Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings
Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests on millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least according to Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states.
File ’em Before the Bad Guys Can
Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike. To learn more about the run-up to this extraordinary step and other tax fraud trends this year, I talked with Indu Kodukula, chief information security officer at Intuit.
Kodukula explained that in years past the dominant form of tax return scams the company has dealt with stemmed from phony federal tax refund requests. But this tax season, things changed dramatically.
“The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
The data released by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the work of the IRS, suggests the IRS does indeed appear to have improved at flagging and ultimately denying fraudulent federal tax returns. In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.
THE ROLE OF UNLINKED RETURNS
Kodukula said tax fraudsters have evolved in response to increased information sharing by the IRS with state revenue departments about phony tax returns received at the federal level. He described a process that began about three years ago, when Intuit and TurboTax received express permission from the IRS to share information about suspected bogus tax refund requests.
“It has been our understanding that this information is in turn being shared with [state treasury departments], Kodukula said. “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having a file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.
Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.
“It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
ACCOUNT TAKEOVERS FUELED BY PASSWORD RE-USE
Not only have the fraudsters shifted from attacking the IRS to robbing state coffers, but the methods they use to steal taxpayer data also are evolving. Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.
But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: The tendency for people to re-use passwords across multiple sites. This technique works because a fair percentage of users re-use passwords at multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.
“Over the past one-and-a-half years, we started to see much more of this type type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
“From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
Security experts (including this author) have long called on TurboTax to implement two-step authentication for customers to help address the account takeover the problem of password re-use by consumers. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.
Kodukula said TurboTax began rolling that Feb. 13, and that the company is currently evaluating customer logins — requiring additional authentication for returning customers who log in from a computer or device the company has never seen previously associated with that customer’s account. Those users will be forced to re-login using one of three additional authentication methods of the customer’s choosing: Email verification; enter a special code sent via text message; or a series of knowledge-based authentication (KBA) questions from big-three credit bureau Experian.
“We’re currently challenging about 20 percent of returning users [from the previous tax season] who are logging in, which is fairly standard,” Kodukula said. “Our current MFA approach is to provide a challenge to devices we don’t recognize and we have a 15-month history of devices. Our intent is to clear that backlog over the coming weeks so that we essentially clean out our entire portfolio of devices over the next few weeks.”
WHAT TO DO IF YOU’RE A VICTIM
If you file your state taxes this year and discover that your state return has already been filed, you should report the matter to your state revenue agency. For a list of state agencies, their hotlines and Web sites, see the second half of this page.
Intuit is encouraging all previous and current TurboTax customers to log into their accounts to see if there has been a return fraudulently filed. The company also is encouraging users to verify their bank account information and be sure that hasn’t been changed, as well as any other contact information associated with the account. Customers who detect errant changes can call TurboTax customer service at 800-944-8596. The company says it’s also offering free credit monitoring service for customers that have had account compromises.
If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.
That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.
Also, consider placing a fraud alert or freeze on your file at the major credit bureaus. If crooks have enough of your personal information to file a fraudulent tax return in your name, those same lowlifes can use that data to commit other crimes. Placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.
You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.
If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.
A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”
Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.
Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.
Many consumers turn to credit monitoring services to protect them and their loved ones from identity thieves. Before you shell out good money for such a service, check out the primer I wrote about the uses and limitations of credit monitoring services.
Also, check to see if an organization that stores your information has potentially jeopardized in a recent data breach. Chances are they are already offering credit monitoring to you for free. For example, some 80 million+ Americans are likely to get this offer from Anthem, the health insurance giant that recently announced that it would be notifying affected members by snail mail about credit monitoring offers. Some 56 million Home Depot shoppers also are eligible thanks to their data breach in Sept. 2014.
Virtually any company listed in the past year in my Data Breaches category is offering it, but my site is hardly an exhaustive list. California’s Office of the Attorney General has a searchable list of companies that have recently reported data breaches, and nearly all of those firms are offering free monitoring services for affected consumers.
This Indu character says they noticed fraudstets using credentials from other sites 18 months ago? I recall a press release when Intuit said they were not proactively advising customers to change passwords? If they new compromised accounts were reused in TurboTax, isnt that negligence? It seems this security guy Indu has no security background? How serious can they be about security?
I don’t want to jump to conclusions here about this Indu individual, but it just seems strange he doesn’t list himself as CISO at Intuit, and he seemingly has no background in security.
Googling “intuit ciso”, I found two people who actually claim to be CISO at Intuit:
Jerry Archer, 2007-2009
Eric Martin, 2010-2013
but nobody since 2013. I wonder if Intuit doesn’t really have a CISO and this Indu guy is just some senior manager/executive stepping in while the position is vacant? Seriously though… for a company that handles people’s SSNs, you would expect that they have a seasoned CISO and a really strong security team of uber hackers… something doesn’t seem to line up.
3 years ago, Turbo tax buttons guaranteed you paid 2 times to get your state refund, even if it was included in the package.
Last year it tried again, I spent 3 hours on the phone till they sorted it out.
This year after reading this, for the first time in over 11 years I’m using HR Blocks software, its cheaper, and if I’m taking a gamble anyway.
I’m curious when the prosecution of helping criminals starts, to bad they took a good product and treated their customers so badly.
Intuit’s two factor authentication is a sham. You have the choice of getting a challenge over email or sms. If your email is compromised, the bad guys will just use email for the 2FA and delete it when they get the email.
A hacker can then subscribe to their products using a stolen credit card and then have access to your past tax returns.
Also they do not let you delete your account. They refuse to delete your account even if you ask. There is no explanation. It’s probably because they don’t want to “lose” market share. So your personal info is on their site forever.
All they offer is for you to obscure your profile. But, your tax returns are linked to your account so this does nothing. They won’t let you hide those returns from appearing in your account.
So if they never delete accounts, then fraudulent accounts will never be deleted and hackers can keep trying to file bogus returns.
Never open an online account with them.
My husband had a fraudulent return filed in his name this year, and we just found out two days ago. This is real. It’s very sad all of the money that is being stolen from America.
One of my coworker just came up with the best idea I heard all day.
How about “Poisoning the Well”?
Everyone setup a bunch of Honey Pot type databases with fake SSN, Medical, etc data.
The bad guys will sell so much bad info no one will want any of it anymore.
Thoughts?