuse that they are underfunded – but nobody points out that the savings alone would fund it several times over! Ach! The gubbamint is hopeless!
Indeed, but the catch-22 is that in order to save that money several times over, they need a budget increase to implement the system.
And getting a budget increase in this political climate, especially with the IRS is being treated as a punching bag by politicians, is simply not going to happen.
I have never used TurboTax, but had fraudulent returns filed this year. Obviously, there are many places a thief could get your information. Fortunately, North Dakota does some checking on e-filings and detected the questionable return. Too bad the IRS doesn’t do this as a fraudulent federal return was filed as well.
“Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service”. As a U. S. resident I googled “how many credit reporting agencies are there”. The first two hits were .gov sites:
http://www.whitehouse.gov/blog/2012/07/17/so-how-many-consumer-reporting-companies-are-there
http://files.consumerfinance.gov/f/201207_cfpb_list_consumer-reporting-agencies.pdf
There are credit reporting agencies that have specialties.
Sometimes Brian mentions Innovis.
Personally I froze my credit w/ the big 3 + Innovis (aka the big 4).
+1
Here is a “blast from the past” (Nov 14, 2002) about Innovis: http://www.bankrate.com/brm/news/mortgages/20021114a.asp
and another description a little more current: http://blog.smartcredit.com/2011/06/20/who-is-innovis-are-they-a-fourth-credit-bureau/
Using credit reports from four credit bureaus translates into being able to get an annual credit report every three months. Innovis has a consumer assistance “800” number.
Nice work Brian. Just an FYI, the state of Michigan now allows residents to freeze their credit report with the 3 major bureaus.
http://michigan.gov/ag/0,4534,7-164-17337_20942-182414–,00.html
Ah, good. I was wondering if that state legislature would ever accomplish anything besides nonsense like requiring women to buy rape insurance and censuring legislators who mentioned the word “vagina.” Now all they’ve got to do is work out how to fix their roads and bridges before they get pummeled back to dirt roads and fall down, respectively. But I’m sure they’ll just find something more pointless and partisan to spend their time on.
Hmm. One thing the feds and states can do is this:
Eliminate penalties for reasonably-sized underpayments, and encourage people to withhold a little less.
I’m guessing that both federal and state tax accounts with a $10 balance due on April 15th are safe from this particular scam.
I don’t know about the state case, but for the IRS instances, the fraudulent returns included fake W2s or similar to enable the filer to receive way more money than the legitimate filer would be entitled to receive.
The fraud wasn’t about stealing the refund for a filer, it was about pretending that a filer was entitled to a huge refund, and then asking for that refund.
The main reason that the IRS initially couldn’t do anything is that the IRS doesn’t receive the W2 or similar records long enough in advance of the legislatively imposed deadline for issuing a refund. — Once the real documents arrive, the IRS would detect there’s a problem, but the refunds would have been issued to prepaid cards, the cards would be emptied, and the money would be long gone.
The fraud was closer to making up an imaginary person w/ an imaginary job (and possibly imaginary children) and then slapping a legitimate SSN onto the package.
If the state fraud is anything like the federal fraud, then adjusting the withholding for people wouldn’t have any impact on the fraud.
It sounds like the state return fraud was fairly successful for a while, which argues that states probably have similar failings (inability to reconcile a filed return w/ “trustworthy” supporting data submitted through other channels).
They are not so much getting your money. They are claiming false income, false deductions, etc. The whole return is false.
The IRS has checks in place, and a large percentage of false returns actually get rejected. But don’t forget that around 40% of the US pays close to zero Federal income taxes after taking all deductions. On top of that a lot of people have a close to zero balance after standard employer withholdings. So any non-standard deduction takes them into refund territory.
Last, let’s not forget this type of fraud is very new. Five years ago it was almost non-existent.
So it is not that odd that many slip through the cracks.
We cannot trust traditional email anymore. Binfer on the other hand bypasses cloud storage servers making it very safe to send secure email. Check it out: http://www.binfer.com.
Ollie, the majority of Tax ID Theft cases are not “stealing your refund.” The fraudsters are making up numbers that can’t be checked for months. They don’t care whether the victim has a refund due or not. When a refund is due the real taxpayer, it will eventually get paid.
Unfortunately, TIGTA and GAO reports on the patterns and the statistics are lagging indicators.
I do see a silver lining in the TurboTax/state fraud calamity in that there are now more agencies (government and commercial), taxpayers, security experts and legislators with more “as it happens” awareness.
Police blotters around the country are lighting up like Christmas trees. The public is more aware of the need to report their case to their local police, the IRS, credit agencies, the FTC, newscasters etc.
I have been tracking online reports for over a year on my twitter feed and am hopeful that we see a real benefit from crowd sourcing trend to alert the statistics gatherers about trends in a more timely fashion.
https://twitter.com/ancestralmanor
I was unexpectedly faced with some KBA questions which were obviously derived from a credit report when I tried to log in to a web site (I don’t recall which one) recently. How am I supposed to remember who issued the loan for a car I bought 30 years ago? Naturally, I failed the KBA test, so I could not log in. I wasn’t going to go research the issue when sitting in front of a blinking cursor, which would no doubt time out while I did so. Given Experian’s history and the errors in credit reports generally, that sort of “knowledge” is far from secure or accurate. There are better authentication methods.
I agree. Same thing happened to me when I attempted to file for credit freezes last week (anthem worries): Experian brought up stuff about my student loans (haven’t had one in over 20 years!), amount of my last car loan (5 years ago?), etc. I failed as well and had to snail-mail the PII to them (sheesh!).
I’ve had problems with Experian, too. It’s been over a month, and I still have NOT received confirmation that a security alert has been placed on my acct with them. And Experian has made it virtually impossible to reach a human by phone, UNLESS you sign up for one of their services.
The other three agencies aren’t doing that. I’ve had NO problems dealing with any of the others. It’s just Experian.
I’m beginning to think Experian is *purposefully* making things difficult in order to reduce or eliminate “free” services that the law requires.
So I’m considering filing a complaint about Experian with my state AG, and I would encourage others with similar problems to do likewise. Maybe if enough pressure is brought to bear by enough state AG’s, then they will HAVE to fix things.
You could also lodge a complaint with the Consumer Financial Protection Bureau. I hear they get on it like a junk yard dog!
Another problem with KBA… they don’t always know the answer themselves, they’re data mining.
Yes, it can be MUCH easier for “the bad guys” to circumvent KBA (and they don’t care how many accounts they lock out in the process) than it is for an individual to remember these obscure details. KBA will never go away as long as companies can make money by pretending to offer multi-factor authentication (“I’ll ask for MANY things they know, not just one! That’ll prove how important security is to me!”).
JANE on FEB 18th 2015 said:
“Another problem with KBA… they don’t always know the answer themselves, they’re data mining. ”
Exactly. Another way to try and stay private is to Never Give Out Your Social Security Number. This means at dental or MD offices, etc. If any one requests it, ask (demand) an alternate option. My dental office ignorant receptionist claimed they “had to have it for billing purposes” in which I reminded her that I was paying cash, and had nothing TO bill. Don’t let them bully you into sharing such private information.
“When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”
This seems like it would be a sensible default, rather than something exceptional that you have to take action every three months to sustain.
And then there’s this: “most states allow for the placement of a freeze for a $10 fee”
In other words, what the credit bureaus are saying is “we aren’t *supposed* to give out lines of credit in your name to anyone but you, but we will give them out to anyone who finds out some fairly easily discovered facts about you unless you pay us an extra ten bucks every three months, and only then will we use a stronger form of authentication to give them only to you.”
Sounds a lot like extortion when it’s phrased that way, doesn’t it? All it needs is one finishing touch:
“Nice credit rating you have there. It’d be a shame if something happened to it.”
I absolutely agree with this. Our current credit system is a relic of the 20th century, and it’s failing miserably under 21st century threats. I think it will require an act of Congress to force the bureaus to update these outdated “assumed trustworthy” business practices that are harming both creditors and consumers.
Yep, it’s extortion.
But for the time being, I’m paying the extortion because the alternative is bad.
Besides, someone can file a class action lawsuit later and get me a refund :).
Do you think you could put up a page listing every data breach that you hear about? You have the tag for articles, but it would be pretty helpful to have a straight list to refer people to. If you hosted such a list then you could link each one to the article you write up of course.
Does the California list cover businesses and entities that don’t do business in California? That’s the reason I was looking for something from you.
It’s possible the California list also covers companies whose customers are in California.
All things considered, I suspect the California list is “good enough” for most victims.
Maintaining such a list would be a full time job, I’d rather California do it than someone else (well, it’d be nice if http://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection did it, but short of them, California seems fairly well equipped to handle it — the only other reasonable alternative is NY).
Troy Hunt runs a fantastic public service website at https://haveibeenpwned.com. You can search by your email address, and it will tell you if that address has been publicly disclosed in a breach or “paste”. You can also sign up to be notified as soon as your address appears in the contents of a future breach or paste.
Of course, this will only let you know about publicly disclosed breaches, but it’s a good start.
The ID Theft Resource Center publishes a weekly update to data breaches large and small. If there is a more complete list, I’d like to know. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Whether it was the IRS (or Treasury or FBI), this example of a TurboTax user whose information was breached had agents following up at his home this past weekend. http://www.mcall.com/news/local/watchdog/blog/mc-irs-investigating-local-fraudulent-tax-filing-through-turbotax-20150218-story.html
There’s a fundamental problem that no one seems to be aware of concerning all these suggestions to move away from the SSN as the primary identifier.
Right now, the SSN is The One Ring That Rules Them All. So, of course, all the Bad Boys are chasing after it, and spending enormous amounts of time & energy figuring out — and exploiting — all the various weaknesses in the current systems that allow them to get it.
If, however, *something else* replaces the SSN as the primary identifier, e.g. a PIN, or what-have-you, then guess what? All the Bad Boys will stop chasing after the SSN, and begin to chase after whatever has been chosen as The *NEW* Ring That Rules Them All. And the Bad Boys will begin to spend enormous amounts of time & energy figuring out — and exploiting — all the various weaknesses in the *NEW* systems that will allow them to get it, WHATEVER it is.
And if you do not think that the Bad Boys WILL succeed in this endeavor, then either you don’t understand history and human nature very well, or you haven’t really *thought* about it very much.
The core problem is much simpler:
1) that the SSN is used as a password, while it is more like a user-name.
2) there is no central database to verify any info for validity.
It is no problem to replace SSN by a PIN, as a PIN can be unique for every service, but even if not, can be changed if compromised. Bad guys will try to get your PIN, but unlike SSN, once they have it their window of opportunity is limited. With SSN it is forever.
Of course this does mean that every time you want to open credit, you either have to go in person, or send a notarized copy in. Secrecy does conflict with convenience, and many don’t realise it.
Also privacy does. One of the main reasons why ID theft works is because the US does not have a central database of where people live. Many European countries have one, and ID theft like we have is close to zero due to that. So e.g. you cannot have your tax refund sent to an address other than the one in the central database. And changing that master address can only be done in person at a city hall or so. Hence the privacy price for this security is steep …
If you get an IRS PIN number now (http://www.irs.gov/Individuals/Electronic-Filing-PIN-Request), would that prevent some fraudster from scamming you?
Not in this case. The scam was against individual states as opposed to the federal government.
I’m not sure how stupid individual states are.
Conceivably, any citizen can move to any state at any time. I’d hate to have to get ~54 (federal + DC + 50 states + Guam + Puerto Rico) PINs to guard against this.
This is basically the fault of the individual states, and it should be their job to fix it / protect against it.
A PIN is one way to implement a multi-stage authentication system, serving several purposes. First, you need the “code book” to other “code books.” Not as easy to tie one data breach to another. Then, if you are launching a real fraud ring campaign, the patterns of breaches act like radioactive dye providing traces in the computer systems that can be triangulated.
Can I just have them shut off internet access for my “tax account” and only send\receive through snail mail?
Used to be identity and debt were tied to property, which made identity trivially auditable.
Now banks are attempting to tie identity to individuals so that you can treat the individuals as property, which requires you securely tag the individuals. Unfortunately, biometrics fail more often than not and are not a feasible solution.
The fraudsters are doing us a favor, but I fear for what this government will do next.
You are them. You call the shots. I drive to my CPA’s office, hand them the docs they need to do my taxes, within a week they call me and tell me how much my refunds are (I’ve always been happy w/the results). They then do direct deposit into my bank minus a fee that IMO is well worth it. The onus is on them for accuracy, proper filing protocols, etc… – no IRS punctilios. I get a copy of the report mailed to me and that’s it. Works great going on six years now.
Wrong on at least TWO counts.
First of all, read and understand the tax law: no matter who prepares your taxes, ultimately *YOU* bear the responsibility for what’s on *YOUR* return.
Second, you seem to be missing the whole point of this article: there’s NOTHING in your chosen filing protocol (or any other, for that matter) that prevents a Bad Actor from filing a return using your name and SSN, together with totally fictitious data, and claiming a refund WEEKS before you have ever assembled and delivered ANY papers to your CPA.
I respectfully disagree; you need not shout. I have a right to trust my CPA. I give him all of the tax documents required. They are issued by entities that by law must issue me accurate, precise (to the penny) statements. I review them quickly & it’s easy as pie to see that they are 100% correct. I don’t need to interpret the law. I don’t have to do anything except sign the completed forms which come out just fine, thank you very much. I do as it says in the Bible and “give to Caesar that which is Caesar’s”. I have nothing to hide. I follow the law. I have a right as a US Citizen to continue to proceed in this manner until the Doomsday clock hits midnight. Brian is a modern day hero and I certainly do discern from his wisdom & knowledge.
I ultimately decide, however, to follow His path as it is revealed to me. Thanks Brian, et al…
Peace & Godspeed as we “Fight the good fight of faith, lay hold on eternal life, whereunto thou art also called, and hast professed a good profession before many witnesses.”
1 Timothy 6:12
No one said you don’t have a right to *trust* your CPA; what EstherD said is that *legally* you (not your CPA) are responsible for the information filed on your tax return.
I trust my CPA, too. But if the information on the return is wrong (due to innocent mistyping, for instance), *I* (not my CPA) have to answer to the IRS when they decide to audit me.
Well good luck to you then, as you may have some splainin’ to do.
Myself, I would love to RSVP the IRS and do lunch or something apropos with them 😉
If fraudsters are making up returns and slapping a stolen SSN on it, this should be more easily discovered. The taxing authorities have your past returns and can look back to get a reasonable estimate of what your numbers should look like. For example, filing status, dependents, and types of income outside some reasonable fluctuation could be flagged. They could score historical returns and delay refunds for any return which falls outside that parameter without first requesting more information. It could be as easy as sending an email to an old email address on file and asking for confirmation that the return was actually filed. It seems much more can be done by the government agencies than is now being done.
They already do all this.
As I said higher up, 40% of the US has close to zero Federal tax liability, and even more have it after standard employer withholdings.
So any deduction will take you into refund territory. E.g. just claim some medical expenses and boom, there it is. And it is very hard (expensive and time consuming) for the IRS to verify that you didn’t have that expense.
Let’s also not forget that to file a fraudulent tax return using TurboTax or any other eFile system, one typically still needs last year’s AGI (or their PIN), accurate to the dollar. It is harder than some people think!
Hence that is why many of these frauds are either W2-theft related or, like in this article, users that used the same password for their taxes as their favorite blog website.
Hence, sorry if I’m harsh, but as this article demonstrates, a big part of the blame lies with the users of TurboTax themselves.
Of course TurboTax should have multi-factor authentication for something as important as taxes, but users who recycle passwords have *also* themselves to blame.
Anthem has updated the credit monitoring and identity recovery services posted on anthemfacts.com
I don’t know if you are required to wait for their snail mail notice to fully register. I was able to do step 1 without prior receipt of the notice as long as I checked a box to verify I am a potentially affected customer. I want to document my efforts to get help, as fraudsters can use your info in 24 hours; they don’t have to wait the weeks it takes Anthem to notify “Potentially affected customers”.
This is a large issue in Florida. Criminals are doing nothing more than paying off people who work in small doctors’ offices that are located in low-income neighborhoods and surrounding areas.
With the payoff, comes the reward: patient records. In these records are name, address, SSN, DOB, etc.
After the information is “bought” they file false tax returns and request the refunds be sent to their drop addresses via the IRS’s convenient pre-paid VISA card.
Do you think the IRS matches the addresses of people to the addresses to which refunds are sent? NO
Being someone in the security industry, I’ve never heard of Indu Kodukula, the CISO of Intuit. Looking him up on LinkedIn, he doesn’t even list Intuit as an employer, but I think it’s him since he’s connected to Brad Smith (Intuit CEO) and other Intuit people. Who is this guy? He has no security background at all, appears to have been a COO at Limelight and Manager somewhere else.
Krebs: are you sure you were speaking to the CISO of Intuit?