And even more woes for Intuit and Turbotax

I posted this in the thread about Turbotax security.

It turns out that the reason there was a mushroom of state fraudulent eFiles with Turbotax is because that is the only software that will let you file so-called unlinked tax returns (unlinked to a Fed filing). An overwhelming number of new fraudulent state eFiles was using unlinked returns.

I think TT has disallowed that feature now.
 
Really haven't been surprised at how this fraud has mushroomed. You have many part-time people working at tax prep companies. They do not need to have mad skills - the tax prep company's software walks them through everything. So you have someone who is morally challenged working there, gathering data along the way. Next year, you have a ton of valid SSNs, names and addresses already in hand, you know which ones will need to receive W-2s before filing and then you gather some buddies, and go to town submitting fake tax forms as soon as filing season opens. You'd have a pretty good shot at getting the fake return processed before the legit taxpayer would receive their W-2s and can file.

I'd love to know what the correlation is between people who have been victimized by this, and how many of them used chain-store or VITA tax preparers previously.
 
Besides the rush to send out money, which the IRS should not do since it allows fraud.

The IRS has also mailed hundreds of checks to the same address, I mean really how about a limit of say 5 checks per address should cover nearly all cases.

And how about some consistency checking on returns, if my employer and refund method changes and my investment reporting drastically changes or I sprout new children suddenly and am over 40 perhaps the IRS should put my return into the slow lane and question the authenticity.

They have all this information, it's just a matter of writing some software to solve it.
 
Really? Or perhaps in many developed countries they've already figured people's taxes from wages more closely and refunds are rare?

But I suspect it's more that other countries require banks to offer no minimum checking to all citizens.

That could be an interesting discussion.

In the UK the default position for under or over payment of taxes is to adjust the withholding for the following year. Large differences are unusual because the tax code is very simple for the vast majority of tax payers.
 
There are a lot of tax payers who don't have bank accounts. They have to be accommodated somehow.

So how do these same taxpayers get paid? In order to get a refund, they must have had income of some sort. How is that income getting to them?
 
So how do these same taxpayers get paid? In order to get a refund, they must have had income of some sort. How is that income getting to them?

Our local grocery store in Baton Rouge used to have signs up saying that folks could cash their work checks at customer service, so that is one way.
 
So how do these same taxpayers get paid? In order to get a refund, they must have had income of some sort. How is that income getting to them?
These days they get paid by pre-paid debit cards. That has become common. It used to be cash.

Ironically the very same vehicle being abused for tax refunds.
 
Our local grocery store in Baton Rouge used to have signs up saying that folks could cash their work checks at customer service, so that is one way.
That too. It's also an option for a tax refund check. But if people are trying to prevent fraud by disallowing mailed out checks, then yet another avenue closed. It's tricky.

Normally IDs are checked when cashing a check, so that is better than the refunds on debit cards.

But frankly, I'd be worried about someone stealing my check out of the mail.
 
How about using the USPS. Anyone without a checking account goes to local USPS with proof of ID to pick up the check.

Another thing that seems simple is to stop using SS#s. The IRS already has ITINs (Individual Taxpayer Identification Number), but only uses them for those that don't have a SS#.

General ITIN Information
 
Meanwhile back at the ranch, we can be penalized for shorting our tax payments, so we can pay a little instead of getting a refund. That's the way I do it safe harbor no more.
 
One option would be to require some data from the previous tax return as an element of an identifier. Change the element requested randomly. That wouldn't help first time filers but there must be some piece of data the IRS has that wouldn't be easily knowable by scammers.
 
How about using the USPS. Anyone without a checking account goes to local USPS with proof of ID to pick up the check.

Another thing that seems simple is to stop using SS#s. The IRS already has ITINs (Individual Taxpayer Identification Number), but only uses them for those that don't have a SS#.

General ITIN Information

How about requiring activation before the debit card can be used? The activation code is sent via text messaging or email. Obviously, some people have no access to cell phone or internet.
 
One option would be to require some data from the previous tax return as an element of an identifier. Change the element requested randomly. That wouldn't help first time filers but there must be some piece of data the IRS has that wouldn't be easily knowable by scammers.

I seem to remember that TurboTax does this for Federal e-file. I had to enter the previous year's AGI at some point in the process.
 
I seem to remember that TurboTax does this for Federal e-file. I had to enter the previous year's AGI at some point in the process.

I just e-filed with HRB and had to provide last year's AGI. And, IRS says that AGI / PIN validation is required for all e-filers:

Get Your Electronic Filing PIN

I don't get how this fraud is occurring...guess I don't have a well developed criminal mind...
 
It seems in some cases fraudsters have gotten hold of 2013 returns. I don't know how they do this other than getting into a user's account. But users' accounts have been compromised by phishing, according to Krebs on Security.

I don't think Turbotax has any of my return data since I never used their on-line software. But I don't know that for sure. I don't know if they grab anything during the eFile. They shouldn't - that should go directly to eFile.com, but you never know!!!

I think you need either the 2013 AGI or the PIN. There is a work around if you don't have that info, but I think it involves a call to the IRS. That's not clear:
Don't have a copy of Last Year's Return? No problem. Click here to obtain an Electronic Filing PIN from the IRS or you may call 866-704-7388. Note: If you are filing a joint return, you will need to obtain a separate PIN for both the taxpayer and the spouse.

The IRS has already closed quite a few identity theft holes from last year, which is why the fraudsters have moved onto state returns.
 
It seems in some cases fraudsters have gotten hold of 2013 returns. I don't know how they do this other than getting into a user's account. But users' accounts have been compromised by phishing, according to Krebs on Security.
Haven't seen anything about that in the news. Do you mind sharing a link?
 
Intuit (INTU) was up close to 7% for last week, after CEO earnings call...

One transcript can be found at seekingalpha.com. Here's an interesting exchange. In the opening remarks the CEO addressed the fraud and product problems. There were a few followup questions and answers, including the one below. The transcript has some obvious spelling and grammar errors, but you can correct as needed.

Gil Luria - Wedbush Securities
Got it. And then on the – in the fraud situations did you find that those customers that were affected by fraud that somebody else filed under their information that the attrition there was higher than the rest of population was that a significant factor?

Brad Smith - President and Chief Executive Officer
It wasn’t and I tell you why first of all I want to make sure that I will clear in the opening comments that the headline here is our customers know they can trust Intuit. There is nothing we take more sacred in the privacy and security of their data and two things are fact today one is we’re up and running and processing returns in the federal and all the states and the second is there is no breach of Intuit systems. And that is not only the result of our own analysis but outside third-parties have coming in and run all their diagnostics with us.

And we’ve reached that conclusion I think with the customers the thing that they appreciate if they’ve actually been the victim of having their ID stolen from one of these other high-profile sources that we’re all reading about in the newspaper. And in fact last week in Stanford University I tend to the Cybersecurity Summit with President Obama and others.

Over 100 million identities have been stolen in the last 12 months that’s people walking around with somebody else’s Social Security Number and they were attacking the U.S. tax system and trying to file these returns, and so customers understand that this is broader and what we’re doing is we’re helping them navigate the process we’re getting them access the agents who can help them get their filing done for them. And so it’s not causing an attrition issue because they recognize this is in a particular product issue this is a systemwide problem and they were appreciating the help. So we have not seeing an increase in attrition due to that particular issue
It sounds to me as if the CEO has successfully deflected any criticism, and the security problems are "systemwide."

Elsewhere in the transcript the CEO addressed the product problems, and said less than 3% of users were affected. As to why they (TT) did this, the CEO explained:
Our goal was simplification. So customers were clear, which product was right for their particular tax needs. For over 20 million online customers last year, the implementation went smoothly. So this year, we thought to complete the alignment by making similar changes to our desktop offerings. Our goal was to streamline product development and bring any new innovation from our online product back to our desktop customers as well. And for those who might eventually choose to migrate to the cloud, they would enjoy a consistent and familiar product experience. Good intensions but misinformed.

Can't say for sure whether or not I'll continue to use the home and business edition, but I'll definitely run my results through the competition (TaxAct and HRBlock) to test the experience before next tax season.
 
Some of the states reported that some of the info needed to file the false returns looked to be lifted from 2013 returns. Not a lot of info but seems they have more than just a SS#

FBI is investigating fraudulent tax returns filed through TurboTax - The Washington Post

TurboTax Halts State E-Filing Amid Data-Breach Probe - Total Return - WSJ
Thanks for the links. Hopefully we will find out that the bad people are caught and punished, and our personal information is safe with all of the entities who have promised to do so.
:crazy:
 
I'm still waiting for the 1099-B and DIV from the ETF's in DW's Vanguard brokerage account, should be available before the end of the month. Normally I would not be concerned in the least, but now I've got the added possibility of coming to file my Federal or State return and finding out that a filing has already been made :nonono:
 
Haven't seen anything about that in the news. Do you mind sharing a link?

Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: The tendency for people to re-use passwords across multiple sites. This technique works because a fair percentage of users re-use passwords at multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.
from The Rise in State Tax Refund Fraud — Krebs on Security

Also - more on that in the link I posted below.
 
I'm still waiting for the 1099-B and DIV from the ETF's in DW's Vanguard brokerage account, should be available before the end of the month. Normally I would not be concerned in the least, but now I've got the added possibility of coming to file my Federal or State return and finding out that a filing has already been made :nonono:
We have usually waited until the end of March. But now I'm thinking that we'll go ahead, because our last 1099 was available on Feb 14. And if they revise it, we'll wait a bit to see if there are any additional revisions, and then file an amended return.

We've gone through several years with no revisions, and there haven't been any major changes to how brokerages report things since 2012, so hopefully there won't be any revisions this time.
 
More: TurboTax’s Anti-Fraud Efforts Under Scrutiny — Krebs on Security

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
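
The account and SSN limits Lee describes, together with the per-address cap suggested earlier in the thread, sketched as velocity rules over a batch of filings. This is an added example, not code from Intuit, the IRS or any poster; the record fields, rule names and the two thresholds other than the 5-per-address figure are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# ADDRESS_LIMIT is the "5 checks per address" figure suggested in the thread;
# the other two thresholds are assumed values for illustration.
ADDRESS_LIMIT = 5
MAX_RETURNS_PER_ACCOUNT = 3
MAX_ACCOUNTS_PER_SSN = 2

def normalize_address(addr):
    """Collapse case, punctuation and spacing so trivial variants match."""
    kept = "".join(c if c.isalnum() else " " for c in addr.lower())
    return " ".join(kept.split())

def velocity_flags(filings):
    """Return {filing id: [rule names]} for filings to hold for review."""
    by_account = defaultdict(set)   # account -> SSNs filed from it
    by_ssn = defaultdict(set)       # SSN -> accounts that used it
    by_address = defaultdict(set)   # refund address -> SSNs paid there
    for f in filings:
        by_account[f["account"]].add(f["ssn"])
        by_ssn[f["ssn"]].add(f["account"])
        by_address[normalize_address(f["address"])].add(f["ssn"])
    flags = {}
    for f in filings:
        hits = []
        if len(by_account[f["account"]]) > MAX_RETURNS_PER_ACCOUNT:
            hits.append("account_files_many_returns")
        if len(by_ssn[f["ssn"]]) > MAX_ACCOUNTS_PER_SSN:
            hits.append("ssn_reused_across_accounts")
        if len(by_address[normalize_address(f["address"])]) > ADDRESS_LIMIT:
            hits.append("address_receives_many_refunds")
        if hits:
            flags[f["id"]] = hits
    return flags

def sample_filings():
    """Constructed sample: no real SSNs, accounts or addresses."""
    rows = []
    for i in range(6):  # one account files for six people, one refund address
        rows.append({"id": f"r{i}", "account": "acct-A", "ssn": f"000-00-{i:04d}",
                     "address": "12 Elm St., Apt 4" if i % 2 else "12 ELM ST APT 4"})
    for i, acct in enumerate(["acct-B", "acct-C", "acct-D"]):  # one SSN, three accounts
        rows.append({"id": f"s{i}", "account": acct, "ssn": "000-00-9999",
                     "address": f"{i} Oak Ave"})
    for i, ssn in enumerate(["000-00-7001", "000-00-7002"], 1):  # ordinary joint filers
        rows.append({"id": f"ok{i}", "account": "acct-E", "ssn": ssn,
                     "address": "9 Pine Rd"})
    return rows
```

Counting distinct SSNs rather than raw filings keeps an amended return from the same person from tripping the account and address rules.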
 