February 22, 2015

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax — allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

SQUEEZING THE BALLOON

Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”

NO RULES OF THE ROAD

For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO Brad Smith sent a letter to the commissioner of the IRS, noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Smith wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”

ZERO FALSE POSITIVES

Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.

“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”

Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

Williams said Intuit is open to shortening its reporting delay.

“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”

BUILDING A BETTER MOUSETRAP

The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.

Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.

MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’

In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.

“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”

But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.

“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”

Only after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.

Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.

“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family’s to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.

At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.

“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”

Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.

“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”
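
The account-level controls Lee describes (a cap on how many different Social Security numbers one account files for, one account per SSN, and no phone number or email shared across accounts) can be run as a batch check over filing records. The following is an added example, not Intuit's code or anything from the article; the thresholds, field names, key and sample records are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed limits: the article names the controls but gives no numbers.
MAX_SSNS_PER_ACCOUNT = 5      # distinct SSNs one account may file for
MAX_ACCOUNTS_PER_SSN = 1      # "only one account per Social Security number"
MAX_ACCOUNTS_PER_CONTACT = 1  # no phone or email shared across accounts

# Placeholder key for the demo; a real deployment would fetch it from a KMS.
INDEX_KEY = b"constructed-demo-key"


def token(field, value):
    """Normalize an identifier and return a keyed hash of it, so the lookup
    index never holds raw SSNs, phone numbers or email addresses."""
    if field in ("ssn", "phone"):
        norm = re.sub(r"\D", "", value)   # digits only: "555 0101" == "555-0101"
    else:
        norm = value.strip().lower()      # emails compared case-insensitively
    msg = f"{field}:{norm}".encode()
    return hmac.new(INDEX_KEY, msg, hashlib.sha256).hexdigest()


def find_violations(filings):
    """Return {account_id: sorted list of reasons} for accounts breaking a limit."""
    ssns_by_account = defaultdict(set)
    accounts_by_ssn = defaultdict(set)
    accounts_by_contact = defaultdict(set)

    for f in filings:
        acct = f["account"]
        ssn = token("ssn", f["ssn"])
        ssns_by_account[acct].add(ssn)
        accounts_by_ssn[ssn].add(acct)
        for field in ("email", "phone"):
            accounts_by_contact[(field, token(field, f[field]))].add(acct)

    flagged = defaultdict(set)
    # One account filing for many different people ("multi-filer activity").
    for acct, ssns in ssns_by_account.items():
        if len(ssns) > MAX_SSNS_PER_ACCOUNT:
            flagged[acct].add("multi_filer")
    # The same SSN appearing under more than one account.
    for accts in accounts_by_ssn.values():
        if len(accts) > MAX_ACCOUNTS_PER_SSN:
            for acct in accts:
                flagged[acct].add("ssn_reuse")
    # The same phone number or email attached to more than one account.
    for (field, _), accts in accounts_by_contact.items():
        if len(accts) > MAX_ACCOUNTS_PER_CONTACT:
            for acct in accts:
                flagged[acct].add(f"shared_{field}")
    return {acct: sorted(reasons) for acct, reasons in flagged.items()}


def _filing(account, ssn, email, phone):
    return {"account": account, "ssn": ssn, "email": email, "phone": phone}


# Constructed sample records (not real data).
SAMPLE_FILINGS = (
    [_filing("A1", f"000-00-{n:04d}", "a1@example.test", "555-0100") for n in range(1, 7)]
    + [
        _filing("A2", "000-00-0003", "a2@example.test", "555-0101"),
        _filing("A3", "000-00-0100", "A3@Example.test", "555 0101"),
        _filing("A4", "000-00-0200", "a4@example.test", "555-0104"),
    ]
)

if __name__ == "__main__":
    for account, reasons in sorted(find_violations(SAMPLE_FILINGS).items()):
        print(account, reasons)
```

A flag here marks an account for review rather than proving fraud; where the limits are set determines how many legitimate filers, such as someone preparing returns for relatives, are caught as false positives.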


175 thoughts on “TurboTax’s Anti-Fraud Efforts Under Scrutiny”

  1. Ken

    Wow… this is really enlightening. I want Brad Smith, Intuit CEO, to eat his words now… last Friday on CNBC he said:

    “Our systems have not been breached at Intuit. We take privacy and security of our customers’ information as job one. We also apply the most advanced technologies and techniques to protect our customers. Unfortunately, with all the major breaches that are happening outside the tax system, people’s identities are being stolen and then they are attacking the US tax system to try to file fraudulent returns. Our job is to prevent that from happening.”

    “Our job is to prevent that from happening” seems to be in stark contrast to what these guys have revealed to us! What hypocrisy…

  2. Lance Miller

    Another nice post, Brian…and major props to Shane for having the guts and moral compass to drop a dime. Salute.

  3. whatwhat

    The fundamental problem here is when there’s a data-breach, nobody goes to jail.

    If the executive management sells the data, and personally profits from it, while their company loses jobs and investors lose money, nobody goes to jail.

    Fix that one, you fix these issues.

    Used to be identity was established by name, location\billing address, and bank reference, and these things could be easily audited. Now, they (the government) want non-reputable biometrics, and people refuse to follow along because they believe, and correctly mind you, that only cattle need that kind of verification. They believe they are not sovereign if they are forced into needing it.

    In other news, to sign up for Obamacare, you need to have a credit profile with Experian. Yep, the same company whose exec management sold America’s personal information to the Russians.

    http://market-ticker.org/akcs-www?post=229863

    What a wonderful, corrupt government.

    1. Kyle

      This holds truth, as an argument, in the case of Intuit’s TurboTax, but that’s because they took advantage of a problem they recognized as existent, when they had a way to fix it, which was already proven to be fixed, prior to its halt.

      I wouldn’t argue the same for, i.e., Microsoft or Adobe, because they DON’T profit from it, and simply forgetting a vulnerability in the code shouldn’t hold a fraud charge, or nearly the whole coding profession would ALSO come to a halt….hold the criminals responsible – that means the fraudsters; just because the criminals happen to be the fraudsters AND TurboTax in THIS case doesn’t imply it’s that way in EVERY case.

    2. Quinn

      Although sending people to prison is the favorite way to punish those whose behavior we disagree with, it doesn’t seem to be very effective.

      (I could say break the law, but nowadays, really, there are so many in public office, or their cronies, Jon Corzine for example, that are not breaking the law, but are just as guilty of stealing as the cybercriminals ;^)

      The U.S. has the largest prison population per capita by far of any “developed” nation, yet it does not stop, or even seem to deter, crime. That’s because those deluded enough to commit crimes usually are deluded enough to think they will not be caught. ;^)

      When a financial crime is committed, the criminal is caught & sent to prison but all of his assets are not always confiscated.

      The financial criminals, e.g. Bernie Madoff, Kevin Mitnick, etc., are not usually threatening to the public in a physical sense, they’re not going to mug you, or rob you, or beat you up, or murder you.

      The obvious solution is not to put them in prison, costing you & me a fortune to maintain, but to take all of their money & all past assets that were given or sold to others.

      Putting Bernie Madoff in prison does nothing to reassure me that my walk in the park, or that of my loved ones, is safe from harm.

      Strip him of his money & ban him from ever engaging in anything related to his crime, & I’ll be happy to say, “Hi Bernie! How’s it going?” when I see him. ;^)

  4. Blake Hudson

    I happen to sympathize with Intuit here. I also identify with Mr Lee and Mr MacDougall.

    I appreciate that Lee and MacDougall are willing to sacrifice their own livelihood to bring this issue to light. No doubt this is a serious issue that all Americans are stakeholders to. It shows strong character that these individuals were willing to protect our country and its citizens to the point of (potential) personal detriment.

    On the other hand, Intuit 1) doesn’t stop the fraud from occurring by building hurdles for crooks, 2) increases its development costs for building these hurdles, and 3) decreases its revenue (both through decreases in fraudulent returns and by driving legitimate users to other products due to false positives or additional complexity in the software).

    It seems to me that it would be counter to Intuit’s fiduciary duty to intentionally increase costs and decrease revenue. In this case, building a ‘better mouse trap’ does nothing to protect its customers or shareholders or even non-customers.

    Mr Lee, Mr MacDougall, and Intuit were, or are still, in a position to affect some degree of change. They could reduce or prevent their software from being used to commit fraud. This step, on its own, does not lower fraud and does not protect identities. However, when combined with industry wide efforts, it would help reduce fraud and could reduce this form of identity theft. I would love to see the IRS implement (or require tax preparers to implement) basic hurdles to reduce fraud that pass a cost/benefit analysis. It may be that some basic changes in our tax payment, calculation, or collection system could have large efficiencies in processing and security.

    We still need to look at the reasons why theft is occurring and attempt to prevent it. Right now it seems relatively easy and profitable to perform tax fraud. Taking away some of the motivations and increasing the risks for fraudsters seems like a good direction to move in.

    1. TT Fraud Victim

      So are you saying a US business can operate knowingly or neglectfully in support of criminal activity to protect its own financial goals? Even if those benefits are at the expense of individual victims and taxpayers expenses? Hmmm seems like we have laws against that?

      1. Blake

        Turbo Tax is just a tool. It makes filing taxes easier for legitimate taxpayers and criminals alike. It is not Intuit’s responsibility, duty, or right to enforce law – that’s the role of the executive and judicial branches of government.

        It is Intuit’s responsibility to maximize profits and protect shareholder investment. As the article states, stopping fraud through their tool did nothing to further either goal and also did not reduce fraud.

        Don’t blame the tool, blame the criminal.

        1. TT Fraud Victim

          They are more than a generic tool or utility; it’s a service that handles private financial information for consumers. As such they should be required to operate in an ethical way when dealing with this information or profiting from the service. Similar to healthcare orgs or financial institutions protecting your personal information, they are legally responsible for misuse of it. The difference I see, and to your point, both financial institutions and healthcare organizations do not benefit financially supporting criminal activity. If TT or any tax preparer has a business model that allows them to profit off criminal activity with no downside then penalties need to be put in place to make them operate ethically. Similar to merchants that accept stolen credit cards: they do not receive funds and potentially can be held liable for damages by card issuers. Criminals will always take advantage of weaknesses. If the weakness is a company profits off their activity then how that company operates ethically to prevent this needs to be governed.

          1. Blake

            I agree, remove the incentive for tax preparers to process falsified returns and remove (or reduce) the incentive for thieves to commit tax fraud.

            1. Kyle

              The incentive IS the program. If you remove the incentive, you remove the program, and the company’s whole life along with it.

              1. David Hoffman

                The incentive is the potential income tax refund.

        2. Kyle

          I generally agree with that LAST line, “don’t blame the tool, blame the criminal.” However, a tool doesn’t include the external server. TurboTax doesn’t provide simply the tool, it provides the service, which includes a server. In other words, even if the tool fails, they have an obligation to filter out the bad returns via the second net, when the first one fails.

          1. Blake

            Intuit, due to its market share, is certainly in a unique position to combat abuse. While Intuit can and should protect their customers, I can’t say what obligation they hold to those that are not their customers.

            Intuit made the decision to play a passive role in this matter. Without direction from the IRS or federal guidelines I cannot blame them.

            I am glad to see that my state (KS) recently started requiring additional information in the form of a drivers license number to file a return. I believe this is likely to combat fraud. I would love to see similar low cost methods implemented at the Federal level.

            1. timeless

              I’d be curious to know what portion of database compromises include drivers license numbers.

              Unfortunately, the more often some piece of information is requested, the more likely that information is to be collected, retained, and leaked/compromised.

              This is why one time tokens are better than static data…

      2. Kyle

        The person above your comment forgets that while TurboTax, if this pans out as, indeed, correct, would not be responsible for the fraud itself, they would be responsible for willful recklessness – that is, allowing the problem to happen, not by providing the tool, but more-so, KNOWING the problem, and DELIBERATELY allowing it to grow, when they already had a solution which worked, to fix it. It could be construed as a “Conspiracy to commit fraud” charge, at the biggest possible charge.

        1. CooloutAC

          Well I might be missing some info here, but how does one account filing 100 tax returns prove they are 100% fraudulent?

          And how would this “fix”, I guess you mean the honeypot idea, 100% not cause innocent customers frustration from false positives? Something I’m not sure has even been done before in this business?

          1. CooloutAC

            I saw this answer online

            “In accordance with IRS regulations, you can use the TurboTax software to e-file up to five (5) federal tax returns. You can prepare as many returns as you want, but only five can be e-filed.”

            So is it what Rob Lanesey meant, they only get paid on the accepted e-filed returns, and not the other 95 prepared? And so what did MacDougall mean then about 100 returns for one account?

            “Our license agreement doesn’t allow the use of TurboTax for commercial or professional tax preparation. If you need to e-file multiple returns and you are a professional tax preparer, take a look at our ProSeries or Lacerte software.”

            This answers my question as well.

            1. CAtuolooC

              You can attempt to file hundreds of times. The cap is only on successful filings. Intuit benefits only on filings that are accepted by the IRS, not on all attempts.

              Intuit only receives cash when the IRS pays out, but they paid out at least 5.8 billion last season, so that definitely happens a lot. Also, for the filings where IRS accepted, but didn’t pay, or paid less than the licensing fee, Intuit may still report the revenue/sales event, and then charge off the unpaid owed money as “bad” debt. From an accounting perspective, even unpaid accepted returns benefit Intuit.

            2. CAtuolooC

              The 5 successful filings cap is per account. There are no restrictions on how many accounts you can create.

              1. CooloutAC

                ““If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity.”

                How is that possible if the cap is 5? Instead of a honeypot, why wouldn’t the ultimate solution be to only let an account “attempt” returns on 5 socials? I find it hard to believe that’s not already the case.

                And how do we know that 5.8 billion is all from fraudulent returns? That’s quite an assumption.

                1. CooloutAC

                  And if one account is indeed only allowed to “attempt” returns on 5 social security numbers.

                  How do you determine multiple emails from multiple IP addresses are fraudulent? Is it a realistic expectation for Intuit to do that, especially if people’s identities are already stolen?

                  A honeypot idea, is after you’ve already made the determination someone is a fraud. But how do you determine that. I’m still not buying the 100 return attempts per single account.

                  Now Intuit themselves has said they can “prepare” 100 returns. But they have to snail mail them, and they don’t get paid on them.

                  1. CooloutAC

                    What I meant to say is how do we know 5.8 billion all went to Intuit. It didn’t.

                  2. CooloutAC

                    What I meant to say is how do we know all that money went to Intuit? That is related to all filings in general, is it not?

                  3. CooloutAC

                    When I was a mtg processor, I was constantly looking up people’s credit reports. Sometimes people are getting their credit report run so many times by multiple companies it brings their score down. They are supposed to sign an authorization disclosure, but a lot of times companies never bother.

                    I’m more curious about what the other online tax prep companies do.

                2. CAtuolooC

                  “why wouldn’t the ultimate solution be to only let an account “attempt” returns on 5 socials? I find it hard to believe that’s not already the case.”

                  Try it for yourself. It’s still allowed in the product today. Also, I think that’s kind of the point they were making. This is a simple control that Intuit apparently hasn’t decided to use.

                  “What I meant to say is how do we know 5.8 billion all went to intuit. It didn’t.”

                  The 5.8b went to fraudsters. If you assume that an average fraud return is ~$3,000. This would account for roughly 1.9million fraudulent returns that were paid on. Let’s further assume that Intuit only benefited from 60% of those (40% going to the competition) – that would still leave ~1.1m returns that Intuit got license fees paid for by the tax payers for fraud.

                  “And how do we know that 5.8 billion is all from fraudulent returns? That’s quite an assumption.”

                  That’s not an assumption at all — that’s the number reported by the IRS via the GAO.

                  1. CooloutAC

                    You were implying all that fraud money went to Intuit themselves, which is what I was disputing. Of course fraud is a huge problem, but it’s not all Intuit.

                    Also even if Intuit only allowed 5 socials per account. As you said, the crook could just make multiple emails. How do you propose to stop that?

                    I always suggest phone verification, either by text or voice.

                    1. Alex

                      I think you misunderstood. She/he/they didn’t seem to imply that to me. They also said, assume it’s not all Intuit.

                      “I always suggest phone verification, either by text or voice.”

                      From the article, looks like the former employees suggested:
                      “Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.”

                      and

                      “tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number”

                    2. CooloutAC

                      “At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.”

                      Ok, I must have missed this good suggestion to bar multiple accounts for the same phone number. This would not only force crooks to paper file some returns. But it definitely would also help people who get their passwords stolen or new accounts opened up with their social.

                      But I don’t agree they should only allow one social per account/phone number. Because many people do taxes for their whole family and friends. Sometimes even more than 5. And some people might get left out if they don’t have a phone to receive a text.

                      One could argue, Intuit is being generous by not making people buy a new account for every return, if they are using a deluxe package to get more deductions.

                    3. Jonas

                      “But I don’t agree they should only allow one social per account/phone number. Because many people do taxes for their whole family and friends. Sometimes even more than 5. And some people might get left out if they don’t have a phone to receive a text.”

                      The phone/email part could be tied directly to the account, not the identity. Meaning if there was a user account, CooloutAC, then that account should have a password, a phone number, and an email address associated with it. The system should cause CooloutAC to get a text message or voice call to the number that they have to respond to, and should get an email to the email address that the user has to do something with to prove they have access to the number/address.

                      Once CooloutAC’s account is created, then they could add the identity information that they want to do taxes for.

                      I read the suggestion to mean that if an account using SSN 123-45-6789 already exists in the system, that the system shouldn’t let someone create a new account also using SSN 123-45-6789. With TurboTax currently, you can set up limitless accounts with the same SSN.

                      Other types of online services that are keyed to SSN do not allow for this, such as https://www.creditkarma.com.
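
The controls this sub-thread converges on (verified phone and email bound to the account rather than to the identity, no contact or SSN shared across accounts, and a cap on the distinct SSNs one account may attempt) are shown in code here. This is an added example, not part of any comment above and not Intuit's code; `Registry`, `PolicyError`, `outcome`, the in-memory store, the HMAC-keyed SSN index and applying the cap of 5 to attempts are all assumptions.

```python
import hashlib
import hmac
import re
import secrets

MAX_SSNS_PER_ACCOUNT = 5  # assumption: cap counts distinct SSNs attempted, not accepted


class PolicyError(Exception):
    """A request was refused by one of the controls."""


def norm_email(email):
    return email.strip().lower()


def norm_phone(phone):
    # Assumption: US numbers; compare on the last 10 digits so "+1" and
    # punctuation variants of one number collide.
    return re.sub(r"\D", "", phone)[-10:]


def norm_ssn(ssn):
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise PolicyError("malformed SSN")
    return digits


class Registry:
    def __init__(self, index_key):
        self._key = index_key   # secret key for the SSN lookup index
        self._accounts = {}     # username -> {"pending": {...}, "ssns": set()}
        self._contacts = {}     # verified phone/email -> owning username
        self._ssn_owner = {}    # HMAC(ssn) -> owning username

    def _ssn_token(self, ssn):
        # Keyed hash, so the uniqueness index never stores raw SSNs.
        return hmac.new(self._key, norm_ssn(ssn).encode(), hashlib.sha256).hexdigest()

    def create_account(self, username, email, phone):
        if username in self._accounts:
            raise PolicyError("username taken")
        contacts = {"email": norm_email(email), "phone": norm_phone(phone)}
        if any(c in self._contacts for c in contacts.values()):
            raise PolicyError("contact already bound to another account")
        # Contacts are only *claimed* here; they are bound on confirmation, so
        # an unverified signup cannot squat on someone else's number.
        pending = {ch: (c, f"{secrets.randbelow(10**6):06d}") for ch, c in contacts.items()}
        self._accounts[username] = {"pending": pending, "ssns": set()}
        return {ch: code for ch, (_, code) in pending.items()}  # sent out of band

    def confirm(self, username, channel, code):
        pending = self._accounts[username]["pending"]
        if channel not in pending:
            raise PolicyError("nothing to verify on this channel")
        contact, expected = pending[channel]
        if not hmac.compare_digest(expected, code):
            raise PolicyError("bad verification code")
        # Two unverified signups may claim one contact; the first to confirm wins.
        if self._contacts.get(contact, username) != username:
            raise PolicyError("contact already bound to another account")
        self._contacts[contact] = username
        del pending[channel]

    def attempt_filing(self, username, ssn):
        acct = self._accounts[username]
        if acct["pending"]:
            raise PolicyError("phone and email must be verified first")
        token = self._ssn_token(ssn)
        if self._ssn_owner.get(token, username) != username:
            raise PolicyError("SSN already in use by another account")
        # The cap applies to attempts, so rejected filings still consume a slot.
        if token not in acct["ssns"] and len(acct["ssns"]) >= MAX_SSNS_PER_ACCOUNT:
            raise PolicyError("per-account SSN cap reached")
        acct["ssns"].add(token)
        self._ssn_owner[token] = username


def outcome(fn, *args):
    """Run one request and return 'ok' or the refusal reason."""
    try:
        fn(*args)
        return "ok"
    except PolicyError as exc:
        return str(exc)
```

Because the contact is tied to the account and the SSN list is separate, one verified account can still file for several family members, which is the distinction the comments above are arguing over.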

                  2. CooloutAC

                    Exactly right, but I took his suggestion to mean one social per account, which I’d disagree with.

              2. CooloutAC

                When I was a mtg processor, I was constantly looking up people’s credit reports. Sometimes people are getting their credit report run so many times by multiple companies it brings their score down. They are supposed to sign an authorization disclosure, but a lot of times companies never bother.

                I’m more curious about what the other online tax prep companies do.

    2. David Hoffman

      Do something to prevent fraud, as long as it does not reduce profits, seems to be your viewpoint. Sometimes you should be a leader in your industry instead of a follower.

  5. LessThanObvious

    Intuit = Accessory to Fraud, pure and simple. Considering they actually directly profit from the fraudulent claims and they clearly chose negligence due to that profit motive, that should make it pretty clear their actions are criminal. We need a full audit of their activities and taxpayers need to be paid back in addition to any other penalties.

  6. Rob Lanesey

    Intuit is committed to providing our customers the best, safest, most convenient and secure tax products in the industry. With the increasing criminal attacks on the US tax system at both the federal and state level, and the constantly evolving methods that cybercriminals use, we recognize that we must continuously accelerate and strengthen the measures we take to fight fraud.

    Allegations by former Intuit employees in a blog today are without merit and are based on these individuals’ misunderstanding of the facts and their mischaracterization of our business.

    Any suggestion that Intuit or any of its leaders made decisions to sacrifice customer security for financial gain doesn’t hold water.

    Our customers’ privacy and security is job one. We are passionate about protecting legitimate taxpayers, while providing them with a fast, safe and secure way to file their taxes and get the refunds that they deserve.

    No one does more than Intuit to help the IRS fight fraud. There is absolutely no benefit to Intuit to try to process a fraudulent return. We do not get revenue from returns we have identified as suspicious and then the IRS rejects, and Intuit does not get paid through the refund transfer process unless the IRS accepts the return as valid and actually issues a tax refund. Moreover, Intuit’s market share is not based on submitted returns; it is based on accepted returns.

    We have no reason to believe that the IRS depended on our suspicious activity reporting to make its own determinations, and several reports from the GAO and IRS advisory committees support this contention.

    We believe there is no industry partner that provides more or better reporting, or is taking a stronger leadership role both with the IRS and with the industry to help solve the cyberfraud problem than Intuit.

    For more on Intuit’s efforts and for additional response to these allegations, please read our detailed rebuttal at https://security.intuit.com/intuitsfightagainsttaxfraud.html

    1. NotMe

      Gee Rob, I’ve got to go with the insider guys who don’t work there anymore. Your credibility is seriously damaged here.

    2. Caffeineguru

      “No one does more than Intuit to help the IRS fight fraud. There is absolutely no benefit to Intuit to try to process a fraudulent return. We do not get revenue from returns we have identified as suspicious and then the IRS rejects, and Intuit does not get paid through the refund transfer process unless the IRS accepts the return as valid and actually issues a tax refund. Moreover, Intuit’s market share is not based on submitted returns; it is based on accepted returns.”

      I read this as motivation to do exactly as these former employees are suggesting. You don’t get paid if the IRS rejects it, so you don’t tell them you have suspicions, making it more likely they accept it. That means you do make money on fraudulent claims. Also, I don’t buy the argument that it’s such a small number that the money is insignificant to Intuit revenue. I’ve seen Intuit bend backwards to claim an even smaller amount of revenue. Even if it’s insignificant to Intuit, it’s not insignificant to individual taxpayers that are your customer!

      I also reject the premise that Intuit won’t do more because it doesn’t stop bad people from filing fraudulent claims. If you truly believe that, ask your bank to blank your account passwords. Those passwords aren’t stopping bad guys from account takeovers, so they aren’t needed.

      Lastly, the idea that the security employee was told to set up a trial on another product to test before going live on TT, seems unbelievable to me. I only have perception to base this on, but in my past dealings with Intuit, one branch of the business has exactly zero idea of what’s happening elsewhere in the business. Intuit has had some of the worst internal communication I’ve ever encountered. So by telling him to try it out elsewhere is essentially telling him to stick it where the sun doesn’t shine. Maybe that’s why he feels he was being shut down.

    3. TT Fraud Victim

      Rob, I respect your job in defending your company but my personal experience last week sitting on hold for two days straight severely impacts your company’s credibility with me.

      1. I had 3 accounts on your systems from over a decade ago and could not get them deleted after sitting on hold for an hour and a half.
      2. Asked several times if I was an Anthem customer which I have never been.
      3. When asked if the fraudulent account that filed a return with my SSN would be shut down I was told it is not my account.
      4. When asked if me and my wife will receive credit monitoring due to the incident I was told no because we are not customers.
      5. Today received email notification my incident ticket was closed and asked me to take a survey.

      So a bit hard to feel your company has customers’ or ex-customers’ best interest in mind or that it shows any responsibility for criminals’ use of its systems.

    4. Ken

      Rob, when you say:

      “We do not get revenue from returns we have identified as suspicious and then the IRS rejects, and Intuit does not get paid through the refund transfer process unless the IRS accepts the return as valid and actually issues a tax refund. Moreover, Intuit’s market share is not based on submitted returns; it is based on accepted returns.”

      So are you admitting to the fact that when a fraudster is successfully able to steal from the US tax payer, that Intuit does get paid? Since that would be an accepted return by the IRS, right? So, by holding back on reporting fraud to the IRS, and hence increasing the chances of the fraud being successfully executed, Intuit gets to generate more revenue, right? Thanks for making that clear to all of us…

    5. thanks for the refund

      Hey Bob, haven’t used that junkware in years since it went, well, went to junk. but, i see what’s going on here, you’re just in the CYA mode at this point, there’s no security from your Co. to the consumer, it’s all just smoke and mirrors. that’s ok bob, we reap what we sow, don’t we, bob? have a nice life. i’m sure you’ll be pounding the pavement in pursuit of a new job soon. as always, enjoy.

    6. LessThanObvious

      Rob, what I would appreciate would be a voluntary do-not-file-list and by that I mean that I don’t use TurboTax, so I’d like to be able to register with you so that under no circumstances would any return matching my info be allowed to process. Provide me that ability and I’ll be much more inclined to believe in the good faith of your handling.

    7. Concerned Customer

      “[the] Allegations [] are without merit and are based on these individuals’ misunderstanding of the facts and their mischaracterization of our business.”

      “As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

      “We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

      Ok Rob Lanesey – Serious question for you – Is it fair to assume that Mike Lyons understands the Intuit tax business? Because from what Mike Lyons is quoted as saying, your rebuttal doesn’t make sense.

      “Intuit officials declined to address Lyons’ recorded comments specifically”

      Your entire statement failed to address what Mike Lyons said. Why?

  7. MICHELLE

    WOULD NOT RECOMMEND TURBO TAX. Grand total $106 for my return. Just felt deceiving that they wait till the very end to tell you “hey now that you’ve done all the work… we are gonna rip you off.” I was expecting a charge of maybe $40 bc I looked at their charges on the website, boy was I wrong.
    I will say it is easy to file with their website, but I’d rather do a little more work and wait a little longer so I can keep my $106 dollars.

    Lesson learned though, do your homework about companies.

  8. NotMe

    Wow, what a great piece of reporting!
    Thanks to the guys who came forward and to Brian for another great article. You always do a great job, in depth, fact based, the kind of stuff we can’t get anywhere else.

    Thank-you Kindly!

  9. Kyle

    “Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.” — except they weren’t reporting it, that’s the point. If they don’t report it, they don’t get rejected, and if it doesn’t get rejected, they get paid – after all, he didn’t say they don’t get paid if they DO get accepted, now did he?

    1. Kyle

      by the way, note that Williams points out about suspicious return reports not being a definite rejection, however he fails to include what happens if NO report is filed, where even a potential influence on whether or not it gets accepted, is not present, let alone a likeliness of 80%. Quite the opposite.

  10. Bob Brown

    What Intuit seems to be missing is that for every fraudulent return, a legitimate taxpayer is disadvantaged. I’d pay a premium for tax software that aggressively checked for fraud so long as I was allowed to challenge a false positive by proving my identity.

  11. pfffff

    blah blah I didn’t see anything about why these two douches are FORMER employees. I’d wager that, they want to see more than certain changes made, like money in their pockets.

    1. ffffp

      “they want to see more than certain changes made, like money in their pockets.”

      Interesting take. How would they monetize this?

  12. FKA Curmudgeon

    There are two elements to the tax fraud situation that haven’t been mentioned. First is the galling complexity of the tax code. Simplify the code and the IRS could spend more time working on anti-fraud measures. Second is the continuing GOP war on the IRS. It is one of their favorite whipping boys and they keep cutting its funding, making it more difficult for the IRS to audit taxpayers or implement better fraud detection.

    1. Steve

      The IRS has been a “favorite whipping boy” of the GENERAL PUBLIC for decades, and that’s not dependent on any party affiliation. Guess what? They deserve it. Sure, we can blame all sorts of folks for the nightmare we call the tax code, but the IRS itself has been a major pain in the ass to just about everyone at one time or another and in one way or another.

  13. E.G.

    Every time I think I can’t be shocked further by the shady business practices of a big corporation, it turns out I’m wrong.

  14. Poster

    Money laundering is illegal.
    Assisting or facilitating money laundering is illegal.
    What makes this any different?

  15. Sandi

    Ok..now where do we Turbo users go to do our online returns?

    I’m not comfortable using TT after reading about them in this article.

    Why in the world wouldn’t they do everything they could to protect people?

    I’m pretty disgusted because TT is not cheap and it feels creepy to know they don’t care about being a stickler on security considering how many people are going thru them and exposing their financial lives at that!

    The fact that they actually had people who wanted to tighten the security but they didn’t agree? So, let the fraud continue? No, DO SOMETHING TURBO!

    Again, who has the best security for online tax returns now?

    The IRS should fine all of these companies if they feel that they’re not using the utmost in security to stop fraud once it’s realized that there is a high % of fraudulent returns.

  16. Dave

    I have been using TurboTax for 6 years. When I went to file my federal return last night I received an error message. My TIN was already used for the 2014 tax year. I called TT and they told me I must have filed twice. Well, I called the IRS today and they told me that on the 14th there were multiple attempts to file my return and they were all rejected. Then on the 17th one more attempt and it was accepted. The refund already went out. So I’ll be waiting 6+ months to get my refund. Thanks TurboTax.

  17. thanks for the refund

    these tax filing companies need to be sued out of existence. why are you all so surprised at this. don’t tell me you didn’t see it coming, because it stands out like a russian lie because that’s where all your money is going of late. get your billions back Am3riKa!

  18. JJ

    Intuit shouldn’t worry so much about profits as senior management incompetence. They committed one of the most epic fails in corporate history when they divested themselves of Digital Insight in 2013, an online banking provider for small banks.

    Intuit bought DI in 2007 for 1.3 billion dollars. http://www.americanbanker.com/btn/20_1/-299029-1.html

    In 2013 they sold it for a billion dollars to Thoma Bravo, a private equity firm, losing 300 million dollars plus all of their time and capital investments.

    Three MONTHS later, Thoma Bravo sold Digital Insight to NCR for 1.6 billion.

    http://fortune.com/2013/12/03/how-thoma-bravo-made-600-million-in-3-months/

    So they blew a billion dollars in six and a half years. Why a shareholder lawsuit against Intuit hasn’t occurred is way beyond me.

    1. Ken

      OMG! that’s incredible…. but to be fair, the acquisition was done by previous CEO, Steve Bennett, while the sale was done by current CEO Brad Smith. Either way, as a whole, there does seem to be a deficiency in their competence.

      Although, now that I think about it, if they can’t do security right for the online tax industry, it must have been a greater liability being in the financial services industry where there are more regulations to comply with. Perhaps the urgency to divest Digital Insight was to relieve themselves of that liability since they don’t have a clue about security. Just speculating…

    2. JJ2

      Ah yes, Digital Insight. That seemed a bit odd indeed. The stock has gained ~50% since Intuit dumped that company (and market cap gained 9 billion) so the shareholders are probably not complaining that much. Rumor is that Mr. MacDougall is in fact working for DI now. The irony.

      Can anyone guess why these disgruntled former employees didn’t act while they were receiving generous paychecks from Intuit, but only after their employment with the company ended?

      1. 2JJ

        “Can anyone guess why these disgruntled former employees didn’t act while they were receiving generous paychecks from Intuit, but only after their employment with the company ended?”

        What’s your guess?

        1. mark

          Both employees quit and both tried to change from the inside. Seems they valued integrity over compromise more than Intuit’s own security officer and Executives.

          1. 2mark

            Both employees “worked from home” most of the time so they could pursue their side gigs, keep up with social media and start their own companies while they were on Intuit’s clock.
            New management came in and cramped their style.

            1. 3mark

              Interesting how you Intuit guys are trying to smear the employees who reported this, rather than address the allegations they’ve raised. Scared much?

              Did Mr MacDougall or Mr. Lee force Mr. Lyons to state that Intuit has been putting profits over its customer’s security? Nope. Did they force him to say that implementing good security would force them to lose fraudulent traffic (a good thing in my book btw)? No they didn’t. Intuit is being judged over its own actions, not those of the whistleblowers.

              How about you address the issues at hand before you try smearing the messengers. You guys do understand that this only makes you look afraid right? I have a feeling Intuit is in quicksand and just doesn’t know it yet. The more they thrash around, the deeper they sink themselves.

              Give it up – address the allegations. Although I have a feeling the IRS and Congress will be doing that as well.

              1. CooloutAC

                I understand Intuit’s position. In this country we have an innocent until proven guilty motto. Which means we would rather let thousands of people go free than ruin one innocent person’s life.

                Meaning the IRS can really ruin your life, or if a tax return is delayed and some poor person is depending on that money, that can also ruin their life. Sort of like how BK is always explaining that sometimes robbing someone’s credit is not a victimless crime either. When funds get delayed for any reason it can hurt people.

                Also, “suspicion” is not enough to go on. Another point that Intuit has, that is not wrong, is that it wouldn’t stop fraud for the taxpayer because they will just go to another company. But this is one way to put a foot on the government’s ass to pass regulations.

                1. CAtuolooC

                  “I understand Intuit’s position. In this country we have an innocent until proven guilty motto. Which means we would rather let thousands of people go free than ruin one innocent person’s life.”

                  You seem to have things backwards here. From what’s being discussed, Intuit incentivizes lives being ruined by making it easy to perform tax fraud through their system. They further seem to be putting their customer’s identity at risk by not providing adequate authentication/security controls to protect access to the account.

                  1. CooloutAC

                    You’re the one who responds with backward screen names Mr backwards lol.

                    I don’t think it’s true that Intuit lets a single account attempt to file returns on 100 diff social security numbers. And if they do indeed do that, wouldn’t a smarter solution be to only let them attempt returns on 5 social security numbers? And afterwards deny any attempt with a social different than the first 5?? And we are only assuming Intuit doesn’t do this in the first place, or am I missing something?

                    And how would a honeypot stop anything except hurt innocent people, IF as Intuit says, the crooks will just move on to another service provider? How is anything but regulations going to help the taxpayer?

                    And to even have a honeypot one has to prove “100%” as these former employees claim, that these accounts are fraudulent? I don’t see how they can do that. A honeypot is after the fact, how do they prove they are fraudulent in the first place?

                    1. CooloutAC

                      I agree with Intuit that anything other than laws and regulations is not really helping the taxpayer. Nothing will change if it’s true, which they seem to have proven, that the crooks just move on to a competitor service. The ONLY thing that WILL change with a honeypot idea, is that potentially people who weren’t going to be hurt in the first place, then might be.

                      Maybe this will get the ball rolling with Congress though.

                    2. CAtuolooC

                      “I don’t think it’s true that Intuit lets a single account attempt to file returns on 100 diff social security numbers.”

                      They do allow this. You can try it for yourself at turbotax.intuit.com.

                      “And if they do indeed do that, wouldn’t a smarter solution be to only let them attempt returns on 5 social security numbers? And afterwards deny any attempt with a social different than the first 5?”

                      There are many additional controls to try, but yes, I think you have the right idea.

                      “And we are only assuming Intuit doesn’t do this in the first place, or am I missing something?”

                      You are missing something. Not an assumption. It’s a fact. One you can verify yourself right now.

                      “And how would a honeypot stop anything except hurt innocent people, IF as Intuit says, the crooks will just move on to another service provider?”

                      That’s kind of the point. Intuit is seemingly knowingly servicing criminals. They’re correct in wanting all preparers to enact similar anti-fraud controls, but they’re failing their customers, and the American people, by putting short term profits ahead of the bigger picture. By “building a better mousetrap” and eliminating fraud from their system, and pushing the fraud to their competition, they’d have a much stronger leg to stand on to tell the IRS to make everyone use the same controls that they’ve proven to be effective.

                      “How is anything but regulations going to help the taxpayer?”

                      That process has to start somewhere. Can’t legislate requirements that haven’t been proven out. Chicken/Egg sort of problem.

                      “And to even have a honeypot one has to prove “100%” as these former employees claim, that these accounts are fraudulent? I don’t see how they can do that. A honeypot is after the fact, how do they prove they are fraudulent in the first place?”

                      I tend to agree with you here. The honeypot idea sounds pretty dumb. I think they put forth many other control ideas though that would be more effective.

                      “Maybe this will get the ball rolling with Congress though.”

                      Likely will.

              1. CooloutAC

                @Mr. Backwards,

                Well I disagree, because if we don’t pressure the IRS themselves and instead pressure Intuit to make changes to its own system, then the “process” will go nowhere. The problem will be swept under the rug, along with Intuit. And some competitor will take their place and the fraud will continue to grow. How do you propose we pressure every company? IMO, Intuit is doing the right thing by pressuring the gov’t.

                And, I guess to play devil’s advocate again, as you say, even if they limit emails to only 5 socials. As you have said, someone can just make multiple emails.

                So what are these other, more, controls that you would suggest to stop that? I always suggest verifying cell phone numbers for accounts. But believe it or not some poor people don’t have cell phones or limited texts and minutes. And these are probably the people depending on their return the most.

                I think the biggest problem, is that the IRS will send a refund check to anywhere, without any questions. I can tell the IRS to send a refund check to the cardboard box in an alleyway outside a local crackhouse and they probably would…lol. I think that’s what makes it easiest for these fraudsters and something that’s always baffled me.

                If we only blame Intuit and their debit cards, well then that takes the pressure off the IRS.

                1. CooloutAC

                  These former employees are the ones who gave Intuit “a leg to stand on,” because now the pressure is on the IRS.

                2. TT Fraud Victim

                  While I agree the IRS needs to improve, in my case it was the IRS Systems that stopped the fraud filing as they obviously flagged data that did not make sense.

                  My focus on TT and any e.file provider is there seems to be a lack of responsibility and consumer protection requirements to ensure filings sent to federal and state governments through private company systems are legitimate.

                  If they were liable and possibly fined for fraudulent filings unless they put specific security controls in place that reduced fraud it would become part of doing business if you want to make a profit processing Americans’ private financial information for tax returns.

                  This is exactly what banks and credit card issuers do to merchants: they require them to put specific controls (PCI) which require annual audits to confirm. If not compliant they can be fined or ability to process credit cards can be pulled. Also if a breach happens and they are not compliant they become liable for losses.

                  So before anyone hops on the Government burdening to private business what I described above is private sector sharing risk and responsibility in order to maintain security for individual consumers.

                  1. CooloutAC

                    IMO, these fraudsters don’t need companies like TT to exist. It’s just convenient.

  19. Quinn

    Are we really looking for a solution or are just killing time?

    The IRS, as everyone knows, has powers that are outside the law (reminding me more of the gestapo than a government agency.)

    It operates without due process. (It can freeze your assets preventing you from taking it to court, even though you may have an open & shut case.)

    Why not just make the IRS more functional & transparent by having it create the software that tells you exactly how much you owe.

    Shouldn’t that really be their job anyway, instead of putting their requirements in printed form that is often too vague to really be sure how much you legally owe?

    It’s got the funds, over $3 trillion to date, & it’s just February. Make them produce something useful for a change instead of an almost incomprehensible (to the average person) set of documents.

    This is the 21st century, for Pete’s sake, & it has precedents (Lightweight Portable Security Linux (LPS) is produced & maintained by the Department of Defense. )

    But Intuit could be a major contributor to someone’s campaign fund, I suppose, then the idea is dead in the water.

    1. JustSayin

      Yes the IRS brings in trillion+ dollars in revenue…..to run the entire federal government and not just that agency! How do you think our military and highway projects get funded? And all of those documents shoveled out by the IRS. Well, you can thank Congress for that mess. The Tax Code is a result of Congress passing all of those complex tax laws and creating loopholes. Not the IRS. Did you not learn anything during your high school civics class? You know, the public education you received partially funded by federal (but mostly local/state) taxes.

  20. ShaunBarry

    Kudos, Brian! This is one of the most insightful articles I have read on the topic of SIRF. A couple of comments:

    1. As our Founding Fathers intended, states continue to be the laboratories of democracy. Several state DOR’s are implementing highly sophisticated models to detect and stop refund fraud — whether it comes as a result of identity theft or from ol’ fashioned cheating. These states are starting to see eye-opening results through prevented and recovered fraudulent claims and payouts. Kentucky, Louisiana, New Jersey, and New York are among the leaders. Here is a specific example (Kentucky DOR), where they are having great initial success to help fight fraud: http://blogs.sas.com/content/statelocalgov/2015/02/06/analytics-making-a-difference-in-tax-fraud-kentucky-protects-taxpayer-money-uncovers-fraud-schemes/.

    2. Some of the folks that you interview imply that there is a trade-off between paying tax refunds quickly and paying them correctly. To be clear, this is a false trade-off. Credit card companies are able to make sub-second decisions on whether a credit card transaction is valid. Tax agencies don’t have this same pressure to make a sub-second decision — in the worst case, they have an overnight batch process during which they must make a decision to pay a refund. That’s an eternity, if you choose to use advanced analytics instead of outdated business rules and/or manual reviews.

    1. Moike

      >Some of the folks that you interview imply that there is a trade-off between paying tax refunds quickly and paying them correctly.

      The Intuit arguments completely overlook the disservice they do to the real taxpayer who files later than a thief (possibly using their product). The genuine filer and victim must wait 6 to 14 months for the investigation to complete and finally get their refund.

  21. Richard Toland

    Separate from the topic of this story, I often wonder why any sane person would electronically file a state or federal return via a 3rd-party online platform, such as Intuit/TurboTax, H&R, etc.

    If a person chooses to file electronically, wouldn’t it make more sense to file directly into the state and fed system(s) instead of parking this most sensitive data on a 3rd-party platform (potentially managed by epic boobs) AND on the required state and federal platforms?

    1. Bob

      Richard,

      If you can tell me how I can file electronically directly to the feds, I’ll gladly do so. I’ve heard of some ways for low income people to do so, but I don’t fit in that category.

      1. David Hoffman

        For the federal government I think you can use the Free Fillable Forms at:

        http://www.irs.gov/uac/Before-Starting-Free-File-Fillable-Forms

        http://www.irs.gov/pub/irs-utl/Free-File-Fillable-Forms-Get-Started.pdf

        http://www.irs.gov/pub/irs-utl/Free_File_Fillable_Forms_User_Guide.pdf

        Fillable, electronic versions of the paper forms. Must know how to do your taxes yourself. Does math; offers only basic guidance. State tax prep is not available.

        Some states have similar programs.

  22. Elaine

    OMG, I just used Turbo tax to do my tax. I sure hope I don’t get taken advantage of. I did not know there was a problem until someone just this minute told me about it. My tax return is next to nothing so hopefully no one messes with me. The good thing is the problem has been publicized and that should put wrongful doing to a stop.

  23. peter

    Several forums for Mac users have complaints that Turbo Tax for Mac uploads the return to Intuit even when they want just to print locally and file paper copies. The Windows version does NOT upload the return unless you want to file electronically.

    So I wonder if there’s a difference in fraud between Mac users and Windows users?

  24. Dave

    So the IRS needs to prove TurboTax complicit in fraud, have a judge fine them the earnings from fraud and then add to that the proceeds made of those fraudulently obtained monies.

    I’m surprised the card vendors aren’t rolling dockets of fines to them on the back of this deliberate negligence too.

    Crime should not pay. Corporate or otherwise.

  25. Linda

    Went to file taxes yesterday via Turbo Tax. Received an error message that the social security number has already been used to file a return. After waiting on hold for an hour the representative informed me that someone created a new account and used my husband and my social to file taxes. They claim their system wasn’t compromised and our social security numbers were breached from an outside source.
    Okay, as a customer of Turbo Tax for 7 years did it not set off any alarm on their end that someone created a new account with our social security numbers when 2 weeks before this happened I had already used our real account to enter in almost all the information? Wouldn’t there be SOME security in place to cross reference this??? This is just scary!!!! Never again Turbo Tax!!!!

    1. CooloutAC

      Ya it’s crazy they didn’t have two factor authentication. It should be a law for their business. One method I like is sending a notice to your cell phone for you to confirm by text message or even voice. But then what if you don’t have a cell phone?

      BK has articles about how bulks of socials, and even secret question answers on people are sold online. If there was no Turbo Tax they might have just done it the old fashioned way or used another service.

      I think the main problem is the IRS themselves repeat what Intuit says about getting people refunds as quickly as possible. But they should probably have more control over where the refund is sent to. That’s something I never understood, and is the fault of the IRS themselves.

      1. TT Fraud Victim

        While I agree the IRS needs to improve, in my case it was the IRS Systems that stopped the fraud filing as they obviously flagged data that did not make sense.

        My focus on TT and any e.file provider is there seems to be a lack of responsibility and consumer protection requirements to ensure filings sent to federal and state governments through private company systems are legitimate.

        If they were liable and possibly fined for fraudulent filings unless they put specific security controls in place that reduced fraud it would become part of doing business if you want to make a profit processing Americans’ private financial information for tax returns.

        This is exactly what banks and credit card issuers do to merchants: they require them to put specific controls (PCI) which require annual audits to confirm. If not compliant they can be fined or ability to process credit cards can be pulled. Also if a breach happens and they are not compliant they become liable for losses.

        This is how the Private sector ensures a safe consumer environment and spreads risk and responsibility across the credit card eco system. Seems the Tax filing system should look at it as a model.

        1. CooloutAC

          Unlike banks and credit cards, these fraudsters don’t need companies like TT to exist to commit their fraud.

          1. TT Fraud Victim

            Fraudsters will always be there is to make it harder for them and minimize their impact to consumers and taxpayers. If caught on TT systems it makes the impact minimal than sending to IRS or state.

            1. CooloutAC

              As Intuit says, they aren’t the ones denying anybody. Just flagging a return as suspicious. It’s still going to go to the IRS and it’s up to them to make the final decision.

  26. Jonathan

    Our mutual friend, Lawrence, should have the inside track on this reward.

  27. TT Fraud Victim

    Here’s something to ponder that I am struggling with.

    How do you feel about having a private company that you no longer do business with hold your old tax returns?

    Should you have a right to force them to delete this data?

    Do they have a right to hold it indefinitely?

    For anyone who has used an online preparer these questions hold pause if the private company basically now owns that information.

    1. CooloutAC

      I still can’t believe Experian only got a slap on the wrist for selling our personal info to a hacker. And then claimed they knew nothing about it, even though the money was right on the books.

  28. Steve

    Anybody notice an important implication here? If Intuit is driven to not reduce the fraud flow because of noticeable reduction in revenue, then tax ID fraud is more than a small fraction. I believe that it is a very large problem driven by the idiosyncrasies of our tax system. It’s not just using another’s credentials without their permission and filing before they do, which in itself is a large problem, but it also includes filing for low income people who normally don’t file and getting refunds through the tax credits. This can be done without their knowing participation.

    1. Ken

      I suspect you may be right, I don’t think it is insignificant revenue to Intuit. Their response here and elsewhere already indicate they DO PROFIT from fraudulent tax returns *that are successful* and accepted by the IRS. Just read between the lines of what they’ve been stating and it becomes clearer.

      Furthermore, looking back at the earlier comment by “Angry About”, if that person’s posting is true, for the 2012 tax year Intuit made $300M in revenue from successfully filed fraudulent tax returns.

      I think there are definitely some truths in the comments posted here. I don’t know if they are by Mr. Lee or Mr. MacDougall, but I have to wonder if there may be some Intuit insiders that are commenting here since some of the details are rather esoteric and revealing.

      Take for example, the post by Matt Johnston supporting Shane. A LinkedIn search reveals there is a Matt Johnston who works on the Intuit security team. So, there must be other Intuit insiders that know the truth that Lee and MacDougall are unveiling for us. I wouldn’t be surprised if we see more ex-Intuit employees or Intuit insiders start coming out of the wood work on this issue.

      1. Matt Johnston

        I recently became aware of comments posted to this article using my name (Matt Johnston). I am the Matt Johnston who works at Intuit, as you can verify with my related comment posted to LinkedIn page regarding this matter. Previous comments posted here under the name “Matt Johnston,” were in fact NOT written by me. Someone appears to be using my name fraudulently, or the comments posted in support of Shane McDougall were written by another Matt Johnston unaffiliated with Intuit.

        I (the Matt Johnston who does work at Intuit) DO NOT support Shane McDougall, his opinions, his actions, or his accusations in any way.

        1. LMAO

          I can’t be the only one enjoying the delicious irony of an Intuit employee complaining that someone fraudulently stole his identity. Lololololololol….. tone deaf or what?

        2. Captain Obvious

          Wait, did an Intuit employee (Matt) really just complain about their identity being stolen and used without their permission?

          Oh the irony. 🙂

        3. Lucas Moody

          I can’t be the only one enjoying the delicious irony of an Intuit employee claiming that someone has fraudulently used his identity. LOLOLOLOLOL. Tone deaf or what?

  29. Area Hedge Fund Operator

    Intuit can expect multiple lawsuits easily resulting in billions in damages and lost business over this (this being multiyear accessory to mass identity theft and refund transfer fraud).

    Intuit stock, INTU, is currently comically overpriced ($97) relative to this brewing massive scandal.

    Now why in the world would Intuit CEO Brad Smith on Feb 23, 2015 sell 192,237 shares of INTU stock ($18,487,432)? That’s 18 and a half million dollars drenched in identity theft, Brad.

    1. CooloutAC

      I doubt anything will happen to them over this issue, because it wasn’t their data that was compromised. Crooks are just using their service. They def should have two factor authentication, but the ball is passed to the IRS to make those regulations. Intuit has said all the right things.

      The thing that hurt them bad was forcing people with deluxe package to buy the more expensive premier package. Which I think they now offered refunds and retracted, after a huge backlash, I could be wrong. Maybe that was Brad Smith’s boneheaded greedy idea.

      The fraud allegations might have something to do with the fact, apparently, TT has like 30 million customers, while their closest competitor only has like 8? haha

      The real root of the fraud problem is the IRS sends a refund check to any address. TT just makes it convenient for them.

      1. null

        That is what I thought until I went looking today.

        No, the address is unimportant. The fraudsters supply a credit card or bank account number to be used for the refund.

  30. cheri

    I logged onto Turbo Tax Feb 2 and found out a return had already been filed on Feb 1st. I understand that there are bad people in the world, but someone filing a fraudulent tax return in my name was completely preventable.
    First, I’ve always filed with Turbo Tax, and I find it ridiculous that someone was able to create a second account using my same social. I can’t even make a second Walmart account with the same email without getting a message “this email is already in use”. I don’t see why our socials should be any different.
    Second, I work part time. The income reported by the fraudster is about FOUR times my AGI from last year. You’d think this would have been a red flag!
    Third, despite notifying TurboTax, the IRS, and the FTC on Feb 2nd (the day after the fraudulent return was made), the crook got their money on Feb 9th. Plenty of people won’t find out they’re victims of fraud until weeks, or even months later. But to not stop a known case of fraud with a week’s notice is just nauseating. No wonder there are billions of dollars stolen every year if the IRS fails to stop even the reported cases of tax fraud!
    So, while this fraudster got their money within a week, the innocent victim is forced to wait an estimated six months before they’ll see their tax return. An excellent case of punishing the victim.

    1. TT Fraud Victim

      Sorry to hear cheri. Also feel your sentiment that in today’s age of identity theft we should expect much more sophisticated prevention checks from Tax Preparation services especially one that dominates the market.

      1. CooloutAC

        Reading Cheri’s comment still points to the IRS. If TT didn’t exist, both of you would still be victims, regardless.

        Instead of attacking the industry leader, maybe we should fix the real root of the problem. Focusing on TT only helps their competitors, not the taxpayers.
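The cross-checks raised in Linda's and cheri's comments above (a Social Security number turning up under a new account, and reported income several times the prior year's), sketched as an added example that is not part of any comment and not Intuit's or the IRS's logic. The record fields, the 3x threshold and the sample filings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

INCOME_JUMP_RATIO = 3.0  # assumed threshold, not a value from the article


@dataclass(frozen=True)
class Filing:
    account_id: str         # preparer account that submitted the return
    ssn: str                # taxpayer identifier (constructed, never-issued values)
    tax_year: int
    reported_income: float


def review_flags(filing, history):
    """Return the reasons to hold `filing` for manual review.

    `history` holds returns already accepted through the preparer.
    An empty list means none of the checks fired.
    """
    same_ssn = [h for h in history if h.ssn == filing.ssn]
    prior = [h for h in same_ssn if h.tax_year < filing.tax_year]
    flags = []

    # Linda's case: the SSN was already filed this year from another account.
    if any(h.tax_year == filing.tax_year and h.account_id != filing.account_id
           for h in same_ssn):
        flags.append("ssn_already_filed_this_year")

    if prior:
        # A long-time customer's SSN showing up under a brand-new account.
        if filing.account_id not in {h.account_id for h in prior}:
            flags.append("ssn_seen_under_other_account")

        # cheri's case: income far above the most recent prior return.
        latest = max(prior, key=lambda h: h.tax_year)
        if (latest.reported_income > 0 and
                filing.reported_income >= INCOME_JUMP_RATIO * latest.reported_income):
            flags.append("income_jump")

    return flags


# Constructed sample data: one long-time customer, then a look-alike filing.
HISTORY = [Filing("acct-longtime", "000-00-0001", 2013, 20000.0)]
LOOKALIKE = Filing("acct-new", "000-00-0001", 2014, 80000.0)
GENUINE = Filing("acct-longtime", "000-00-0001", 2014, 21000.0)

if __name__ == "__main__":
    print(review_flags(LOOKALIKE, HISTORY))              # look-alike filed first
    print(review_flags(GENUINE, HISTORY))                # genuine filer, clean history
    print(review_flags(GENUINE, HISTORY + [LOOKALIKE]))  # genuine filer arrives second
```

A flag here only holds a return for review; first-time filers have no history, so these checks say nothing about them.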

Comments are closed.