72 comments

  1. Brian, the sentence “See this site for more details on the various state freeze laws and instructions on how to obtain them” doesn’t actually contain any link…

    Also, what do you do if you find out you’ve had someone file a fake federal return in your name?

    Thanks

  2. One problem I have with all those credit monitor sites is that you need to provide your SSN to them.

    So your zero-liability credit card gets exposed, and as a response you provide some credit monitor company your SSN, birth date and full address … I just don’t get that.

    OK, perhaps you were already planning on getting credit monitoring, in which case the free offer is a good deal. Also, some of these credit monitor companies are solid companies that have been around for some time. But you also see some breached companies now offering services from less known, smaller entities.

    IMHO it is only a matter of time before some of these companies actually lose your data …

  3. Was the state tax fraud related directly to TurboTax — was the fraud perpetrated via their software or access to their customers’ information? Were TurboTax customers the primary victims?

    • (Note: I’m an employee at Intuit, and a regular reader of KrebsOnSecurity.)

      At this point, there is no evidence suggesting that Intuit or TurboTax systems have been compromised. Palantir conducted an external security assessment which drove this conclusion. Public statement by the company: http://blog.turbotax.intuit.com/2015/02/11/turbotax-update

      The identity theft and fraudulent tax filings are a tax prep industry-wide problem. As far as why TurboTax specifically was the one to attract the attention on this, there are two likely reasons:
      1. TurboTax is (by far) the market leader, processing a huge percentage of tax returns, which makes fraud cases more likely to have been filed with TurboTax than other software. (It’s also an attractive target for criminals, since a random US citizen is most likely to have filed with TurboTax previously, so attempting to re-use credentials to gain access to the account is more likely to be successful.)
      2. TurboTax, until last week, allowed e-filing unlinked returns (as discussed in the above article). Other tax prep companies did not. While there are some legitimate reasons for doing this, it makes it a lot easier for criminals to commit fraud. Based on the significant uptick in fraud seen, TurboTax decided to stop allowing unlinked returns, which ultimately will protect the vast majority of people from fraud.

  4. As far back as 3 years ago, I would try to explain to potential customers (businesses both large and small) the potential risk of not having an ISMS plan, and perpetually executing on said plan. So many would stop me mid-sentence and say “…but we’re not in retail, don’t accept credit cards, and therefore we don’t have anything a cyber-criminal would want.”

    My response would be: ‘How about your HR and payroll records? They contain all of your employees’ info, including the W2’s generated at year end…’

    Them: ‘Even if thieves get that info, what can they do with it?’

    Me: ‘They can file your employees’ taxes, and have refunds redirected to them’

    Them: ‘Awww, c’mon, the IRS would never let that happen…but thanks for your time. We have our data security under control with our firewall and our anti-virus’

  5. Do people who use their CDs have a problem, or is it just people who do their taxes online? I use the CD and have had a problem with my Federal taxes. Someone filed a 1040A using my info late last year. The IRS held up payment because of a social security problem. I don’t know what is going to happen with the state. I am receiving some fraud protection from Home Depot. Will Intuit step up to the plate next?

    • The problem is not specific to TurboTax or the method by which you file.

      A scam artist who has abused your Social Security Number to file a false federal or state return in your name, before you filed yourself, will cause the IRS or state to stop processing your return unless you can verify your identity.

      Some crooks buy lists of SSNs from clerks at dentists’ offices or similar places that have them on record.

      The entire crime can be committed without a computer, although the criminal groups that specialize in this scam prefer computers and efiling for the productivity.

      I hope that helps.

      S.

  6. Another good article, keep them up Krebs!

  7. I have been a victim of identity theft and credit card fraud shortly after purchasing my home. I believe my info leaked through the bank or Realtor.

    Twice over 3 years someone called my credit card companies as me and requested new cards to be sent, then intercepted them at my mailbox or requested a different address for delivery.

    At what point is it recommended to change social security numbers?

    Also, it is a good idea to alert your credit card company and bank of the breach and request to change your mother’s maiden name to a password; also request that if the password cannot be answered, the only course of action be to physically visit a bank branch with ID.

    • http://www.ssa.gov/pubs/EN-05-10064.pdf
      Seems to be the official answer.

      Good luck.

    • Bill, there is no mechanism for changing your SSN. Your SSN is assigned for life and can never be changed, mostly to prevent fraudulent activity.

      • That’s incorrect. Please read http://www.ssa.gov/pubs/EN-05-10064.pdf
        You can jump to page 7 if you like:

        «If you decide to apply for a new number, you will need to prove your identity, age and U.S. citizenship or immigration status. For more information, ask for Your Social Security Number And Card (Publication Number 05-10002). You also will need to provide evidence you are having ongoing problems because of the misuse. Keep in mind that a new number probably will not solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number will not guarantee you a fresh start.»

    • In the current environment of massive personal data breaches, no one can afford to assume that his or her Social Security number is secure any longer. The best recourse for the prudent consumer is to place a credit freeze at all of the major bureaus. That’s the only proactive thing we can do to truly bring our credit back under our own control. As Brian has written on many occasions, a freeze is the only way to ensure that credit in your name won’t ever be extended to fraudsters.

      Really, this “opt-in” to credit issuance is the way that the bureaus should be operating already, but based on history I think it’ll still be a few years before people start waking up to the fact that SSN is a useless authentication mechanism. Leaving the credit application system wide open to anyone, then trying to react after the fact when credit is stolen is such a dumb way for the modern economy to operate. Only when this starts sinking in will Congress be forced to act and legislate a (hopefully well considered) solution.

  8. After Anthem got hacked I decided to take all of your advice and some from PBS guests about this issue. I froze my (and my spouse’s) accounts on all 3 top credit agencies. I then read in one of your recent posts to get off the mailing lists of all 3 major credit agencies.

    I swear! I am going to cash. This is just so much crap to put up with. BTW, I hate carrying around hundreds to support my business habits.

    Rick Blaine
    Owner 1942 Cafe Americain in Casablanca

    • I thought Café Américain only dealt in cash. At least according to Captain Renault. And being in Morocco, they don’t have to file with the IRS.

  9. One could follow the path I took last year….move to Florida, which does not have a state income tax.

    The weather is also much better than in Fairfax, Virginia.

    • But Florida has Stand Your Ground gun laws, which I do not support. We no longer visit Florida or buy Florida Natural orange juice (as a boycott until SYG is repealed). For winter warmth, visit the desert area near Palm Springs/Joshua Tree National Park.

      • In that case I recommend the opposite corner of the USA, my current home state of Washington, which also does not have a state income tax.

      • Florida is far from alone in having “stand your ground” state laws. They are just the most well-known thanks to the Trayvon Martin case.

  10. Matthew Harrington

    Nice article Brian. In my opinion Intuit has some blame here, as their bulk emailing practices have been somewhat sub-par when it comes to security. It has not been easy to tell between a phishing/bogus email and an Intuit marketing email, as an Intuit email does not even have my name; this aspect is often a major clue of a bogus email. The lack of DomainKeys in the name of Intuit is a second item of note I have seen.

  11. I really don’t understand why the Fed and State taxing authorities just don’t issue PIN numbers every year to submit returns as another proof of identity. Most States now have websites where they provide taxpayers with personal payment and tax records, so why not a PIN code, changed often, to enter with the tax return? It’s not foolproof, but it will make things difficult for cheats. If no PIN is provided, the return could be considered suspicious and delay sending a refund until it is further investigated.

    • They actually have this PIN system, but you can only use it if you were the victim of a false return once.

      Even more funny is that they also have such a system in place for the e-payments. These use a PIN they assign plus a password you assign. Granted, a one-time PIN, but still something that is not on file everywhere like your SSN. Plus the password you pick makes it very secure.

      Seems to me the IRS IT systems are just not ready for this to scale up? They have it, why not scale it up?

      • The IRS uses the excuse that they are underfunded – but nobody points out that the savings alone would fund it several times over! Ach! The gubbamint is hopeless!

        • Indeed, but the catch-22 is that in order to save that money several times over, they need a budget increase to implement the system.

          And getting a budget increase in this political climate, especially with the IRS being treated as a punching bag by politicians, is simply not going to happen.

  12. I have never used TurboTax, but had fraudulent returns filed this year. Obviously, there are many places a thief could get your information. Fortunately, North Dakota does some checking on e-filings and detected the questionable return. Too bad the IRS doesn’t do this as a fraudulent federal return was filed as well.

  13. “Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service”. As a U. S. resident I googled “how many credit reporting agencies are there”. The first two hits were .gov sites:
    http://www.whitehouse.gov/blog/2012/07/17/so-how-many-consumer-reporting-companies-are-there
    http://files.consumerfinance.gov/f/201207_cfpb_list_consumer-reporting-agencies.pdf
    There are credit reporting agencies that have specialties.

  14. Nice work Brian. Just an FYI, the state of Michigan now allows residents to freeze their credit report with the 3 major bureaus.

    http://michigan.gov/ag/0,4534,7-164-17337_20942-182414–,00.html

    • Ah, good. I was wondering if that state legislature would ever accomplish anything besides nonsense like requiring women to buy rape insurance and censuring legislators who mentioned the word “vagina.” Now all they’ve got to do is work out how to fix their roads and bridges before they get pummeled back to dirt roads and fall down, respectively. But I’m sure they’ll just find something more pointless and partisan to spend their time on.

  15. Hmm. One thing the feds and states can do is this:

    Eliminate penalties for reasonably-sized underpayments, and encourage people to withhold a little less.

    I’m guessing that both federal and state tax accounts with a $10 balance due on April 15th are safe from this particular scam.

    • I don’t know about the state case, but for the IRS instances, the fraudulent returns included fake W2s or similar to enable the filer to receive way more money than the legitimate filer would be entitled to receive.

      The fraud wasn’t about stealing the refund for a filer, it was about pretending that a filer was entitled to a huge refund, and then asking for that refund.

      The main reason that the IRS initially couldn’t do anything is that the IRS doesn’t receive the W2 or similar records long enough in advance of the legislatively imposed deadline for issuing a refund. — Once the real documents arrive, the IRS would detect there’s a problem, but the refunds would have been issued to prepaid cards, the cards would be emptied, and the money would be long gone.

      The fraud was closer to making up an imaginary person w/ an imaginary job (and possibly imaginary children) and then slapping a legitimate SSN onto the package.

      If the state fraud is anything like the federal fraud, then adjusting the withholding for people wouldn’t have any impact on the fraud.

      It sounds like the state return fraud was fairly successful for a while, which argues that states probably have similar failings (inability to reconcile a filed return w/ “trustworthy” supporting data submitted through other channels).

    • They are not so much getting your money. They are claiming false income, false deductions, etc. The whole return is false.

      The IRS has checks in place, and a large percentage of false returns actually get rejected. But don’t forget that around 40% of the US pays close to zero Federal income taxes after taking all deductions. On top of that, a lot of people have a close to zero balance after standard employer withholdings. So any non-standard deduction takes them into refund territory.

      Lastly, let’s not forget this type of fraud is very new. Five years ago it was almost non-existent.

      So it is not that odd that many slip through the cracks.

  16. We cannot trust traditional email anymore. Binfer on the other hand bypasses cloud storage servers making it very safe to send secure email. Check it out: http://www.binfer.com.

  17. Ollie, the majority of Tax ID Theft cases are not “stealing your refund.” The fraudsters are making up numbers that can’t be checked for months. They don’t care whether the victim has a refund due or not. When a refund is due the real taxpayer, it will eventually get paid.

    Unfortunately, TIGTA and GAO reports on the patterns and the statistics are lagging indicators.

    I do see a silver lining in the TurboTax/state fraud calamity in that there are now more agencies (government and commercial), taxpayers, security experts and legislators with more “as it happens” awareness.

    Police blotters around the country are lighting up like Christmas trees. The public is more aware of the need to report their case to their local police, the IRS, credit agencies, the FTC, newscasters etc.

    I have been tracking online reports for over a year on my twitter feed and am hopeful that we see a real benefit from crowd sourcing trend to alert the statistics gatherers about trends in a more timely fashion.

    https://twitter.com/ancestralmanor

  18. I was unexpectedly faced with some KBA questions which were obviously derived from a credit report when I tried to log in to a web site (I don’t recall which one) recently. How am I supposed to remember who issued the loan for a car I bought 30 years ago? Naturally, I failed the KBA test, so I could not log in. I wasn’t going to go research the issue when sitting in front of a blinking cursor, which would no doubt time out while I did so. Given Experian’s history and the errors in credit reports generally, that sort of “knowledge” is far from secure or accurate. There are better authentication methods.

    • I agree. Same thing happened to me when I attempted to file for credit freezes last week (Anthem worries): Experian brought up stuff about my student loans (haven’t had one in over 20 years!), amount of my last car loan (5 years ago?), etc. I failed as well and had to snail-mail the PII to them (sheesh!).

      • I’ve had problems with Experian, too. It’s been over a month, and I still have NOT received confirmation that a security alert has been placed on my acct with them. And Experian has made it virtually impossible to reach a human by phone, UNLESS you sign up for one of their services.

        The other three agencies aren’t doing that. I’ve had NO problems dealing with any of the others. It’s just Experian.

        I’m beginning to think Experian is *purposefully* making things difficult in order to reduce or eliminate “free” services that the law requires.

        So I’m considering filing a complaint about Experian with my state AG, and I would encourage others with similar problems to do likewise. Maybe if enough pressure is brought to bear by enough state AG’s, then they will HAVE to fix things.

        • You could also lodge a complaint with the Consumer Financial Protection Bureau. I hear they get on it like a junk yard dog!

    • Another problem with KBA… they don’t always know the answer themselves, they’re data mining.

      Yes, it can be MUCH easier for “the bad guys” to circumvent KBA (and they don’t care how many accounts they lock out in the process) than it is for an individual to remember these obscure details. KBA will never go away as long as companies can make money by pretending to offer multi-factor authentication (“I’ll ask for MANY things they know, not just one! That’ll prove how important security is to me!”).

      • JANE on FEB 18th 2015 said:

        “Another problem with KBA… they don’t always know the answer themselves, they’re data mining. ”

        Exactly. Another way to try and stay private is to Never Give Out Your Social Security Number. This means at dental or MD offices, etc. If anyone requests it, ask (demand) an alternate option. My dental office’s ignorant receptionist claimed they “had to have it for billing purposes,” to which I reminded her that I was paying cash, and had nothing TO bill. Don’t let them bully you into sharing such private information.

  19. “When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

    This seems like it would be a sensible default, rather than something exceptional that you have to take action every three months to sustain.

    And then there’s this: “most states allow for the placement of a freeze for a $10 fee”

    In other words, what the credit bureaus are saying is “we aren’t *supposed* to give out lines of credit in your name to anyone but you, but we will give them out to anyone who finds out some fairly easily discovered facts about you unless you pay us an extra ten bucks every three months, and only then will we use a stronger form of authentication to give them only to you.”

    Sounds a lot like extortion when it’s phrased that way, doesn’t it? All it needs is one finishing touch:

    “Nice credit rating you have there. It’d be a shame if something happened to it.”

    • I absolutely agree with this. Our current credit system is a relic of the 20th century, and it’s failing miserably under 21st century threats. I think it will require an act of Congress to force the bureaus to update these outdated “assumed trustworthy” business practices that are harming both creditors and consumers.

    • Yep, it’s extortion.

      But for the time being, I’m paying the extortion because the alternative is bad.

      Besides, someone can file a class action lawsuit later and get me a refund :).

  20. Do you think you could put up a page listing every data breach that you hear about? You have the tag for articles, but it would be pretty helpful to have a straight list to refer people to. If you hosted such a list then you could link each one to the article you write up of course.

    Does the California list cover businesses and entities that don’t do business in California? That’s the reason I was looking for something from you.

    • It’s possible the California list also covers companies whose customers are in California.

      All things considered, I suspect the California list is “good enough” for most victims.

      Maintaining such a list would be a full time job, I’d rather California do it than someone else (well, it’d be nice if http://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection did it, but short of them, California seems fairly well equipped to handle it — the only other reasonable alternative is NY).

    • Troy Hunt runs a fantastic public service website at https://haveibeenpwned.com. You can search by your email address, and it will tell you if that address has been publicly disclosed in a breach or “paste”. You can also sign up to be notified as soon as your address appears in the contents of a future breach or paste.

      Of course, this will only let you know about publicly disclosed breaches, but it’s a good start.

  21. The ID Theft Resource Center publishes a weekly update to data breaches large and small. If there is a more complete list, I’d like to know. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

  22. Whether it was the IRS (or Treasury or FBI), this example of a TurboTax user whose information was breached had agents following up at his home this past weekend. http://www.mcall.com/news/local/watchdog/blog/mc-irs-investigating-local-fraudulent-tax-filing-through-turbotax-20150218-story.html

  23. There’s a fundamental problem that no one seems to be aware of concerning all these suggestions to move away from the SSN as the primary identifier.

    Right now, the SSN is The One Ring That Rules Them All. So, of course, all the Bad Boys are chasing after it, and spending enormous amounts of time & energy figuring out — and exploiting — all the various weaknesses in the current systems that allow them to get it.

    If, however, *something else* replaces the SSN as the primary identifier, e.g. a PIN, or what-have-you, then guess what? All the Bad Boys will stop chasing after the SSN, and begin to chase after whatever has been chosen as The *NEW* Ring That Rules Them All. And the Bad Boys will begin to spend enormous amounts of time & energy figuring out — and exploiting — all the various weaknesses in the *NEW* systems that will allow them to get it, WHATEVER it is.

    And if you do not think that the Bad Boys WILL succeed in this endeavor, then either you don’t understand history and human nature very well, or you haven’t really *thought* about it very much.

    • The core problem is much simpler:
      1) that the SSN is used as a password, while it is more like a user-name.
      2) there is no central database to verify any info for validity.

      It is no problem to replace SSN by a PIN, as a PIN can be unique for every service, but even if not, can be changed if compromised. Bad guys will try to get your PIN, but unlike SSN, once they have it their window of opportunity is limited. With SSN it is forever.

      Of course this does mean that every time you want to open credit, you either have to go in person, or send a notarized copy in. Secrecy does conflict with convenience, and many don’t realise it.

      Privacy does, too. One of the main reasons why ID theft works is because the US does not have a central database of where people live. Many European countries have one, and ID theft like we have is close to zero due to that. So e.g. you cannot have your tax refund sent to an address other than the one in the central database. And changing that master address can only be done in person at a city hall or so. Hence the privacy price for this security is steep …
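The reply above draws the line between an identifier (the SSN, fixed for life) and an authenticator (a per-service PIN that can expire and be rotated). The following added example, written for this page and not taken from any commenter, models both schemes so the difference is visible in code: once a lifetime identifier is treated as the secret, nothing can be revoked, whereas a credential issued per service, stored only as a salted hash and bounded by a time-to-live, stops working at other services, after expiry, and after rotation. All account names, the sample SSN and the time values are constructed.

```python
"""
Added example: identifier-as-secret versus per-service rotatable credential.
All names and sample values are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time


class IdentifierAsSecret:
    """Scheme A: whoever knows the lifetime identifier is authenticated,
    at every service, forever. There is nothing to rotate or revoke."""

    def __init__(self):
        self._records = {}  # account -> SSN (constructed sample data only)

    def enroll(self, account, ssn):
        self._records[account] = ssn

    def authenticate(self, account, presented_ssn):
        return hmac.compare_digest(self._records.get(account, ""), presented_ssn)


class PerServiceCredentialStore:
    """Scheme B: each service issues its own credential, keeps only a salted
    PBKDF2 hash of it, and bounds its lifetime. A PIN leaked from one
    service is useless at another and dies on expiry or rotation."""

    ITERATIONS = 100_000

    def __init__(self, service_name, ttl_seconds):
        self.service_name = service_name
        self.ttl = ttl_seconds
        self._records = {}  # account -> (salt, digest, issued_at)

    def _digest(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.ITERATIONS)

    def issue(self, account, now=None):
        pin = secrets.token_hex(4)          # shown to the account holder once
        salt = os.urandom(16)
        issued_at = time.time() if now is None else now
        self._records[account] = (salt, self._digest(pin, salt), issued_at)
        return pin

    def verify(self, account, pin, now=None):
        rec = self._records.get(account)
        if rec is None:
            return False
        salt, digest, issued_at = rec
        now = time.time() if now is None else now
        if now - issued_at > self.ttl:
            return False                    # expired: the window has closed
        return hmac.compare_digest(self._digest(pin, salt), digest)

    def rotate(self, account, now=None):
        # Replacing the record makes the previously issued PIN worthless.
        return self.issue(account, now)


def demo():
    """Run both schemes against a leaked credential and report the outcomes."""
    results = {}
    ssn = "123-45-6789"                     # constructed sample, not a real number
    scheme_a = IdentifierAsSecret()
    scheme_a.enroll("alice", ssn)
    # Once the SSN leaks, Scheme A accepts the attacker indefinitely.
    results["ssn_works_after_leak"] = scheme_a.authenticate("alice", ssn)

    tax = PerServiceCredentialStore("state-tax", ttl_seconds=86_400)
    bank = PerServiceCredentialStore("bank", ttl_seconds=86_400)
    t0 = 1_000_000.0                        # constructed clock value
    tax_pin = tax.issue("alice", now=t0)
    bank.issue("alice", now=t0)

    results["pin_valid_at_own_service"] = tax.verify("alice", tax_pin, now=t0 + 60)
    results["pin_rejected_elsewhere"] = bank.verify("alice", tax_pin, now=t0 + 60)
    results["pin_rejected_after_expiry"] = tax.verify("alice", tax_pin, now=t0 + 86_401)
    new_pin = tax.rotate("alice", now=t0 + 120)
    results["old_pin_rejected_after_rotation"] = tax.verify("alice", tax_pin, now=t0 + 180)
    results["new_pin_accepted"] = tax.verify("alice", new_pin, now=t0 + 180)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `now` parameter exists only so the expiry and rotation paths can be exercised deterministically; in real use the store would read the clock itself. The constant-time comparison and salted hashing are there because a service should be able to survive a leak of its own table without handing out every account's PIN.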

  24. If you get an IRS PIN number now (http://www.irs.gov/Individuals/Electronic-Filing-PIN-Request), would that prevent some fraudster from scamming you?

    • Not in this case. The scam was against individual states as opposed to the federal government.

      I’m not sure how stupid individual states are.

      Conceivably, any citizen can move to any state at any time. I’d hate to have to get ~54 (federal + DC + 50 states + Guam + Puerto Rico) PINs to guard against this.

      This is basically the fault of the individual states, and it should be their job to fix it / protect against it.

  25. A PIN is one way to implement a multi-stage authentication system, serving several purposes. First, you need the “code book” to other “code books.” Not as easy to tie one data breach to another. Then, if you are launching a real fraud ring campaign, the patterns of breaches act like radioactive dye providing traces in the computer systems that can be triangulated.

  26. Can I just have them shut off internet access for my “tax account” and only send/receive through snail mail?

    Used to be identity and debt were tied to property, which made identity trivially auditable.

    Now banks are attempting to tie identity to individuals so that you can treat the individuals as property, which requires you securely tag the individuals. Unfortunately, biometrics fail more often than not and are not a feasible solution.

    The fraudsters are doing us a favor, but I fear for what this government will do next.

    • You are them. You call the shots. I drive to my CPA’s office, hand them the docs they need to do my taxes, and within a week they call me and tell me how much my refunds are (I’ve always been happy w/the results). They then do direct deposit into my bank minus a fee that IMO is well worth it. The onus is on them for accuracy, proper filing protocols, etc… – no IRS punctilios. I get a copy of the report mailed to me and that’s it. Works great going on six years now.

      • Wrong on at least TWO counts.

        First of all, read and understand the tax law: no matter who prepares your taxes, ultimately *YOU* bear the responsibility for what’s on *YOUR* return.

        Second, you seem to be missing the whole point of this article: there’s NOTHING in your chosen filing protocol (or any other, for that matter) that prevents a Bad Actor from filing a return using your name and SSN, together with totally fictitious data, and claiming a refund WEEKS before you have ever assembled and delivered ANY papers to your CPA.

          • I respectfully disagree; you need not shout. I have a right to trust my CPA. I give him all of the tax documents required. They are issued by entities that by law must issue me accurate, precise (to the penny) statements. I review them quickly & it’s easy as pie to see that they are 100% correct. I don’t need to interpret the law. I don’t have to do anything except sign the completed forms which come out just fine, thank you very much. I do as it says in the Bible and “give to Caesar that which is Caesar’s”. I have nothing to hide. I follow the law. I have a right as a US Citizen to continue to proceed in this manner until the Doomsday clock hits midnight. Brian is a modern day hero and I certainly do discern from his wisdom & knowledge.

          I ultimately decide, however, to follow His path as it is revealed to me. Thanks Brian, et al…

          Peace & Godspeed as we “Fight the good fight of faith, lay hold on eternal life, whereunto thou art also called, and hast professed a good profession before many witnesses.”

          1 Timothy 6:12

          • No one said you don’t have a right to *trust* your CPA; what EstherD said is that *legally* you (not your CPA) are responsible for the information filed on your tax return.

            I trust my CPA, too. But if the information on the return is wrong (due to innocent mistyping, for instance), *I* (not my CPA) have to answer to the IRS when they decide to audit me.

            • Well good luck to you then, as you may have some splainin’ to do.

              Myself, I would love to RSVP the IRS and do lunch or something apropos with them 😉

  27. If fraudsters are making up returns and slapping a stolen SSN number on them, this should be more easily discovered. The taxing authorities have your past returns and can look back to get a reasonable estimate of what your numbers should look like. For example, filing status, dependents, and types of income outside some reasonable fluctuation could be flagged. They could score historical returns and delay refunds for any return which falls outside that parameter without first obtaining more information. It could be as easy as sending an email to an old email address on file and asking for confirmation that the return was actually filed. It seems much more can be done by the government agencies than is now being done.

    • They already do all this.

      As I said higher up, 40% of the US has close to zero Federal tax liability, and even more have it after standard employer withholdings.

      So any deduction will take you into refund territory. E.g. just claim some medical expenses boom, there it is. And it is very hard (expensive and time consuming) for the IRS to verify that you didn’t have that expense.

      Let’s also not forget that to file a fraudulent tax return using TurboTax or any other eFile system, one typically still needs last year’s AGI (or their PIN), accurate to the dollar. It is harder than some people think!
      That is why many of these frauds are either W2-theft related or, like in this article, users that used the same password for their taxes as for their favorite blog website.

      Hence, sorry if I’m harsh, but as this article demonstrates, a big part of the blame lies with the users of TurboTax themselves.

      Of course TurboTax should have multi-factor authentication for something as important as taxes, but users who recycle passwords have *also* themselves to blame.

  28. Anthem has updated the credit monitoring and identity recovery services posted on anthemfacts.com

    I don’t know if you are required to wait for their snail mail notice to fully register. I was able to do step 1 without prior receipt of the notice as long as I checked a box to verify I am a potentially affected customer. I want to document my efforts to get help, as fraudsters can use your info in 24 hours; they don’t have to wait the weeks it takes Anthem to notify “potentially affected customers”.

  29. This is a large issue in Florida. Criminals are doing nothing more than paying off people who work in small doctors’ offices that are located in low-income neighborhoods and surrounding areas.

    With the payoff, comes the reward: patient records. In these records are name, address, SSN, DOB, etc.

    After the information is “bought” they file false tax returns and request the refunds be sent to their drop addresses via the IRS’s convenient pre-paid VISA card.

    Do you think the IRS matches the addresses of people to the addresses to which refunds are sent? NO

  30. Being someone in the security industry, I’ve never heard of Indu Kodukula, the CISO of Intuit. Looking him up on LinkedIn, he doesn’t even list Intuit as an employer, but I think it’s him since he’s connected to Brad Smith (Intuit CEO) and other Intuit people. Who is this guy? He has no security background at all, and appears to have been a COO at Limelight and a Manager somewhere else.

    Krebs: are you sure you were speaking to the CISO of Intuit?