…or should Turbo Tax adopt routine security practices to curb online tax refund fraud?
Two former security employees of Intuit, Turbo Tax’s parent company, say that they have consistently refused to adopt straightforward policies to curb fraudulent returns. Such policies would cost them millions, as criminals pay fees to file returns in order to receive bogus refunds from the IRS, as I understand it.
File your return early - before someone else does!
Moving forward, is it a) smart or b) ethical to do business with Intuit?
Past threads: Is Turbo Tax (Online) safe?
This year’s Schedule D price hike brouhaha:
I should say that Intuit has halted some of their worst policies, for example permitting users to file for state refunds without a link to a federal return. H&R Block and Tax Cut never permitted that. But they don’t take basic steps to verify certain account information. There has been a spike in fraudulent returns this year, which has affected TT more than its competitors, according to security reporter Brian Krebs. http://krebsonsecurity.com/
I see TurboTax as a service that helps you fill out IRS forms. If someone wants to fraudulently fill out a form, I don’t see it as TT’s job to figure that out.
TT should make reasonable efforts to ensure that their customer data is kept secure, beyond that, it’s the IRS’ problem to deal with. The IRS can require fraud detection data points from these services.
Exactly… although I’d think that if there was some kind of very accurate “fingerprint” of a fraudulent return through Turbo Tax, they might have some ethical obligation to share that info with the IRS, even if they don’t necessarily have one to block that kind of thing themselves.
After all, they’re not the cops, and there’s always that chance that someone’s submitting a legitimate return that happens to fit the fraudulent pattern.
You’re wrong, and you’re missing the point. TurboTax is also a service that electronically files the tax forms, which arguably means that they owe a duty to the public (and to the IRS as an agent of the public) to take the same (or equivalent) steps to avoid filing fraudulent returns that an in-person tax preparer would. If they deliberately avoid taking such steps in order to collect fees, they are in the same moral position as a second-hand merchant or pawnbroker who deliberately avoids knowledge that he is receiving stolen property. If I recall correctly, the mens rea for receiving stolen property is “knew or should have known,” and I see no reason why the same standard shouldn’t apply to TurboTax.
The argument is that since they file them electronically, a) they don’t just “help you fill out IRS forms.” They could write software that just allows paper filing. But they don’t. Also b) they are acting as a tax preparer, which comes with certain fiduciary duties. Morally speaking: I’m not sure about the law. c) H&R Block and Tax Cut disagree with the notion that they “just help you file tax forms.” Their security practices are tighter, though possibly not tight enough. Finally and FTR d) the big security hole opened up earlier this year by TT had to do with state taxes: the IRS had nothing to do with it.
Sort of surprised at the responses here. Intuit is refusing to verify email addresses, something which is pretty routine on the internet. Sign up with most vBulletin forums, and you are expected to reply with a confirmation email. But for some reason, Intuit doesn’t want to do that, professional advice notwithstanding. This opens up an obvious attack vector for scammers. If I were an employee in charge of security, I might consider resigning: this is the sort of lax practice that might be difficult to explain to future employers.
I’m not sure about what the law is regarding the aiding and abetting of fraudulent activity. I don’t know how negligence laws apply. Personally, I try not to knowingly buy stolen property, including DVDs produced by those who have nothing to do with the original creative process. Similarly, I would not want to deal with a pawn broker who is known to look the other way. I will probably not use Turbo Tax next year: I want nothing to do with them. After their 2001 glitch led to the release of 150,000 passwords, one might have hoped that they would have tried to have higher security standards than the competition. But I guess that’s not part of their corporate culture.
The consumer protection aspect of it I get. My information should be protected. But I don’t get how filing matters. Do I not understand what the word means? Is “filing” not just “sending the information to the IRS?” Helping you fill out the forms seems more significant than the filing part, which is no different than if the final act of using TT were printing out the filled forms and mailing them. Which is how TT used to work.
Why don’t the organizations being defrauded, the IRS and States, require this information as a condition of accepting the electronic filing?
It’s not exactly rocket surgery, if TT is processing fraudulent returns because they’re not doing X, Y and Z, then require them to do X, Y, and Z before accepting returns from them. TT will get in line pretty fucking fast if their returns are going to be rejected, or placed in the “process more slowly, because they don’t have anti-fraud info” pile.
What is being suggested is that TT should do this work for free, not based on any legal requirement, and subject their legitimate customers to fraud accusations all to ensure that someone who wants to defraud the government doesn’t use their software to prepare the return.
There may be some confusion here - or at least I personally am confused - over just what the fraudsters are doing. Are they getting the information they need to file the false returns from TurboTax? Or are they just using TurboTax to file false returns, just like someone might use it to file a legitimate return?
The difference is crucial, in whether they’re actively enabling the fraud, or just failing to be vigorous enough about people using their service to commit fraud.
It’s also relevant to the point I quoted above. Are the only people whose information is being used for the fraudulent returns those who themselves used TT to file their own return (in prior years)? Or could a non-TT customer’s information be used just as well? If the former, then I can see where it would impact TT’s business. If the latter, then it doesn’t really matter (other than to the small percentage of people who act on principle over it).
There are many attack vectors. There always are. One policy framework involves the government requiring TT to do X, Y and Z. Another says they are responsible for due diligence and vulnerable to class action suits if they don’t apply standard security practices. So are TT providing a static service or are they more akin to a physician, lawyer or accountant?
As I understand it, scammers are obtaining lists of email addys and passwords from hacked websites. Those passwords probably don’t work with the email address. Because if they did, the vic would have already been hacked. But sometimes they do work with Turbo Tax online as there are lots of people who don’t use a password manager (unlike everyone at this message board of course). Because Turbo Tax doesn’t require a confirmation email, the scammer can file a phony return before the vic even obtains his W-2. So the scammer gets the tax refund rather than the tax payer.
You can protect yourself from this specific attack vector by not doing business with Turbo Tax, as I understand it. Or using their DVD/downloaded product without electronic filing.
As for legal expectations, the IRS website states the following:

    Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers. Providers must be diligent in recognizing and preventing fraud and abuse in IRS e-file.

    …Providers appoint an individual as a Responsible Official who is responsible for ensuring the firm meets IRS e-file rules and requirements. Providers with problems involving fraud and abuse may be suspended or expelled from participation in IRS e-file, be assessed civil and preparer penalties or be subject to legal action.

It appears that Turbo Tax does have fiduciary responsibilities, although their scope is unclear. http://www.irs.gov/uac/Safeguarding-IRS-efile1
Generally speaking, some criminals are thieves. Other criminals are negligent. Both types are properly placed behind bars.
I asked my tax accountant about this. She said that it really isn’t their business. Their business is to help people do their taxes. If that means helping them commit fraud, that’s sad, but it really isn’t their duty to scan for fraud.
Your local taxi driver may be abetting people getting away from a robbery. It isn’t his job to make sure every passenger is not on the lam. Tax preparers are roughly the same.
My accountant used to work at H&R Block. She said that one year, a couple came in and filed fraudulent forms at several different H&R offices, using the same names and ID numbers. There, the fraud was so glaringly overt, H&R couldn’t possibly miss it, and so they did the right thing and turned the evidence over to IRS inspectors.
(If the Taxi driver saw that his fare carried a smoking gun, and was stained purple from a bank-teller’s dye marker, he might become similarly suspicious.)
Tax preparers are not “agents of the court.” They don’t have a law-enforcement role or obligation.
I see a big difference between a pen and pencil tax preparer and an electronic service. The first is necessarily limited by vagaries of human interaction. The latter is potentially unbounded as tax returns can be filled out by bots.
Basically efile Providers serve two different markets. They are taxpayers and criminal fraudsters. Turbo Tax has apparently actively or coincidentally pursued the criminal market: they did this by spurning the advice of their in-house security experts and maintaining a less secure standard than the competition.
Facebook, Twitter, Meetup and heck Supershuttle all demand confirmation emails. Turbo Tax takes a more flexible approach, the sort of service that the discerning fraudster demands.
As for the law, the IRS website cited above lists among their requirements the following:

    4. Protection Against Bulk Filing of Fraudulent Income Tax Returns

    This standard applies to Online Providers of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored. These Online Providers shall implement effective technologies to protect their Web site against bulk filing of fraudulent income tax returns. Taxpayer information shall not be collected, transmitted, processed or stored otherwise.

    … 6. Reporting of Security Incidents

    Online Providers of individual income tax returns shall report security incidents to the IRS as soon as possible but not later than the next business day after confirmation of the incident. For the purposes of this standard, an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information shall be considered a reportable security incident. See instructions for submitting incident reports.

    In addition, if the Online Provider’s Web site is the proximate cause of the incident, the Online Provider shall cease collecting taxpayer information via their Web site immediately upon detection of the incident and until the underlying causes of the incident are successfully resolved.
Last year I was a victim of false filing fraud. It was a major pain in the ass - but I agree the problem is with the IRS’s antiquated systems and not Turbo Tax. There is no legitimate way for Turbo Tax to verify a user’s ID.
In order to fix my problem I had to refile and fill out a form - it took the IRS about 7 months to review and determine the fraudulent claim and to provide me my refund. Afterwards, I was provided a PIN I have to use at all subsequent filings to prove I am who I say I am.
Now one wonders why the IRS doesn’t start a policy of assigning these to all taxpayers? Yes it would be expensive and time consuming - but isn’t large scale fraud more so?
The difference is in ability. You can’t detect fraud if you aren’t also processing the returns, so handing out forms can’t be the same thing.
The only way I can see the tax preparer not being liable is if they have explicitly been made not liable, like the DMCA does for ISPs and copyright. Otherwise, it only makes sense that reasonable precautions must be undertaken, just like in everything else people do.
When I first started using TT (Maybe 2005? 2008?) I know they definitely gave out a PIN. I have mine written down with my login info. I am pretty sure when I set up an account for my dad a few years ago, he had a PIN too.
But on subsequent uses, I haven’t had to enter the PIN. Either they got rid of it or they are saving it and entering it for you. I specifically noticed that we no longer need to enter it, because I was ready to do it and never got asked!
Anyway, I agree that a PIN - that is not pre-filled - would be a very easy way to keep people who have logged in by fraudulent means from filing fraudulently. Just like how an online store saves your credit card info, but you can’t check out without the CVV2 number on your card.
I wonder if people kept forgetting the PIN and it was too much hassle/manpower to securely retrieve it for them. Instead of losing money because people couldn’t file without the PIN, they just conveniently started saving it for you. Great - now you can file and Intuit can get paid! Yay!
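Two controls come up repeatedly in this thread: confirming the email address at signup (the vBulletin-style confirmation link several posters mention) and, from the post just above, a filing-time PIN that the service does not pre-fill, like a CVV2 at checkout. The block below is an added example written for this page; it is not code from the thread, from Intuit, or from any TurboTax product, and it makes no claim about how TurboTax actually works. It shows the server side of both controls against the attack described earlier (a password reused from a breached site): a stateless, expiring HMAC confirmation token, a salted PBKDF2 hash of the PIN so the PIN itself is never stored, and a filing gate that refuses unconfirmed accounts, checks the PIN on every filing, and locks after repeated failures. The per-deployment secret, the 24-hour token lifetime, the five-failure lockout, the account class and the sample account are all assumptions made for the illustration.

```python
# Added example, not from the thread or from Intuit: what "confirm the email
# address" and "require a PIN that is not pre-filled" look like server-side.
# All names, thresholds and the sample account below are assumptions.
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: one secret per deployment, never sent to clients
TOKEN_TTL_SECONDS = 24 * 3600             # assumption: confirmation links expire after a day
MAX_PIN_FAILURES = 5                      # assumption: lock the filing step after five bad PINs
PBKDF2_ROUNDS = 100_000                   # assumption: iteration count for the PIN hash


def make_confirmation_token(email: str, issued_at: int | None = None) -> str:
    """Stateless confirmation token: <issued_at>.<HMAC(email|issued_at)>.
    Nothing is stored server-side; mailing the token to the address and
    getting it back proves the mailbox belongs to whoever signed up."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    mac = hmac.new(SERVER_SECRET, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_confirmation_token(email: str, token: str, now: int | None = None) -> bool:
    """Accept only a token minted for this email, not expired, not from the
    future, with a valid MAC (constant-time comparison)."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_at_str, mac = token.split(".", 1)
        issued_at = int(issued_at_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_SECRET, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the PIN itself is never stored, so a leaked
    # account database does not hand the attacker the filing secret.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Minimal account record for the illustration (assumed shape)."""

    def __init__(self, email: str, pin: str) -> None:
        self.email = email
        self.email_confirmed = False
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.failed_pin_attempts = 0


def confirm_email(account: Account, token: str, now: int | None = None) -> bool:
    if verify_confirmation_token(account.email, token, now):
        account.email_confirmed = True
    return account.email_confirmed


def can_file(account: Account, pin_entered: str) -> tuple[bool, str]:
    """Gate the filing step, not just the login: a stuffed password gets the
    attacker a session, but not a return filed in the victim's name."""
    if not account.email_confirmed:
        return False, "email address not confirmed"
    if account.failed_pin_attempts >= MAX_PIN_FAILURES:
        return False, "filing locked after repeated PIN failures"
    if not hmac.compare_digest(hash_pin(pin_entered, account.pin_salt), account.pin_hash):
        account.failed_pin_attempts += 1
        return False, "wrong PIN"
    account.failed_pin_attempts = 0
    return True, "ok"


def demo() -> list[str]:
    """Constructed scenario: unconfirmed account, confirmed account with the
    right PIN, then an attacker guessing PINs until the gate locks."""
    results = []
    acct = Account("taxpayer@example.com", "4821")        # constructed sample account
    results.append(can_file(acct, "4821")[1])              # blocked: email not yet confirmed
    confirm_email(acct, make_confirmation_token(acct.email))
    results.append(can_file(acct, "4821")[1])              # ok: confirmed and correct PIN
    for guess in ("0000", "1234", "1111", "2222", "3333", "4821"):
        results.append(can_file(acct, guess)[1])           # five misses, then locked even on the right PIN
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is where the check sits: the PIN is demanded at the filing action and verified against a hash, so a "remember it for me" convenience that pre-fills it would remove the control entirely, exactly the concern raised in the post above.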
That’s sort of the rub, I don’t see TT as a “tax preparer”. I see them as purveyors of tax software that’s easy for a layman to use. I, personally, am the preparer of record for my taxes when I use TT.