March 5, 2015

Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.


As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven’t seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.

Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.

NO EMAIL VALIDATION

Intuit fails to take basic steps to validate key account information, such as email addresses and mobile numbers, and these failures have limited the company’s ability to enact stricter account security measures. In fact, TurboTax still does not require new users to verify their email address, a basic security precaution that even random Internet forums which don’t collect nearly as much sensitive data require of all new users.

Last month, KrebsOnSecurity featured an in-depth story that stemmed from information provided by two former Intuit security employees who accused the company of making millions of dollars knowingly processing tax refund requests filed by cybercriminals. Those individuals shared a great deal about Intuit’s internal discussions on how best to handle a spike in account takeovers and fraudsters using stolen personal information to file tax refund requests on unwitting consumers.

Both whistleblowers said the lack of email verification routinely led to bizarre scenarios in which customers would complain of seeing other people’s tax data in their accounts. These were customers who’d forgotten their passwords and entered their email address at the site to receive a password reset link, only to find their email address tied to multiple identities that belonged to other victims of stolen identity refund fraud.

In mid-February, Intuit announced that it would begin the process of prompting all users to validate their accounts, either by validating their email address, answering a set of knowledge-based authentication questions, or entering a code sent to their mobile phone.

In an interview today, Intuit’s leadership sidestepped questions about why the company still does not validate email addresses. But TurboTax Chief Information Security Officer Indu Kodukula did say TurboTax will no longer display multiple profiles tied to a single email address when users attempt to reset their passwords by supplying an email address.

“We had an option where when you entered an email address, we’d show you a list of user IDs that were associated with that address,” Kodukula said. “We’ve removed that option, so now if you try to do password recovery, you have to go back to the email associated with you.”
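The two recovery behaviours Kodukula describes, side by side, as an added example that is not Intuit’s code: `recovery_old` reproduces the removed option (enter an address, get back the list of user IDs tied to it), while `recovery_new` answers every request with the same message and sends a single-use, expiring link only to the mailbox on file. The user store, the addresses and the 15-minute token lifetime are constructed for the example; the outbound mail is captured in a list instead of being sent.

```python
import hashlib
import secrets
import time

# Constructed sample user store: one email address tied to two user IDs,
# the situation the former employees described.
USERS = {
    "alice_1999": {"email": "alice@example.com"},
    "jdoe_tax":   {"email": "alice@example.com"},
    "bob":        {"email": "bob@example.com"},
}
RESET_TOKENS = {}   # sha256(token) -> (user_id, expiry); the raw token is never stored
SENT_MAIL = []      # captured outbound mail, standing in for an SMTP call
TOKEN_TTL = 900     # seconds a reset link stays valid (assumed value)


def recovery_old(email):
    """The removed behaviour: list every user ID tied to the address on the
    page, so anyone who can type an email address learns which accounts
    exist and which profiles share it."""
    return [uid for uid, rec in USERS.items() if rec["email"] == email]


def recovery_new(email, now=None):
    """Fixed flow: the page shows the same message whether or not the address
    is registered, and the account-specific part (a single-use, expiring
    link) goes only to the mailbox on file."""
    now = time.time() if now is None else now
    for uid, rec in USERS.items():
        if rec["email"] != email:
            continue
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (uid, now + TOKEN_TTL)
        SENT_MAIL.append({"to": email, "user_id": uid, "token": token})
    return "If that address is registered, a password reset link has been sent to it."


def redeem(token, now=None):
    """Exchange a reset token for the user ID it was issued to, once; returns
    None for unknown, already-used or expired tokens."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None:
        return None
    uid, expiry = rec
    return uid if now <= expiry else None
```

When several profiles share one address, the fixed flow still sends one link per profile, but only the person who controls the mailbox sees them, which is exactly the party who should notice that strangers’ profiles are tied to their address.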

NO PHONE VALIDATION

As previously stated, TurboTax doesn’t require users to enter a valid mobile phone number, so multi-factor authentication will not be available for many new and existing customers. More importantly, in failing to require customers to supply mobile numbers, Intuit is passing up a major tool to combat fraud and account takeovers.

Verifying customers by sending a one-time code to their mobile that they then have to enter into the Web site before their account is created can dramatically drive up the costs for fraudsters. I’ve written several stories on academic research that looked at the market for bulk-created online accounts sought after by spammers, such as free Webmail and Twitter accounts. That research showed that bulk-created accounts at services which required phone verification were far more expensive than accounts at providers that lacked this requirement.

True, fraudsters can outsource this account validation process to freelancers, but there is no denying that it increases the cost of creating new accounts because scammers must have a unique mobile number for every account they create. TurboTax should require all users to supply a working mobile phone number.

NO NOTICE OF ACCOUNT CHANGES

Until very recently, if hackers broke into your TurboTax account and made important changes, you might never know about it until you went to file your return and received a notification that someone had already filed them for you. This allowed fraudsters who had hijacked an account to wait until the legitimate user had filled out their personal data, and then change the bank account to which the refund would be credited.

On Feb. 26, 2015, Intuit said it would begin notifying customers via email if any user profile data is altered, including the account password, email address, security question, login name, phone number, name or address.
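A minimal version of that notification rule, as an added example rather than Intuit’s implementation: compare two snapshots of a profile, report which of the listed fields changed (names only, never values), and send the notice to the address on file before the change as well as to the new one when the email itself was altered. The field list is the one Intuit announced plus the refund deposit account, which this example adds because the article describes it as the field fraudsters change; the profile data is constructed.

```python
# Fields whose change triggers a notice: the list Intuit announced, plus the
# refund deposit account (an assumption about a deployment's schema, added here
# because the article names it as the field hijackers alter).
WATCHED_FIELDS = ("password_hash", "email", "security_question", "login_name",
                  "phone", "name", "address", "refund_bank_account")


def profile_change_notices(before, after):
    """Compare two snapshots of a profile and return the notices to send.
    Only field names are reported, never values, so a notice about the
    password or the bank account carries nothing worth intercepting."""
    changed = [f for f in WATCHED_FIELDS if before.get(f) != after.get(f)]
    if not changed:
        return []
    # The address on file before the change always gets a notice; if the email
    # itself changed, the new address is told as well, so the change is
    # visible from both sides and the old owner cannot be silently cut off.
    recipients = {before["email"]}
    if "email" in changed:
        recipients.add(after["email"])
    body = "The following fields on your account were changed: " + ", ".join(changed)
    return [{"to": to, "body": body} for to in sorted(recipients)]
```

Sending to the pre-change address is the part that matters against the scenario in the previous paragraph: a hijacker who swaps the email first and the bank account second would otherwise be the only recipient of the second notice.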

NO ‘KNOW YOUR CUSTOMER’ VALIDATION

According to the interviews with Intuit’s former security employees, much of the tax refund fraud being perpetrated through TurboTax stems from a basic weakness: The company does not require new customers to do anything to prove their identity before signing up for a TurboTax account. During the account sign-up, you’re whoever you want to be. There is no identity proofing, such as a requirement to answer so-called “out-of-wallet” or “knowledge-based authentication” questions.

Out-of-wallet questions are hardly an insurmountable hurdle for fraudsters. Indeed, some of the major providers of these challenges have been targeted by underground identity theft services. But these questions do complicate things for fraudsters. Intuit should take a cue from credit score and credit file monitoring service creditkarma.com, which asks a series of these questions before allowing users to create an account. And, unlike turbotax.com — which will happily let multiple users create accounts with the same Social Security number and other information — creditkarma.com blocks this activity.

Kodukula said Intuit is considering requiring out-of-wallet questions at account signup. This is good news, because as I noted in last month’s story, Intuit’s anti-fraud efforts have been tempered by a focus on zero tolerance for “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious. Given that focus, Intuit should do everything it can to prevent fraudsters from signing up with its service in the first place.
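An added example, not Intuit’s or Credit Karma’s code, of a sign-up gate that combines two of the points above: the phone-verification step from the “No Phone Validation” section (a one-time code sent to the mobile, verified before the account exists, with the rule that each number backs only one account) and the duplicate-identity block this section credits creditkarma.com with (a second account on an SSN already on file is refused). The code lifetime, guess limit, keyed-hash secret, phone numbers and SSNs are all constructed; the SMS gateway is replaced by a list that captures what would be sent.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600           # seconds a one-time code stays valid (assumed value)
MAX_ATTEMPTS = 5         # wrong guesses allowed per code (assumed value)
SSN_INDEX_KEY = b"constructed-secret-for-this-example"  # would live in a KMS/HSM

PENDING = {}    # phone -> {"code_hash", "expires", "attempts"}
ACCOUNTS = []   # created accounts: {"login", "ssn_tag", "phone"}
SENT_SMS = []   # captured messages, standing in for an SMS gateway


def _code_hash(phone, code):
    return hashlib.sha256(f"{phone}:{code}".encode()).hexdigest()


def _ssn_tag(ssn):
    # Keyed hash for the uniqueness index: a plain SHA-256 of a nine-digit SSN
    # is cheap to reverse by enumeration; with a secret key the stored tag is
    # useless to anyone who copies the table.
    return hmac.new(SSN_INDEX_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def start_verification(phone, now):
    """Issue a six-digit code to the phone; only its hash is kept server-side."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[phone] = {"code_hash": _code_hash(phone, code),
                      "expires": now + CODE_TTL, "attempts": 0}
    SENT_SMS.append({"to": phone, "code": code})


def verify_code(phone, code, now):
    """Single-use check with expiry and a guess limit; constant-time compare."""
    p = PENDING.get(phone)
    if p is None or now > p["expires"]:
        PENDING.pop(phone, None)
        return False
    p["attempts"] += 1
    if p["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(phone, None)
        return False
    if not hmac.compare_digest(p["code_hash"], _code_hash(phone, code)):
        return False
    PENDING.pop(phone)
    return True


def create_account(login, ssn, phone, code, now):
    """Create an account only after the phone has been verified, and refuse a
    second account on the same phone or the same SSN. The phone check comes
    first so that probing which SSNs are on file costs a verified number."""
    if not verify_code(phone, code, now):
        return "rejected: phone not verified"
    if any(a["phone"] == phone for a in ACCOUNTS):
        return "rejected: phone already registered"
    tag = _ssn_tag(ssn)
    if any(a["ssn_tag"] == tag for a in ACCOUNTS):
        return "rejected: identity already registered"
    ACCOUNTS.append({"login": login, "ssn_tag": tag, "phone": phone})
    return "created"
```

Ordering the checks this way is the cost lever the article describes: every probe of the identity index, like every account, first consumes a working mobile number that has not been used before.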

LAX ACCOUNT RECOVERY TOOLS

In an interview with KrebsOnSecurity last month, Kodukula said a recent spike in tax refund fraud at the state level was due in part to an increase in account takeovers. Kodukula said a big part of that increase stemmed from the tendency for people to re-use passwords across multiple sites. “This technique works because a fair percentage of users re-use passwords at multiple sites,” I wrote in that article. “When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.”
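The pattern quoted above leaves a recognisable trace in a site’s own login logs: one source address trying many different accounts in a short span, almost all of them failing, with the occasional success being the takeover. The following is an added detection example (not Intuit’s tooling) that runs over constructed audit lines in an assumed `ip=… user=… result=…` format; the addresses are from the RFC 5737 documentation ranges and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (RFC 5737 documentation addresses), not real
# data: 198.51.100.7 walks a list of leaked email/password pairs and one of
# them still works; 203.0.113.5 is one user mistyping a password twice.
LOG = """\
2015-02-10T03:14:02Z ip=198.51.100.7 user=alice result=fail
2015-02-10T03:14:05Z ip=198.51.100.7 user=carol result=fail
2015-02-10T03:14:09Z ip=198.51.100.7 user=dave result=ok
2015-02-10T03:14:12Z ip=198.51.100.7 user=erin result=fail
2015-02-10T03:14:15Z ip=198.51.100.7 user=frank result=fail
2015-02-10T03:14:19Z ip=198.51.100.7 user=grace result=fail
2015-02-10T03:20:40Z ip=203.0.113.5 user=bob result=fail
2015-02-10T03:20:55Z ip=203.0.113.5 user=bob result=fail
2015-02-10T03:21:10Z ip=203.0.113.5 user=bob result=ok
2015-02-10T08:02:00Z ip=203.0.113.9 user=heidi result=ok
"""

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_events(log):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def flag_credential_stuffing(log, window=timedelta(minutes=10),
                             min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try at least min_users distinct accounts inside
    one sliding window with mostly failures. A legitimate user who mistypes
    a password fails the distinct-user test; a stuffing run passes the ratio
    test because most stolen credentials no longer work. The successes from
    a flagged IP are the accounts to lock and notify."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_events(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "failures": sum(1 for _, _, r in events if r == "fail"),
                    "succeeded": sorted({u for _, u, r in events if r == "ok"}),
                }
                break
    return flagged
```

The `succeeded` list is the actionable output: those are the accounts where a reused password let the attacker in, and they need a forced reset and an out-of-band notice regardless of what happens to the source address.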

But according to the whistleblowers, Intuit has historically made it quite easy for fraudsters to hijack accounts by abusing TurboTax’s procedures for helping customers recover access to accounts when they forgot their account password and the email address used to register the account. Users who forget both of these things are prompted to supply their name, address, date of birth, Social Security number and ZIP code, information that is not terribly difficult to obtain cheaply from multiple ID theft services in the cybercrime underground.

In fact, the whistleblowers related a story about how they sought to raise awareness of the problem internally at Intuit by using TurboTax’s account recovery tools to hijack the TurboTax account of the company’s CEO Brad Smith.

Kodukula said that pursuant to changes made in the last two weeks, users who try to recover their passwords will now need to successfully answer a series of out-of-wallet questions to complete that process.

UNLINKED STATE RETURNS

As I wrote last month, a big reason why the spike in tax refund fraud disproportionately affected TurboTax is that until very recently, TurboTax was the only major do-it-yourself online tax prep company that allowed so-called “unlinked” state tax filings.

States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.

Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Intuit’s Kodukula explained. However, so far in this year’s tax filing season, Intuit has seen increases of between three- and 37-fold in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax. According to The Wall Street Journal, neither TaxAct nor H&R Block allowed users to file unlinked returns.


135 thoughts on “Intuit Failed at ‘Know Your Customer’ Basics”

  1. Dav

    Intuit appears to have declared war on its customer base. I, for one, after 10 years have switched to H&R Block. Worked fine.

  2. JR in Chicago

    Does this problem only affect online filers? Would filing by snail mail avoid the problem?

    1. Malcolm

      You’d avoid the problem filing over snail mail as long as you did the entire process manually/off-line. If you complete the work online and just print the forms to submit via snail mail, you’re just as vulnerable.

    2. CooloutAC

      Don’t think it matters. If they steal your TT password, most likely your personal computer is already compromised or you got phished, and they already have your social and information.

      The crooks could just use snail mail too. It would be more time consuming and costly for them, but it wouldn’t stop them.

      1. Answers

        Should tax data really be protected only by single factor authentication?

    3. timeless

      Depends which problem you’re talking about.

      1. Fraudsters creating an account with your (unverified) email address — not addressed by working offline
      2. Fraudsters creating an account with someone’s email address and your SSN (and filing because you do) — not addressed by working offline
      3. Thieves hijacking an account you created with TurboTax — addressed because the account doesn’t exist

  3. Doug

    I am now expecting several things to happen.

    – Class action lawsuit or similar from some victim.

    – Criminal charges against company officials with links to tax scammers.

    Should be amusing.

    1. CooloutAC

      Intuit is not liable for any of these victims, because first of all, Intuit’s data wasn’t breached, and they didn’t fail to follow any regulations.

      What I find amusing is that people don’t care how the crooks got their social and information or passwords, and they don’t care that the IRS sends a refund check to any address. Actually it’s not amusing, it’s sad and suspicious at the same time.

      1. null

        My social was stolen from a school I went to, not once but twice. That was a long time ago, 10 years maybe? So it’s too late to worry about it.

      2. Answers

        What is amusing is how often you (cooloutac) say Intuit isn’t at fault.

        1) Intuit knowingly facilitates SIRF – they allow anyone to file with any identity set – even if Intuit/turbotax already has an (or several) account with the same SSN.

        2) Turbotax lacks proper authentication controls. Even now, their additional challenges hardly constitutes proper MFA. Their account recovery is still a mess.

        When an intuit customer has their account taken over because of Intuit’s authentication or account recovery security weaknesses, it IS intuit being compromised. When that Intuit compromise leads to a customer’s SSN, that of their spouse, or children, Intuit should be liable for that breach.

        If you continue to say it’s the user’s fault that intuit’s authentication is weaker than Gmail, you will continue to expose yourself as an ignorant hack, or on the take of Intuit… but either way your comments are laughably wrong.

        1. CooloutAC

          1) So does the IRS. Which means, if TT didn’t even exist, the same victims would still be victims, regardless.

          2) When a keylogger on your machine, or an MITM attack, steals your passwords and hijacks your account, you can’t blame Intuit. And it’s already TOO LATE. Furthermore, the issue doesn’t seem to be stolen accounts. It seems to be NEW accounts opened up with the same socials.

          What you should really blame is the IRS sending a refund check to any random address.

  4. Bruce

    Brian: Can you comment on possible issues with the Canadian edition of TurboTax?

    1. Answers

      The Canadian tax fraud problem is less for a couple of reasons: 1) Canada does not allow for the Refund Transfer (RT) process. 2) It’s a two-stage attack, as the fraudster would have to get certain information from the CRA.

      It is still possible, but at a much higher cost to the attacker. If I were a Canadian tax refund fraudster, I’d rather target the US system. Much easier (thanks TurboTax!).

    2. Pat Suwalski

      Shouldn’t be a problem, since all of the tax submissions are made to the CRA directly via their servers. The tax software just generates the .tax file for you.

    3. timeless

      It’s a bad return on investment. The CAD is losing too much against the dollar for thieves to focus on it.

      Also, there are fewer provinces, so fewer sets of foolish filing procedures to take advantage of.

      Old threats:
      http://www.cra-arc.gc.ca/nwsrm/lrts/2013/l131210-eng.html

      But seriously, I’m sure there are potential flaws there. The CRA was vulnerable to Heartbleed (and someone actively attacked them using it, and was caught and prosecuted).

      http://www.cra-arc.gc.ca/ntcs/ntrnt_scrty-eng.html
      Doesn’t fill me with confidence — I suspect that one could perform an account takeover at the CRA based on the reset questions. I wonder if the CRA does account information change notifications. (I don’t have an account and am not in a hurry to create one.)

      If you have an account and are willing to change some information and find out if they notify you about it, that’d be great — please share with us.

  5. Bob

    They’re one of my customers. Intuit was already in the process of requiring mobile phone numbers before 2015 tax season. Mainly for ease and security for account recovery. Previously it was buried in billing information and was optional. So perhaps late, but is in the TTOL product now and linked to the customer’s record in Salesforce.

  6. CooloutAC

    I wonder how many of these victims social security numbers were being sold in bulk in the dark web.

    I still remember BK’s article about Experian selling info on Americans to some hacker in the range of 200 million people… I wonder what is the most likely place cyber thieves steal people’s socials. Because it doesn’t look like they were obtained from Intuit servers.

  7. Bill Hendricks

    Another great article, Brian, thanks.

    I worked at TurboTax for 6 years before starting my own tax software company 1.5 years ago. Unfortunately, even startups like mine are subject to SIRF (stolen identity refund fraud). I’ve reported the specifics to the IRS numerous times and they basically shrug their shoulders and say there is nothing they can do. It’s infuriating.

    I have a potentially crazy idea to deter fraudsters from using our site to commit this type of fraud that I’d love feedback from this community on… Some crooks are dumb enough to submit their bank account routing number and account number to have the stolen refund direct deposited into their bank account. For those cases where we are 100% sure fraud has been committed, I am considering posting the crook’s bank account info with a Robin Hood style call to action – “White hat hackers, steal from the thieves!”

    Rest assured that the bank account info is encrypted and stored securely in our database, but we can decrypt it. And we’d only do this for cases we are 100% sure are fraud – it’s really obvious, I can elaborate on the algorithm and processes we used to detect it.

    Terrible idea or genius idea? If you knew my company was doing this, would it make you less likely to use our service? I’m trying to deter the crooks, not make honest people worried about the security of their information and scare them away from using us. I am running a business at the end of the day.

    1. William

      Terrible idea, because you don’t own the account information; the bank owns the account. The bank is the final decider of who has lawful access to that account, not you.

      1. Bill Hendricks

        Thanks for the feedback, William. That seems to be the consensus (terrible idea). I am just frustrated and was brainstorming extreme solutions.

        I’ll continue to work with IRS, reporting suspicious returns.

        1. Greg Scott

          Bill, great intent, but yeah, bad idea. If you know the crooks’ bank account info, why not go to the affected bank? But the other scary part of your proposal is, if I’m a good guy and you can decrypt my bank info, by definition, you’re storing my encryption key. What’s to stop a bad guy from going after my bank info?

          – Greg Scott

  8. William

    The account holder owns the money in the account; the bank is the owner of the account and has the power to close the account.

    I need to read up on my banking terminology.

  9. Bill

    Months ago Intuit suddenly and unexpectedly changed the password on mint.com to link my account with an old account I had on TurboTax. I love the MINT.COM service and I’m afraid I’m going to have to stop using it because I no longer trust Intuit. At the time I thought it strange; in light of this fraud it is alarming.

    1. CooloutAC

      So in Sweden they don’t accept your return filed from any random address or account, and they don’t send your refund check or debit to any random address or account? lol

      That’s all the IRS really has to stop doing. If people complain about it, too bad, it’s for their own good.

  10. Sharon Sergeant

    Trending contemporaneous Tax ID Theft reports for the last 14 months can be found on my twitter feed at
    https://twitter.com/ancestralmanor

    Please, note:

    Online police blotter reports have increased this tax season compared to last.

    Tax ID Theft reports by people who attempted to file right away in the early tax season dramatically increased.

    State tax targets came to the forefront this year when 19 states AND TurboTax had to temporarily shut down state return processing, add security/authentication and delay refund processing.

    The jury is still out on the question of how TurboTax 2013 accounts were compromised.

    State and Federal tax refunds that were flagged as questionable caused the issuance of paper checks rather than requested electronic deposits AND resulted in substantial reports from people who had not filed returns yet.

    Indictment, prosecution and conviction reports are most frequently for schemes that span 2-10 years ago.

    Such prosecutions do include some cases where dead people were used as targets – even after the December 2012 through May 2013 assertions that the IRS was using the DMF as a fraud filter.

    The latest statistic and audit details by TIGTA are for the 2013 filing season, ie 2 years old.

    The escalation of IRS impersonator scams began last season and continues.

    The FTC now combines multiple agency reports to provide its annual statistics. Tax ID Theft hotbeds have expanded.

    The Tampa, Florida police coalition that sounded the alarm three years ago has actually changed the way law enforcement agencies work together, nationwide – and dramatically reduced the Tampa area fraud.

    Financial institution detection has increased for red flag notices.

    Sharon Sergeant
