Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.
As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven’t seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.
Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.
NO EMAIL VALIDATION
Intuit fails to take basic steps to validate key account information, such as email addresses and mobile numbers, and these failures have limited the company’s ability to enact stricter account security measures. In fact, TurboTax still does not require new users to verify their email address, a basic security precaution that even random Internet forums which don’t collect nearly as much sensitive data require of all new users.
Last month, KrebsOnSecurity featured an in-depth story that stemmed from information provided by two former Intuit security employees who accused the company of making millions of dollars knowingly processing tax refund requests filed by cybercriminals. Those individuals shared a great deal about Intuit’s internal discussions on how best to handle a spike in account takeovers and fraudsters using stolen personal information to file tax refund requests on unwitting consumers.
Both whistleblowers said the lack of email verification routinely led to bizarre scenarios in which customers would complain of seeing other peoples’ tax data in their accounts. These were customers who’d forgotten their passwords and entered their email address at the site to receive a password reset link, only to find their email address tied to multiple identities that belonged to other victims of stolen identity refund fraud.
In mid-February, Intuit announced that it would begin the process of prompting all users to validate their accounts, either by validating their email address, answering a set of knowledge-based authentication questions, or entering a code sent to their mobile phone.
In an interview today, Intuit’s leadership sidestepped questions about why the company still does not validate email addresses. But TurboTax Chief Information Security Officer Indu Kodukula did say TurboTax will no longer display multiple profiles tied to a single email address when users attempt to reset their passwords by supplying an email address.
“We had an option where when you entered an email address, we’d show you a list of user IDs that were associated with that address,” Kodukula said. “We’ve removed that option, so now if you try to do password recovery, you have to go back to the email associated with you.”
NO PHONE VALIDATION
As previously stated, TurboTax doesn’t require users to enter a valid mobile phone number, so multi-factor authentication will not be available for many new and existing customers. More importantly, in failing to require customers to supply mobile numbers, Intuit is passing up a major tool to combat fraud and account takeovers.
Verifying customers by sending a one-time code to their mobile that they then have to enter into the Web site before their account is created can dramatically drive up the costs for fraudsters. I’ve written several stories on academic research that looked at the market for bulk-created online accounts sought after by spammers, such as free Webmail and Twitter accounts. That research showed that bulk-created accounts at services which required phone verification were far more expensive than accounts at providers that lacked this requirement.
True, fraudsters can outsource this account validation process to freelancers, but there is no denying that it increases the cost of creating new accounts because scammers must have a unique mobile number for every account they create. TurboTax should require all users to supply a working mobile phone number.
NO NOTICE OF ACCOUNT CHANGES
Until very recently, if hackers broke into your TurboTax account and made important changes, you might never know about it until you went to file your return and received a notification that someone had already filed them for you. This allowed fraudsters who had hijacked an account to wait until the legitimate user had filled out their personal data, and then change the bank account to which the refund would be credited.
On Feb. 26, 2015, Intuit said it would begin notifying customers via email if any user profile data is altered, including the account password, email address, security question, login name, phone number, name or address.
NO ‘KNOW YOUR CUSTOMER’ VALIDATION
According to the interviews with Intuit’s former security employees, much of the tax refund fraud being perpetrated through TurboTax stems from a basic weakness: The company does not require new customers to do anything to prove their identity before signing up for a TurboTax account. During the account sign-up, you’re whoever you want to be. There is no identity proofing, such as a requirement to answer so-called “out-of-wallet” or “knowledge-based authentication” questions.
Out-of-wallet questions are hardly an insurmountable hurdle for fraudsters. Indeed, some of the major providers of these challenges have been targeted by underground identity theft services. But these questions do complicate things for fraudsters. Intuit should take a cue from credit score and credit file montitoring service creditkarma.com, which asks a series of these questions before allowing users to create an account. And, unlike turbotax.com — which will happily let multiple users create accounts with the same Social Security number and other information — creditkarma.com blocks this activity.
Kodukula said Intuit is considering requiring out of wallet questions at account signup. This is good news, because as I noted in last month’s story, Intuit’s anti-fraud efforts have been tempered by a focus on zero tolerance for “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious. Given that focus, Intuit should do everything it can to prevent fraudsters from signing up with its service in the first place.
LAX ACCOUNT RECOVERY TOOLS
In an interview with KrebsOnSecurity last month, Kodukula said a recent spike in tax refund fraud at the state level was due in part to an increase in account takeovers. Kodukula said a big part of that increase stemmed the tendency for people to re-use passwords across multiple sites. “This technique works because a fair percentage of users re-use passwords at multiple sites,” I wrote in that article. “When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.”
But according to the whistleblowers, Intuit has historically made it quite easy for fraudsters to hijack accounts by abusing TurboTax’s procedures for helping customers recover access to accounts when they forgot their account password and the email address used to register the account. Users who forget both of these things are prompted to supply their name, address, date of birth, Social Security number and ZIP code, information that is not terribly difficult to obtain cheaply from multiple ID theft services in the cybercrime underground.
In fact, the whistleblowers related a story about how they sought to raise awareness of the problem internally at Intuit by using TurboTax’s account recovery tools to hijack the TurboTax account of the company’s CEO Brad Smith.
Kokudula said that pursuant to changes made in the last two weeks, users who try to recover their passwords will now need to successfully answer a series of out-of-wallet questions to to complete that process.
UNLINKED STATE RETURNS
As I wrote last month, a big reason why the spike in tax refund fraud disproportionately affected TurboTax is that until very recently, TurboTax was the only major do-it-yourself online tax prep company that allowed so-called “unlinked” state tax filings.
States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.
Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Intuit’s Kodukula explained. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax. According to The Wall Street Journal, neither TaxAct nor H&R Block allowed users to file unlinked returns.