Tax Refund Fraud


17
Aug 15

IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam

The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness.

Screenshot 2015-03-29 14.22.55In March 2015, I warned readers to Sign Up at IRS.gov Before Crooks Do It For You — which tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Two months later, IRS Commissioner John Koskinen publicly acknowledged that crooks had used this feature to pull sensitive data on at least 110,000 taxpayers. Today, the Associated Press and other news outlets reported that the IRS is now revising those figures, estimating that an additional 220,000 potential victims had Social Security numbers and information from previous years’ tax filings stolen via the IRS Web site.

“In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns,” the AP story notes. “They were successful in getting information from about 334,000 taxpayers.”

A BROKEN PROCESS

The IRS’s experience should tell consumers something about the effectiveness of the technology that the IRS, banks and countless other organizations use to screen requests for sensitive information.

As I reported in March, taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried.

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

THE IRS IS STILL VULNERABLE

The IRS has responded to the problem of tax ID theft partly by offering Identity Protection PINs (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, according to Kasper — the tax ID theft victim whose story first prompted my reporting on the Get Transcript abuse problem back in March — the IRS.gov Web site allows consumers who have lost their IP PINs to recover them, and incredibly that feature is still using the same authentication method relied upon by  the IRS’s flawed Get Transcript function.

Continue reading →


9
Jun 15

Firms Could Be Forced to Disgorge Profits from Tax Refund Fraud

Last week, KrebsOnSecurity ran an interview with Julie Magee, Alabama’s chief tax administrator, to examine what the states are doing in tandem with the IRS and others to make it harder for ID thieves to commit tax refund fraud — a $6 billion a year problem. Today we’ll hear from John Valentine, chair of Utah’s State Tax Commission, about the challenges his state faced this year, as well as the prospect that tax preparation firms could be forced return to the U.S. Treasury any profits they make from processing fraudulent tax refunds.

The Growing Tax Fraud MenaceValentine was a tax attorney before being appointed the chair of Utah’s tax commission, so he’s familiar with the challenges facing both the tax preparation industry as well as the tax agencies.

“I came out of the private sector and spent nearly 40 years suing the state tax commission and the IRS,” Valentine said. “Now I am that.”

Utah is actively engaged in an IRS task force made up of state, federal and industry tax experts trying to quash refund fraud. Like Alabama’s deputy tax commissioner Joe Garrett — who had a $7,700 fraudulent refund filed in his name — several of Utah’s senior tax administration officials also were victimized by ID thieves this year.

“We’ve had some of our senior people who had tax returns filed on their behalf,” Valentine said. “Of course, they had not filed them yet and we knew that they were more than a little suspicious.”

Among the steps the task force is considering is whether to mail all taxpayers an Identity Protection Personal Identification Number (IP PIN) that is tied to each taxpayer and must be included in each tax return. The IRS issues the IP PINs to taxpayers who have suffered tax return fraud. Additionally, consumers willing to swear they have been victims of identity theft can apply for a filing PIN, however the IRS is picky about granting those requests.

Even if the IRS were to switch to issuing IP PINs to all taxpayers, the agency would still run up against the thorny problem of how to verify consumers’ identity (no doubt, that challenge would be exacerbated by millions of taxpayers phoning the IRS after losing or misplacing their assigned PINs). A major focus of the working groups attention is finding better ways to authenticate people beyond merely requesting static identifiers (Social Security numbers, dates of birth) and other data that is frequently exposed in data breaches and is readily for sale on underground markets.

“They’re going to have to switch to a 2-factor authentication system, where they really strengthen the front-end of that authentication,” Valentine said of the tax preparation firms like TurboTax, which briefly shut down all state tax filing this year after a massive spike in phony refund requests put through its systems via hijacked and fraudulently created TurboTax accounts.

Valentine also made the decision to halt all Utah tax refunds around that same time.

“When we installed our [anti-fraud] analytics program, we thought we were getting a lot of false positives, so we did a bunch of back checking,” he said “While we were doing that, I made a decision to stop all refunds. For a period of two weeks Utah gave no refunds while we worked through the analytics to make sure we’d identified the nature and extent of the fraud. It turned out to be much more extensive than we’ve ever seen.”

In fact, ten times as much as any year prior, according to Valentine.

“We’ve always seen fraud where a tax practitioner will file a whole bunch of fraudulent returns, or we’ll see ID theft targeting a large employer. But this fraud wave was a little tougher, because it went across spectrum of employers, across the entire demographic of taxpayers, high low and middle income. Also, the fraud wasn’t regionalized — it was across the whole state — and [the fraudsters] didn’t seem to be selective as to who they hit. They got people of notoriety and people nobody knew. In the end, it appeared that the common factor among all of them was how you filed in 2013,” because the phony 2014 returns all included nearly identical information as the victim’s 2013 returns.

“What we saw in Utah was a population of the same information in the 2013 return into the 2014 return, with the exception of bank routing and bank account number,” Valentine said. “That’s a different fraud that we’d just never seen before.”

TurboTax’s lax security around authentication for new and existing accounts played a well-documented role in the type of fraud described by Valentine this year. But ID thieves also got help directly from the IRS this year. Late last month, the agency suspended the “get transcript” function that previously allowed taxpayers to order a copy of their previous year’s W2 information, among other data; turns out, crooks had used the service to pull tax data on more than 100,000 citizens, stealing tens of millions from the U.S. Treasury in the process. Continue reading →


2
Jun 15

States Seek Better Mousetrap to Stop Tax Refund Fraud

With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.

Cash Cow: Check out this primer on which companies are profiting from tax refund fraud.

Cash Cow: Click on the image above for a primer on how many companies are profiting from tax refund fraud.

Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.

I spoke at length with several state tax commissioners about the size and scope of the tax refund fraud problem, and what the IRS and the states are doing to move beyond reliance on static identifiers to authenticate taxpayers. One of the state experts I spoke with was Julie Magee, commissioner of Alabama’s Department of Revenue.

Magee described her work on a new task force organized by the IRS aimed at finding solutions for reducing the tax refund fraud problem across the board. Magee is one of several folks working on a fraud and authentication working group within the IRS’s task force, which is trying to come to a consensus about ways to do a better job authenticating taxpayers and to improve security around online tax preparation services such as TurboTax.

Earlier this year, TurboTax briefly suspended the online filing of state tax returns after dozens of state revenue departments complained about a massive spike in fraudulent refund requests — many of which were tied back to hijacked or fraudulently-created TurboTax accounts.

One of those victimized in that scourge was Joe W. Garrett, — Magee’s deputy commissioner — who had a $7,700 fraudulent return filed in his name after thieves created a duplicate TurboTax account with his personal information.

Magee said her working group — one of three on the IRS’s task force — is populated by stakeholders with competing agendas.

“You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.” (For a look at which companies stand to profit from fraudulent refunds, see this sidebar).

In February, KrebsOnSecurity published exclusive interviews with two former TurboTax security professionals who accused TurboTax of making millions of dollars knowingly processing state and federal tax refunds filed by identity thieves. Magee said Intuit — the company that owns TurboTax — came to the first two working group meetings with a plan to provide states with an anti-fraud screening mechanism similar to Apple Pay‘s “green/yellow/red path” program, which seeks to offer participating banks some idea of the relative likelihood that a given new customer is in fact a fraudster signing up in the name of an ID theft victim.

“The first two meetings, Intuit acted like they were leading the charge on this, and they were really amenable to everything,” Magee said. “They had come up with an idea that was very much like the red- yellow-green kind of thing, and they were asking us what data elements they should be looking at and sharing.” greenyellowred

According to the Alabama tax commissioner, that’s when the American Coalition for Taxpayer Rights (ACTR), a trade group representing the tax preparation firms, stepped in. “The lobbyist group put the kibosh on that idea. They basically said it’s not their right to be the police – that it should be the IRS or the states — but that they would be more than willing to send us the indicators and that we could use our own system to do the scoring,” Magee said. “The states aren’t hung up on getting some red, yellow, green type system. I think we’re more interested in making sure data elements we can use to make a score are passed on to us.”

Magee said ACTR also protested that tax prep firms like Intuit couldn’t legally share certain information about their customers with the states and the IRS. Representatives with ACTR did not respond to requests for comment. Intuit declined to be interviewed for this story.

“They threw up a red flag and basically said, ‘We can’t you pass that information because it’s protected by IRS code sections regarding taxpayer confidentiality issues,'” Magee recalled. “Thankfully, the IRS brought in their attorneys and the commissioner a few weeks ago and they said, ‘That’s bunk, you can most certainly send that information to us and to the states. So we won that battle.” Continue reading →


2
Jun 15

Phony Tax Refunds: A Cash Cow for Everyone

When identity thieves filed a phony $7,700 tax refund request in the name of Joe Garrett, Alabama’s deputy tax commissioner, they didn’t get all of the money they requested. A portion of the cash went to more than a half dozen U.S. companies that each grab a slice of the fraudulent refund, including banks, payment processing firms, tax preparation companies and e-commerce giants.

treas7700

When tax scammers file a fraudulent refund request, they usually take advantage of a process called a refund transfer. That allows the third party firm that helped prepare and process the return for filing (e.g. TurboTax) to get paid for their services by deducting the amount of their fee from the refund. Effectively, this lets identity thieves avoid paying a dime to TurboTax or other providers for processing the return.

In Garrett’s case, as with no doubt countless other fraudulent returns filed this year, the thieves requested that the return be deposited into a prepaid debit card account, which they could then use as a regular debit card to pay for goods and services, and/or use at ATMs to withdraw the ill-gotten gains in cash.

What’s more, the crooks asked the government to deposit $2,000 of the $7,700 they applied for in his name to an Amazon gift card ($2,000 is the maximum allowed under the Amazon gift card program). This is just another way for thieves to hedge their bets in case the debit card to which the majority of the stolen funds gets canceled.

“There are so many people making money off of electronic transfer of funds, it’s ridiculous,” said Julie Magee, Garrett’s boss and commissioner of Alabama’s Department of Revenue. “Five different financial institutions touched the fraudulent refund they filed in Joe’s name before it went to the thieves.” Continue reading →


26
May 15

IRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature

In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to obtain taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.

Screenshot 2015-03-29 14.22.55That March story — Sign Up at IRS.gov Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said they targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the IRS said in a statement. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.” Continue reading →


30
Mar 15

Sign Up at irs.gov Before Crooks Do It For You

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Screenshot 2015-03-29 14.22.55Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper sad. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes. Continue reading →


25
Mar 15

Tax Fraud Advice, Straight from the Scammers

Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post.

File 'em Before the Bad Guys Can

File ’em Before the Bad Guys Can

As several stories these past few months have noted, those involved in tax refund fraud shifted more of their activities away from the Internal Revenue Service and toward state tax filings. This shift is broadly reflected in discussions on several fraud forums from 2014, in which members lament the apparent introduction of new fraud “filters” by the IRS that reportedly made perpetrating this crime at the federal level more challenging for some scammers.

One outspoken and unrepentant tax fraudster — a ne’er-do-well using the screen name “Peleus” — reported that he had far more luck filing phony returns at the state level last year. Peleus posted the following experience to a popular fraud forum in February 2014:

“Just wanted to share a bit of my results to see if everyone is doing so bad or it just me…Federal this year has been a pain in the ass. I have about 35 applications made for federal with only 2 paid refunds…I started early in January (15-20) on TT [TurboTax] and HR [H&R Block] and made about 35 applications on Federal and State..My stats are as follows:

Federal: 35 applications (less than 10% approval rate) – average per return $2500

State: 35 apps – 15 approved (average per return $1600). State works just as great as last year, their approval rate is nearly 50% and processing time no more than 10 – 12 days.

I know that the IRS has new check filters this year but federals suck big time this year, i only got 2 refunds approved from 35 applications …all my federals are between $2300 – $2600 which is the average refund amount in the US so i wouldn’t raise any flags…I also put a small yearly salary like 25-30k….All this precautions and my results still suck big time compared to last year when i had like 30%- 35% approval rate …what the fuck changed this year? Do they check the EIN from last year’s return so you need his real employer information?”

A seasoned tax return fraudster discusses strategy.

A seasoned tax return fraudster discusses strategy.

Several seasoned members of this fraud forum responded that the IRS had indeed become more strict in validating whether the W2 information supplied by the filer had the proper Employer Identification Number (EIN), a unique tax ID number assigned to each company. The fraudsters then proceeded to discuss various ways to mine social networking sites like LinkedIn for victims’ employer information.

GET YER EINs HERE

A sidebar is probably in order here. EINs are not exactly state secrets. Public companies publish their EINs on the first page of their annual 10-K filings with the Securities and Exchange Commission. Still, EINs for millions of small companies here in the United States are not so easy to find, and many small business owners probably treat this information as confidential.

Nevertheless, a number of organizations specialize in selling access to EINs. One of the biggest is Dun & Bradstreet, which, as I detailed in a 2013 exposé, Data Broker Giants Hacked by ID Theft Service, was compromised for six months by a service selling Social Security numbers and other data to identity thieves like Peleus.

Last year, I heard from a source close to the investigation into the Dun & Bradstreet breach who said the thieves responsible made off with more than six million EINs. In December 2014, I asked Dun &Bradstreet about the veracity of this claim, and received a blanket statement that did not address the six million figure, but stressed that EINs are not personally identifiable information and are available to the public. Continue reading →


19
Mar 15

Convicted Tax Fraudster & Fugitive Caught

Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday.

Lance Ealy, in self-portrait he uploaded to twitter before absconding.

Lance Ealy, in self-portrait he uploaded to twitter before absconding.

Ealy, 28, of Dayton, Ohio, was the subject of no fewer than three previous posts on this blog. Ealy reached out to me in February 2014, after being arrested by the U.S. Secret Service for using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by a guy named Hieu Minh Ngo.

Ngo is a Vietnamese national who, for several years, ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty last year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy was one of several individuals found guilty of identity theft charges after buying from Ngo’s service, which relied in part on data obtained through a company owned by big-three credit bureau Experian.

After being indicted on 46 counts of fraudulent activity, Ealy fired his attorney and chose to represent himself in court. In mid-November 2014 — just days before the jury in his trial was to issue its guilty verdict — Ealy slipped his ankle monitor and skipped town, but not before posting a taunting selfie to his Twitter account.

In the four months since his disappearance, investigators caught glimpses of Ealy jumping online as he made his way south to Atlanta. Incredibly, Ealy took time to file several lengthy pro se legal arguments (PDF) stating why the judge in the case was not impartial and that he deserved a retrial. When federal officials prosecuting his case responded (PDF) incredulously to his request, Ealy took it upon himself to file a response (PDF) to their motion for dismissal — all while on the lam.

Investigators close to the case say Ealy continued filing false tax refund requests while on the run from the law. But instead of turning to an underground identity theft service as he did previously, investigators say Ealy appears to have paid numerous inmates serving time in Ohio prisons for permission to file tax refund requests on their behalf with the Internal Revenue Service (IRS) — topping up the inmates’ commissary funds to the tune of $100 per filing while pocketing the rest of the fraudulent refunds.

According to whio.com, Ealy remains in the Northern District of Georgia until he can be extradited.


5
Mar 15

Intuit Failed at ‘Know Your Customer’ Basics

Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.

dyot copy2

As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven’t seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.

Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.

NO EMAIL VALIDATION

Intuit fails to take basic steps to validate key account information, such as email addresses and mobile numbers, and these failures have limited the company’s ability to enact stricter account security measures. In fact, TurboTax still does not require new users to verify their email address, a basic security precaution that even random Internet forums which don’t collect nearly as much sensitive data require of all new users.

Last month, KrebsOnSecurity featured an in-depth story that stemmed from information provided by two former Intuit security employees who accused the company of making millions of dollars knowingly processing tax refund requests filed by cybercriminals. Those individuals shared a great deal about Intuit’s internal discussions on how best to handle a spike in account takeovers and fraudsters using stolen personal information to file tax refund requests on unwitting consumers.

Both whistleblowers said the lack of email verification routinely led to bizarre scenarios in which customers would complain of seeing other peoples’ tax data in their accounts. These were customers who’d forgotten their passwords and entered their email address at the site to receive a password reset link, only to find their email address tied to multiple identities that belonged to other victims of stolen identity refund fraud.

In mid-February, Intuit announced that it would begin the process of prompting all users to validate their accounts, either by validating their email address, answering a set of knowledge-based authentication questions, or entering a code sent to their mobile phone.

In an interview today, Intuit’s leadership sidestepped questions about why the company still does not validate email addresses. But TurboTax Chief Information Security Officer Indu Kodukula did say TurboTax will no longer display multiple profiles tied to a single email address when users attempt to reset their passwords by supplying an email address.

“We had an option where when you entered an email address, we’d show you a list of user IDs that were associated with that address,” Kodukula said. “We’ve removed that option, so now if you try to do password recovery, you have to go back to the email associated with you.” Continue reading →


22
Feb 15

TurboTax’s Anti-Fraud Efforts Under Scrutiny

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax — allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

SQUEEZING THE BALLOON

Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”

NO RULES OF THE ROAD

For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns  — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Inuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO Brad Smith sent a letter to the commissioner of the IRS,  noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Smith wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”

ZERO FALSE POSITIVES

Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General
Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

Continue reading →