February 22, 2015

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax — allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

SQUEEZING THE BALLOON

Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”

NO RULES OF THE ROAD

For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO Brad Smith sent a letter to the commissioner of the IRS, noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Smith wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”

ZERO FALSE POSITIVES

Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.

“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”

Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

Williams said Intuit is open to shortening its reporting delay.

“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”

BUILDING A BETTER MOUSETRAP

The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.

Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.

MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’

In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.

“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”

But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.

“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”

Only after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.

Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.

“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family’s to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.

At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.
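As an added example (not Intuit’s or TurboTax’s code), the account-hygiene controls Lee describes can be expressed as batch checks over account records and e-file submissions: one account per SSN, no phone number or email address shared across accounts, and a small cap on returns filed per account. The thresholds, field names and sample records below are constructed for illustration.

```python
"""Account-hygiene checks of the kind proposed above (added example, not Intuit's code).

Thresholds and field names are assumptions; sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Account:
    account_id: str
    ssn_hash: str      # digest of the holder's SSN; raw SSNs never leave intake
    email: str
    phone: str


@dataclass(frozen=True)
class Filing:
    account_id: str
    filer_ssn_hash: str  # digest of the SSN on the submitted return


def normalize_email(email: str) -> str:
    # Case-insensitive compare so "Bob@Example.com" and "bob@example.com" collide.
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    # Digits only so "(555) 010-0003" and "555-010-0003" collide.
    return re.sub(r"\D", "", phone)


def evaluate(accounts, filings, max_accounts_per_ssn=1, max_filers_per_account=6):
    """Return {account_id: sorted list of rule names the account violates}."""
    findings = defaultdict(set)

    # Rule 1: one account per SSN (the article proposes exactly one).
    accounts_by_ssn = defaultdict(set)
    for a in accounts:
        accounts_by_ssn[a.ssn_hash].add(a.account_id)
    for ids in accounts_by_ssn.values():
        if len(ids) > max_accounts_per_ssn:
            for i in ids:
                findings[i].add("ssn_reuse")

    # Rule 2: a phone number or email address belongs to at most one account.
    contact_rules = (("email", normalize_email, "shared_email"),
                     ("phone", normalize_phone, "shared_phone"))
    for attr, norm, rule in contact_rules:
        owners = defaultdict(set)
        for a in accounts:
            owners[norm(getattr(a, attr))].add(a.account_id)
        for ids in owners.values():
            if len(ids) > 1:
                for i in ids:
                    findings[i].add(rule)

    # Rule 3: cap distinct filers per account. Counting distinct SSNs (not raw
    # submissions) lets an amended return for the same person through, while a
    # small cap still leaves room for a household filing for its dependents and
    # catches an account filing for dozens of strangers.
    filers = defaultdict(set)
    for f in filings:
        filers[f.account_id].add(f.filer_ssn_hash)
    for acct, ssns in filers.items():
        if len(ssns) > max_filers_per_account:
            findings[acct].add("excess_filings")

    return {k: sorted(v) for k, v in sorted(findings.items())}


# Constructed sample: "h-..." values stand in for SSN digests.
SAMPLE_ACCOUNTS = [
    Account("acct-1", "h-alice", "alice@example.com", "555-010-0001"),   # household filer
    Account("acct-2", "h-mallory", "m1@example.net", "555-010-0002"),    # files for many strangers
    Account("acct-3", "h-bob", "Bob@Example.com", "555-010-0003"),
    Account("acct-4", "h-carol", "bob@example.com", "(555) 010-0003"),   # reuses Bob's contacts
    Account("acct-5", "h-alice", "alice2@example.com", "555-010-0005"),  # second account on Alice's SSN
]
SAMPLE_FILINGS = (
    [Filing("acct-1", "h-alice"), Filing("acct-1", "h-alice-dependent")]
    + [Filing("acct-2", f"h-victim-{i}") for i in range(8)]
)


def sample_findings():
    return evaluate(SAMPLE_ACCOUNTS, SAMPLE_FILINGS)


if __name__ == "__main__":
    for acct, rules in sample_findings().items():
        print(acct, ", ".join(rules))
```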

“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”

Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.

“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”


175 thoughts on “TurboTax’s Anti-Fraud Efforts Under Scrutiny”

  1. CooloutAC

    Wow, so some computer guys are honorable. I salute this guy Macdougal. I can’t believe intuit didn’t even have two factor authentication. And so they feel if they don’t make money on the fraud their competitors will? Unbelievable. And they would probably make the industry needs a standard argument in court and win, even though they were caught on tape. This is some story.

    I’m curious what will be said at the hearing in congress. All these industry standards they keep saying are needed for internet businesses but we still haven’t seen anything happen yet.

    1. Peter

      Yep, all those identity theft services that are being offered are often companies that did not have your SSN and other data, until you gave it to them to protect your zero-liability credit card from being abused …

  2. -stephen

    A stunning report. I am literally out of breath after reading it.

  3. Robert E. Lee

    How to test if your online tax preparer is safe to use:
    1. Do they require you to authenticate with something you know and something you have?
    ◆ If they only require a username and password, the data (SSN, address, employer information, salary) you share is at high risk of being accessed by identity thieves.
    ◆ A fraudster can use your account, change where the refund is supposed to be deposited, and file your taxes, collecting your refund.

    2. Do they make you prove that you are you?
    ◆ If they don’t, how can they differentiate the real you vs someone who knows your SSN and is pretending to be you?

    3. Do they block attempts to create multiple accounts using the same SSN?
    ◆ If you’re already a customer of theirs, and you try to set up a second account using the same identity, they should help you recover your existing account.
    ◆ By allowing a second account with the same SSN, a fraudster can easily impersonate you by creating their own account with your identity information.
    ◆ As long as the fraudster files taxes as you before you do, the fraudster gets your refund.

    If you said no to any of these questions, your tax preparer is not safe to use.

    1. Peter

      Agree on all counts, but just a nit here:

      “As long as the fraudster files taxes as you before you do, the fraudster gets your refund.”

      The fraudster does not get YOUR refund. That is what people often think. But the key is that their whole return is / could be bogus. They make up stuff, so they’ll possibly get a refund even if you owe taxes.

      Of course they prefer to base it off actual facts so it has a higher chance of being accepted, but I’ve seen a friend become a victim who was suddenly married to a different woman than his own 🙂 They didn’t have the data of his real wife, so they used someone else to get the extra exemption.

      1. Robert E. Lee

        🙂 .. agreed on the nitpick. I almost revised that line a couple of times, but wanted to keep it simple. When I said “your refund”, what I really meant was “interferes with your ability to successfully file with the IRS”.

  4. Robert E. Lee

    I’d expect all online tax preparers to:
    1) Require customers to create accounts that filing activity can be tracked against.
    2) Only allow one account per identity (Social Security Number).
    3) Have the user prove who they are, or if they are filing on behalf of someone else, prove that they have legal permission to file on behalf of the identity that is not them
    4) Require the user to prove they have access to the phone number and email address they assign to their account, and don’t allow multiple accounts to use the same phone number or email address.
    5) Protect access to these accounts with strong authentication
    6) Shut down accounts that are linked to fraud.
    7) Flag sets of PII used in highly suspicious e-file submissions, and notify the credit bureaus.

    1. timeless

      TurboTax has always been designed so that one person, e.g. Head Of Household could buy one license and prepare all taxes for the household.

      Imagine a typical nuclear family: two adults, two children.
      Let’s say one child is 17 (in high school, applying for college), had a summer job. Perhaps received a little bit too much from the grandparents.

      Let’s say the second child is 20 (in college, has work study).

      Let’s say both parents work.

      This can easily be 3 federal returns (married filing jointly, dependent 1, dependent 2). It might be 4 federal returns.

      Intuit can’t realistically charge this family of 4 for 4 licenses. And it isn’t a great idea to require the head-of-household to create 4 accounts just to manage this.

      The next year, one of the 4 grandparents dies. And head-of-household (being a TurboTax user) inherits the privilege of filing closing taxes for the deceased (which is much more complicated than the normal 3 or 4 federal returns).

      Oh, for fun, the family lives in a state w/ income taxes, and the college student went to a different state (one not familiar to head-of-household) which also has income taxes. The second child that year enters college (different state, also w/ income taxes).

      So, the first year, there were actually at least 6 returns (3 federal, 2 * state A, 1 state B). *Possibly 3 state A depending on whether the college student worked in both states, possibly 4 if the parents decide to file separately at the state level, they can do that.
      The second year, it’s at least 8 returns, but probably closer to 10 or 12.

      Note: I’m not defending allowing an account to file 100 returns. That’s clearly an abuse of the licensing.

      OTOH, if TurboTax /were/ deploying a honeypot (and it appears they weren’t), then allowing fraudsters to submit all their fraudulent returns using a single trackable ID would actually be a *good* thing. It’s much easier to identify fraudsters if they don’t /try/ to look like normal customers.

  5. Robert E. Lee

    I don’t envy the position of the online preparers. They have to know their products are being used to commit fraud. The problem is, if they make SIRF difficult to commit via their product it will push their fraud customers, and a significant chunk of revenue, to any competitor with weaker controls.

    But instead of waiting for the IRS to enact new requirements, it would be great to hear a company say ‘SIRF? Not here. Not in our product.’ If a company proved successful at reducing its share of SIRF, it would be something the rest of the industry players would be compelled to follow. Shareholders could then force companies that continue to enable SIRF to release financial details about revenue generated from known fraud.

  6. Anon

    Great article. I think there is a mistake though. You refer to the security chief of Intel but I think you mean Intuit?

  7. Reader

    The real solution is for employers to be relieved of the collection and submission of employee taxes. Let people keep their income until it’s time to pay their taxes.

    Once the IRS and states stop holding onto money, there will be little need for tax refunds.

    1. EstherD

      Guess you haven’t studied much history, psychology, or accounting.

      History: When the Income Tax legislation was first passed, that was the system — no withholding. It failed miserably.

      Psychology: Do you really expect that folks living on the hairy edge (or marginal businesses, for that matter) will actually have the money available to pay their taxes at the end of the year? Not likely, because that would require an almost super-human resistance to the temptation to spend every penny as fast as it’s earned.

      Accounting: Do you really think that you could manage your cash flows if you only got paid ONCE a year? Doubtful, even if you do have top-notch cash management skills. And the government cannot do it, either. Just as you pay this month’s bills from this month’s paycheck, the government pays its current obligations from its current revenue — the money it collects from withholding and quarterly estimated tax payments.

      Taken all together, you end up with the current system, because it is the ONLY system that works at all, even if it doesn’t work as well as one might wish.

      1. Dan Martin

        Esther, I think you’ve made Reader’s points. 😉

        I agree with both of you.

    2. Mike

      That would solve a whole lot of problems, not just this. But with health care now coming under federal jurisdiction, I don’t see this ever happening. The IRS is getting many more tax collectors and that would certainly be enough to handle the inevitable increase of tax evasion cases that such a thing would surely create, but that isn’t the reason for hiring them.

    3. pboss

      Yeah, that won’t work. You think people are smart enough to put their taxes away during the year? Ha. A huge spike in stories about IRS collection agents when people can’t pay their thousands of dollars in taxes due would happen.

    4. Are U Crazy

      Letting people keep their money until they pay taxes? Why not let the inmates patrol the prisons as well since that will save money?

      The only people who would end up paying taxes are those who actually saved money. As can be witnessed by savings rates, that would be few and far in between.

    5. timeless

      That worked really well for Greece. (c.f. national default in Europe)

  8. Dennis F. Poindexter

    Ultimately, it goes back to IRS which has never cross-matched returns for Social Security Number. They were advised to do it when electronic returns were started in 1991, but refused. The CIO did not even look at the recommendation when handed to him. He said, “Oh, I heard about that.” One group did $8 million that year, working out of Texas. It has grown since then and I hope it comes out in the hearings that are to be conducted. No matter how you cut it, $5 Billion is a lot of money to lose.

  9. Shonda Johnson

    I will never again allow TT to take their fee from my return. The IRS website shows my refund was sent last week and I’m STILL waiting for my money from TT. Next year, I will find another tax preparing service.

  10. IA Eng

    If online filing is a problem, then solve the problem by simply not allowing it to happen. All of these corporations sell software made to be used on a computer. Sure the initial cost may be a bit larger than what web site costs are, but then it’s up to the individuals to secure their own PII and file in a timely manner.

    Password reuse is retarded. People simply do not get it. If they used that password just once somewhere else that’s been breached, that password and email / user combination has probably been used by many a crook looking to find a site that has a credit card associated to it, so crooks can mail themselves purchases using other people’s cards.

    I take what these people say with a grain of salt. Remember, these funds can probably be tracked to accounts of the fraudsters, and the only way they can be convicted is if they file a false claim, get the money in their hands or bank accounts and then….the Feds can arrest them. I can envision the Feds telling a corporation to let the bogus filings pass, so the “uneducated crooks” get caught pretty easily. Sure, it probably only catches really small fish. But it probably thwarts many other wanna be crooks as well.

    There is a VERY simple solution to this issue, but the government wants no part of it. Charge a flat rate tax of 10-15% across the board with no refunds whatsoever. The issue with tax fraud disappears, but other issues are sure to arise.

    1. Caffeineguru

      You can’t track the money to the fraudster’s bank account- It never goes to a fraudster’s bank account. It goes into the account of some poor sap that has bitten off on a classic scam like overpayment, etc. This makes multiple victims- the person whose tax refund was fraudulently filed, and the person who has been scammed to let their account be used as the destination account.

      1. IA Eng

        And you’ve seen every case that ever happened? Including the first time criminals? Go read the DoJ website and be educated on how dumb some of these crooks really are. Some even had IRS employees helping them. It happens. It’s not always the “stereotypical way” people read and instantly believe.

        Sure, the “educated” crooks do it in a more sophisticated way. I was NOT talking about them.

    2. CooloutAC

      You think it's the government that wants no part of it? When 330,000 fraud claims are filed a year? What?

    3. D-C-M

      “There is a VERY simple solution to this issue, but the government wants no part of it. Charge a flat rate tax of 10-15% across the board with no refunds what so ever. The issue with tax fraud disappears, but others issues are sure to arise.”

      … and no deductions, no credits, no filing a return, no anything. Once the tax is paid/deducted/whatever, the transaction is complete (like a sales tax). Would we need the IRS? Yes, to catch those scamming this method, but hopefully this would be simpler.

      I love it: the KISS principle at work. However, this would likely be much too upsetting to actually implement – with politics and the many vested interests at play.

  11. Bob Easton

    Quote: “She said ‘You can use this on any other product except TurboTax’”…

    Did I miss her name somewhere in the article?

    1. techvet

      The name wasn’t given, but “she” was Shane MacDougall’s former boss at Intuit. It reminds me of the line from “High Plains Drifter”:

      Mordacai: What did you say your name was again?
      The Stranger: I didn’t.

  12. TT Fraud Victim

    Have not used their product since 2005 but was hit this year with a fraud filing through their system that seemed to use old return data.

    Their attitude and scripted response when I spoke with their fraud hotline feed into this. They seemed to feel no responsibility for the situation and kept trying to blame outside sources. When I asked to confirm that the fraud account would be closed and my old accounts deleted, they seemed confused at my request and put me on hold indefinitely waiting to talk with someone to close my old accounts.

    Worst was when I asked if I could get the 3-year fraud monitoring being offered to affected current customers; I was told I did not qualify as I am not a current customer.

  13. ChuckFonta

    As long as legitimate business can profit from criminal activities, there will not be much more than token resistance to these profitable activities. As long as credit card fraud, inventory shrinkage, etc. are charged off as “the cost of doing business” and profits are based on a percentage of the total cost of business, as well as bonuses, nothing will be done to inhibit this type of crime.
    Think about it!

  14. patti

    I’ve been worried about this for some time with android devices. I suspect it is a much bigger problem than we guess. And, for cell phones, there are no “simple” fixes, like upgrading your router… 🙁 I can’t seem to get any discussion started on this topic on android forums, either. I know it’s a flavor of linux, but I’ve been using linux for 20 years, and android forums seem nothing like standard linux forums I frequent.

  15. patti

    There’s a problem with complexifying systems – it costs a lot of money. I suspect that’s the real reason the IRS isn’t moving faster on this. Imagine setting up several hundred million PINs when nobody has ever had one before? (even assuming their antiquated software will allow this…)

    1. timeless

      Well, it’s worse, but yes, this is the starting problem.

      It requires money, and money requires authorization, and that requires an act of congress. And congress isn’t particularly interested in acting rationally.

      The second problem is that there’s no particularly good way to distribute PINs — not everyone has filed a return in a given year. There isn’t a complete address database for every person who files taxes in the US.

      There are a number of bad approximations:
      * last mailing address for previous filed tax year
      * Selective Service address (only males of military age)
      * there’s Social Security Agency payment address, but that’s only if you retired (or certain other special circumstances) and you paid into ssa (even government employees don’t)

      The third problem is that people aren’t good at retaining anything. A significant portion of people will lose their PIN. (Just as people forget their passwords.) Handling that requires a reset mechanism — which is expensive and not easier than the previous problem.

      Oh, fwiw, 1/3 of Americans have Passports. So please don’t expect them to use their Passport as their ID (that’s up from 3% a few decades ago). Not everyone can access a birth certificate, not everyone has a valid photo id, not everyone drives, …

      If you remember the problems w/ Voter ID, this is worse. There are more tax-filers than voters (even felons are supposed to file taxes).

      And then you have the people who demand not to have a number.

  16. Angry About

    Just in case people are curious about the scale of the problem, in the 2012 tax filing year (that would be January to April 2013) TurboTax management knowingly filed tax returns that were 100% fraudulent (externally verified by their debit card vendor). That year over 10% of their volume (2.4 million returns) was in this category and generated revenue for TurboTax of over $300 million and $5.2 billion in fraudulent refunds.

    The approval to stop efforts to do anything about fraud went all the way to the Chairman of the Board, through direct involvement of the TurboTax General Manager, the head of Legal for Intuit Corporate, and through the President of Intuit. They all communicated under the heading of “Multi-Filers” and used obscure face-to-face only communication methods to avoid a digital trail of their activities.

    And just so everyone also knows, TurboTax is also trying to play this crisis to their advantage. They have been trying to break the IRS’ famous 7216 ruling that forbids using tax data for anything else except filing taxes. Intuit wants the IRS to allow them to use their tax data for marketing and customer research. By putting the IRS on the spot as “not supplying the ability to stop fraud”… this is code for “you have to modify the 7216 ruling and let us use the data for other things”. And by the way, the line between “marketing” and “fraud detection” is very very thin.

    I am SO proud of Shane MacDougall for sticking his neck out… and so revolted at David Williams (as a former IRS administrator who is now “on the take” for an area he was previously in charge of).

    My advice… use an H&R Block storefront (because LibertyTax and others use TurboTax Pro behind their filings).

    1. Ken

      Dear “Angry About”:

      After 144 comments so far, I think your comment has been rather overlooked, because if what you’re stating is true, this is very significant information. Can you back up your claims? How do you know this information?

      If this information is legit, for the sake of encouraging this industry to protect the 122M American taxpayers, please contact Krebs or Mr. Lee or Mr. MacDougall or the IRS. We need to know the truth about what’s really going on, and it seems you know more than those like myself reading this article and speculating.

  17. Andy

    Correct me if I am wrong here: if a company suspects criminal activity and does not do everything it can to stop it, and in fact does a minimal job, thus allowing it to continue, and benefits from it as an active participant in the overall fraud, that sounds like a RICO case to me. If I file my taxes with TurboTax and then find I have been a victim of the fraud, I can ask for a grand jury case to be opened using this article as evidence in a criminal conspiracy and name Intuit as a member of the criminal enterprise.

    1. timeless

      So, most criminal lawyers aren’t charged w/ RICO for arguing a case on behalf of their guilty clients. Lawyers are obligated to prepare a case as their clients direct.

      There are some exceptions — if a lawyer suggests to a criminal how to commit a crime, that could be RICO or some other criminal act.

      But normally, lawyers are obligated to retain confidentiality of their clients and do as their clients direct.

      There are similar provisions for Doctors. I’m pretty sure a doctor is obligated to treat a patient who presents with a gunshot wound. They might have an obligation to report after the fact, but they aren’t supposed to try to stop the victim from living/leaving.

      So, we’ve met Lawyers and Doctors, what about CPAs and Tax Preparers? (n.b. I’m none of these categories)

      http://www.irs.gov/pub/irs-utl/Guidance_Regarding_Professional_Obligations_Under_Circular_230.pdf

      > Selected Obligations Under Treasury Circular No. 230
      > Due Diligence.
      > You generally may rely in good faith and without verification on information furnished by your client
      > You must make reasonable inquiries if any information furnished to you appears to be incorrect, incomplete or inconsistent with other facts or assumptions.
      > Treasury Circular No. 230 §10.22, §10.34(d).

      > Errors and Omissions.
      > If you know that a client has not complied with the U.S. revenue laws or has made an error in,
      > or omission from, any return, affidavit,
      > or other document which the client submitted or executed under U.S. revenue laws,
      > you must promptly inform the client of that noncompliance, error,
      > or omission and advise the client regarding the consequences under
      > the Code and regulations of that noncompliance, error, or omission.
      > Depending on the particular facts and circumstances,
      > the consequences of an error or omission could include (among other things)
      > … civil penalties … criminal penalties …
      > Treasury Circular No. 230 §10.21.

      There might be more, but that first citation is pretty problematic. It’s similar to the obligation a lawyer has to represent a client — trust the client.

      Note that “reasonable inquiries” seems to be underdefined, and it sounds like Intuit has made hand motions indicating they’d like more definition. A reasonable court would probably forgive them on that point.

      Note that the obligation to report a client’s error to a client is great when the client is trying to interact for normal purposes w/ the IRS (or anyone else), the obligation to report to a fraudster that you know they’re a fraudster is not helpful, and is roughly the point Intuit made in their internal discussion — If a lawyer is told to tell a criminal defendant “we know you’re guilty, but we won’t tell anyone when you leave and go to the next lawyer”, that doesn’t do the prosecution/government any good. But in fact, that does apply to criminal lawyers, a lawyer can discover that a client is guilty, and decide they don’t want to defend the client anymore, but the lawyer is still (generally) bound by attorney-client-privilege.

      So, we see that our CPA behaves roughly like a Lawyer — not particularly surprising.

      But while there are people who suggest killing all the lawyers, this is a case where the first group you should complain about is the legislators, i.e. those who wrote the legal framework within which both lawyers and CPAs live.

      1. Ken

        Your post here got me thinking about this differently. Take the “online” factor out of the equation and consider this:

        “You must make reasonable inquiries if any information furnished to you appears to be incorrect, incomplete or inconsistent with other facts or assumptions.”

        So, I use my CPA every year for filing my taxes, he knows I’m Ken and my SSN is 123-45-6789. Now, a fraudster comes to him one day and claims to be “Ken” w/ SSN 123-45-6789 and wants my CPA to file his fraudulent return. My CPA notices that this guy is not the real “Ken”, and that he’s already working on a file with the SSN 123-45-6789. So, this would seem to me that the “information is inconsistent with other facts.” So, my CPA should make inquiries, right? Like, “Ken, can you show me some other identification?”

        The rule above might not be specific about “reasonable inquiries”, but take the face-to-face CPA scenario to online tax filing services… if a fraudster opens a new account claiming to be “Ken” with my SSN, and I already have an account with that tax service, it would seem that they need to perform some unspecified “inquiry”, yet Turbotax (and H&R and others) seem to simply allow it with *no* inquiry at all. Right now, I can go create two accounts on Turbotax using the same SSN, and nowhere on the site do they “inquire” about anything at all. What they “should” do to be considered “reasonable inquiry” may be ambiguous, but they seem to do NOTHING at all. BTW, this is the same with H&R.

    2. CooloutAC

      I think this case is actually a microcosm for all internet businesses. Like Target calling for industry standards. Like online game companies not doing enough to stop fraud and abuse.

      I believe they all feel the same way. They feel they are not going to waste resources to stop fraud abuse if no one else is. And they feel they would lose too much business and money for corrupt employees and the company in general, when fraudulent customers take their business elsewhere. This story is a real wakeup call.

      The problem that keeps getting discussed in congress is you can’t really have effective universal regulation for all types of internet businesses. Once again it seems anonymity is still the biggest problem on the internet. How customers are even allowed to be anonymous is amazing to me.

      The only thing bad for Intuit is that recorded conversation. But Intuit could argue that in a case of a customer filing taxes for 100 individuals, it's not their business. They might say they suspected something, but can argue it's up to state or federal officials to determine criminal activity or not. I believe it could be someone's home business, and he might actually be certified by his state, and Intuit might feel it's not up to them to determine. He might have 100 family members and friends he files for. And as they said, they report more fraud to the gov’t than anyone else, supposedly. The system is just that corrupt, and there really does need to be a change in the universal way we do internet business.
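Ken's duplicate-SSN scenario in the previous reply and the "one customer filing for 100 individuals" case in this one describe the same kind of "reasonable inquiry" trigger, so here is one added example (not from the article, from Intuit, or from any commenter) that runs both checks over constructed filing records. The record fields, the five-SSN threshold and the 000-area placeholder SSNs are assumptions made for the illustration.

```python
"""Identity-collision and multi-filer review triggers for tax-filing accounts.

Added illustration; record shape and thresholds are assumptions, and the
sample records below are constructed (000-area SSNs are never issued).
"""
import re
from collections import defaultdict


def normalize_ssn(ssn: str) -> str:
    """Reduce an SSN to its nine digits so '000-12-3451' and '000123451' collide."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"malformed SSN: {ssn!r}")
    return digits


def ssn_collisions(filings):
    """SSNs claimed under more than one account, mapped to those accounts.

    This is the 'information inconsistent with other facts' signal from the
    CPA analogy: the same taxpayer identity asserted by two different customers.
    """
    accounts_by_ssn = defaultdict(set)
    for f in filings:
        accounts_by_ssn[normalize_ssn(f["ssn"])].add(f["account_id"])
    return {s: sorted(a) for s, a in accounts_by_ssn.items() if len(a) > 1}


def multi_filers(filings, max_distinct_ssns=5):
    """Accounts that file for more distinct SSNs than a consumer account should.

    A registered preparer does this legitimately, so the hit is a review
    trigger (ask who the account belongs to), not a verdict of fraud.
    """
    ssns_by_account = defaultdict(set)
    for f in filings:
        ssns_by_account[f["account_id"]].add(normalize_ssn(f["ssn"]))
    return {a: len(s) for a, s in ssns_by_account.items() if len(s) > max_distinct_ssns}


def review_queue(filings, max_distinct_ssns=5):
    """Filings that trip either rule, each annotated with the reason(s) for review."""
    collisions = ssn_collisions(filings)
    bulk = multi_filers(filings, max_distinct_ssns)
    flagged = []
    for f in filings:
        reasons = []
        if normalize_ssn(f["ssn"]) in collisions:
            reasons.append("ssn-claimed-by-multiple-accounts")
        if f["account_id"] in bulk:
            reasons.append("account-files-for-many-ssns")
        if reasons:
            flagged.append({**f, "reasons": reasons})
    return flagged


# Constructed sample: Ken's long-standing account, a new account claiming the
# same SSN (with dashes stripped), an unrelated filer, and one account that
# files for six different people.
SAMPLE_FILINGS = [
    {"filing_id": 1, "account_id": "acct-ken", "ssn": "000-12-3451", "tax_year": 2014},
    {"filing_id": 2, "account_id": "acct-new-7741", "ssn": "000123451", "tax_year": 2014},
    {"filing_id": 3, "account_id": "acct-jane", "ssn": "000-12-3452", "tax_year": 2014},
] + [
    {"filing_id": 10 + i, "account_id": "acct-bulk", "ssn": f"000-55-000{i}", "tax_year": 2014}
    for i in range(6)
]

if __name__ == "__main__":
    for hit in review_queue(SAMPLE_FILINGS):
        print(hit["filing_id"], hit["account_id"], hit["reasons"])
```

Both of Ken's own filing and the impostor's land in the queue, which is the intended behaviour: the service cannot tell from the collision alone which account is the real taxpayer, so both need the follow-up inquiry.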

  18. Professional Security Expert

    Do NOT use any service such as LifeLock, these are all scams & a simple waste of your money.

    If you want real protection, set up a security freeze on your credit with all three major reporting agencies.

    https://www.experian.com/consumer/security_freeze.html
    http://www.transunion.com/securityfreeze
    https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

    It completely baffles me why no other security-minded professionals either know about this service and utilize it, or recommend it to others. This will stop just about every possible identity fraud available.

    1. BrianKrebs Post author

      By “no other security expert” I take it you’re not including me? I have recommended security freezes for years, steering people away from these credit monitoring services.

      1. DougEdwards

        One note about credit freezes: the Social Security Administration now uses Experian for initial online user validation, and you can’t establish an online account while a freeze exists. Above I see Intuit is indicating that they’ll use them for user validations of their accounts. So to interact online with either you have to drop the freeze and re-add it. Not enough to make me remove the freezes I have in place. But this is something worth being aware of.

  19. Andrew

    Why set up an account? Can’t you just do taxes offline and then submit them? When I use Taxcut it must be supplied with and read my last year's saved return or it has no data on me at all. I have no online account, other than to buy the software.

  20. chris

    So, their position is that it is up to the IRS to identify fraud. Fair enough. How about we let the IRS implement return-free filing, which for millions of people would be a two-line web page at the IRS: “Here’s what you paid: XXX. Here’s what we think you owe: XXX”? This would make it easier for taxpayers, and easier for the IRS to detect fraud.

    Oh I forgot. Intuit and the other tax SW companies have lobbied against this approach.

    http://www.propublica.org/article/how-the-maker-of-turbotax-fought-free-simple-tax-filing

    1. Astyanax

      Of course they have. It would put them all out of business. You can’t fault a business for opposing an initiative that would destroy it.

      1. Chris

        Intuit doesn’t just do tax filing SW. I think they’ll be just fine. They do many other things (Payroll, Loans, Bookkeeping, just off the top of my head). IMO, their position in opposition to IRS handling these filings is pure rent-seeking and is objectionable in principle. Plus, many people seem not to realize that this easy simplification has been sought since Reagan was in office. Maybe it’s a good idea whose time has come.

  21. Jason R

    A simple name and address verification for the credit card would solve this. Only let people file their taxes with their own verified credit card.

    Intuit’s thinking: “But wait, that might hamper legitimate business, so we can’t have any of that, and fraud doesn’t cost us anything.”

    Slap them with a huge fine for not taking reasonable measures to secure tax filing. Fining them for the full amount of all identity-theft based fraudulent filings processed through them sounds about right. Somehow I think they’d change the way they process filings.

    1. timeless

      While I like the idea, many people don’t have credit cards.

      http://www.statisticbrain.com/credit-card-ownership-statistics/
      Percent of people in the US polled who did not have a credit card 23 %

      So, ~1/4 don’t.

      Percent of undergraduate students with a credit card 76 %

      So, ~1/4 don’t.

      You might claim that say 1/5 people in the US are under 15 and thus don’t need a credit card, but the survey would have excluded children. And even so, 1/20 is a lot of people.

      Things definitely need to change:
      #1. the IRS shouldn’t be obligated to process returns before it could reasonably have enough information to determine if a return is fraudulent.
      #2. the IRS should be allowed to run its own free filing system (which most people should be able to use).

      Unfortunately, #1 would require congress to vote against the interest of most tax payers. #2 would require congress to vote against big businesses w/ big lobbying investments.

      Oh, all of this would require congress to function. (We aren’t even going to see the cuts to 529 plans, which would only impact a very small portion of upper-class families.)

  22. curious

    What if the IRS created a rule that the originating online tax prep company used for filing bogus returns must pay a penalty on each bogus return larger than the filing fee they collected? Wouldn’t this stop the filing fraud or at least slow it down considerably?

  23. Tess Man

    “Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.”

    Pretty much describes the weasels running most large corporations these days…

  24. mike~acker

    What is generally missing is digital authentication: how can you prove that your document is legitimate? The methodology was developed years ago by Martin Hellman and Whitfield Diffie: public key encryption.

    Today we face two major problems in commercial security:

    (1) O/S security: an operating system must not allow itself to be affected by the activity of an application program whether by error or by intent;
    (2) Document Authentication: we must all acquire and learn to use public key encryption. It isn’t hard particularly when the interface is baked into the application.

    If we continue with the ineffective measures we have used to date hacking will continue to get worse.

  25. Katrina L

    Literally disgusting! So shameful that a company can claim to care about the PI of their customers and allow something like this to rage on, simply to line their own pockets.

    Kudos to the former employees willing to step forward, no matter what the consequences.

    TT will lose a lot of its business once this article really gets media coverage. Hope all are listening up.

  26. JimV

    So why didn’t the Intuit top suits choose to implement the honeypot approach their security wizards developed?

    Simple…money talks (and usually in a very loud voice), and they likely perceived no upside as the scammers were increasing sales volume while there was no penalty (yet) or bad PR (again, yet) from providing the platform by which third-party miscreants were illegally gaming the IRS system. The terms ‘shortsighted’ and ‘proactive’ are essentially antonyms of good business practice where longer-term profit and enhanced reputation are concerned.

  27. Angry Subscriber

    I was one of the Turbo Tax customers that had my identity stolen this tax season. What Kodukula is trying to say is the cause of the theft is ridiculous. I have very limited internet and credit card usage. The only way a thief would be able to get my name, address and SS# was directly from Turbo-Tax. It seems that this is another case of corporate greed, and the customer is the one to suffer. I am going through a nightmare to get this cleared up and I will be lucky if I see my refunds by late summer!!!

    1. TT Fraud Victim

      I’m with you on their assertion that none of the data came from them being bull. Many of us find it too coincidental that the fraud filings were carbon copies of old returns with small tweaks. That does not happen simply from a criminal obtaining an SSN.

  28. mbi

    Simple solution: make it a requirement that the processing agent guarantee the identity of the filer. Have the IRS then charge the processing agent a fee equal to or greater than the amount collected for all fraudulent returns to the IRS. It will take the incentive away from the processing agent to be lax in who uses their services.
