Intuit Notice of Unauthorized Access to Tax Returns [pdf] (vermont.gov)
82 points by robteix on Feb 25, 2019 | hide | past | favorite | 45 comments


FWIW, the reports are saying these accounts were compromised due to credential stuffing attacks. While Intuit can do something about credential stuffing by being proactive and hooking into haveibeenpwned etc., they were not "breached" in an intrusion sense.

[edit]: Here is a source with more info - https://www.scmagazine.com/home/security-news/intuit-the-com...


I'm surprised they don't do multifactor setup as part of the onboarding process. They offer full blown TOTP[1] but even if it's just SMS based it'd do a lot to mitigate these credential stuffing attacks.

[1] https://ttlc.intuit.com/questions/2902682-what-is-two-step-v...


I think you are letting TurboTax off too lightly. Many banks and the UK tax office make their login credentials unique by having a username with random characters, or requiring an account number on login.


That is not the solution. Usernames are not passwords. If they were, why have them at all? Generate a random unique password for your user and don’t have a username at all. As the parent mentioned using haveibeenpwnd or similar service is a much more user friendly and secure approach.


> That is not the solution. Usernames are not passwords. If they were, why have them at all?

Claiming that usernames cannot be a source of entropy/security needs foundation.

Back when the whole concept of authentication was new (UNIX) that was true because usernames were quite literally public information, you could see them via a directory listing. With early email (SMTP) that remained true but worse via public directories listings across-computer.

However in this context there's nothing inherent about a username that allows us to ignore its security characteristics. Unless the argument is "over the shoulder" leakage? Which I'd argue itself doesn't have a strong foundation.

Both obscure usernames and obscure passwords can contribute to the overall strength of a system. A system that allows the user to set their own password may gain particularly from pre-selected randomized usernames, as users have proved untrustworthy in the past when picking passwords (e.g. reuse, patterns, common words, etc).

As an aside, scrapping usernames and only having a password isn't inherently problematic, except two users with the same password may clash, and a password recovery scheme may be more difficult to develop. That's essentially what authentication tokens are.

> Generate a random unique password for your user and don’t have a username at all.

Because having an unknown username with an unknown password increases the difficulty of compromise via improved entropy.


I agree there is nothing technically bad about using usernames as more entropy (it is bad from a user experience standpoint), but why have two strings at all? Just have one longer, truly random string.

> Because having an unknown username with an unknown password increases the difficulty of compromise via improved entropy.

Not necessarily. It depends on the characteristics of each. If the username is truly random, sure, but then you are back in the same boat as using one random string.


Right; why have them at all? Why not log in with a UUID or something randomly generated. Use a 'password store' tool, and forget about the pointless username.

Further, do some automatic challenge-response thing between the server and yourself so you are authenticated to the server, and the server is authenticated to you. Which the current username/password scheme doesn't do at all.

Our current default state (username/password where both are human-rememberable) is failing us massively. It's arbitrary, historical and currently pointless.


With a single random password most people will write down their password, so anyone who can read what was written down gains full access. With a random username and a user-chosen password most people will write down their username but not their password. Clearly this approach is more secure.

I don't see how relying on haveibeenpwnd can be considered secure. Many people use the same password for different sites. If your site's login credentials are just email+password you are relying on the security and honesty of all other sites that use the email+password combination.


> With a single random password most people will write down their password, so anyone who can read what was written down gains full access. With a random username and a user-chosen password most people will write down their username but not their password. Clearly this approach is more secure.

I don't believe this is grounded in evidence. You are basically saying that given two hard to remember strings, most people will write down one hard to remember string and not the other hard to remember string. Why?

> I don't see how relying on haveibeenpwnd can be considered secure. Many people use the same password for different sites. If your site's login credentials are just email+password you are relying on the security and honesty of all other sites that use the email+password combination.

I think you are missing the point of the haveibeenpwnd service. The point is to block people from using ANY password that is listed in the haveibeenpwnd database, thus denying attackers from using that dictionary of known passwords.


A string is not that hard to remember when it is a password you thought up and have been using for 10 years. OK I cannot offer proof that most people would not write down their password, but surely some would not - and for those people having a separate User ID/password combination represents improved security. But anyway this is beside the point, which is that adding random characters to user credentials improves security - whether those credentials are 1 or 2 strings - and would have prevented this TurboTax attack.

Yes, using the haveibeenpwnd service offers some level of protection. But it still allows an attacker to breach a random website like funnycatpictures.com and find the email/password combinations that are not on haveibeenpwnd. Boom, that attacker has access to all those users' tax information.


Why was this recently uploaded to vermont.gov? Wouldn't it be Intuit's responsibility to inform its own users?

Confused whether this is just precautionary and given out to governments each tax season, or if something has occurred. The "Insert Date" makes it appear like the former.

Edit: According to another comment linking to "scmagazine," this is not precautionary!


This is exactly why I always used to pay extra for the TurboTax desktop edition (I say "used to" because I ended up ditching TurboTax entirely a couple years ago, but that's another story). It's worth it to me to pay a little extra to reduce the number of entities that have this kind of data stored, and it appears that bet has paid off in this case.


Does the desktop edition not utilize the server side logic that might have these accounts? I'm unfamiliar with that product and actually curious.


The desktop editions are supposed to run locally, and save data locally [1].

But, one quirk many may not be aware of, even with 'desktop' versions, is if one e-files, the data follows this path:

Desktop -> Intuit (or other software) servers -> IRS

So to avoid a copy of one's tax data being stored on the servers of the software prep. company, one has to print and file via paper forms.

[1] I realize this does not mean it is not silently uploading the data in the background somewhere to their servers anyway, but the 'web' version is guaranteed to be storing the data on their servers. But I do hope with the number of users using these packages that if this were to happen, someone would notice and sound the alarm.


What did you replace it with?

I have used it for 5 odd years, but it's really starting to annoy me now. I'm seriously considering trying to find a professional that can handle everything for, say $500/year.


I started using Free File Fillable Forms. It's a refreshingly simple site run by the IRS that lets you fill out all the standard tax return forms in your browser and file them directly. It helps with a few small things, like doing basic math for you e.g. when a particular row is supposed to contain the sum of several other rows, but that's pretty much it. At the end of the filing season, they delete all accounts and data contained on the site, so I mean technically somebody could still hack them I suppose, but at least the attack window is much smaller than in the case of something like TurboTax where they store all your data forever.

The first time around, it's a little bit of a pain to figure out what forms you need to attach and such, but it's really not that hard if you read the instructions for the forms and just follow the directions. If you're doing something complex like running a business and dealing with depreciable property or calculating AMT, it gets a little hairy, but even then I've generally been able to figure things out by just reading through the free publications that the IRS puts up on the web. I also like the sense of deeper understanding that I get from seeing how everything is being calculated, instead of just answering a bunch of questions and then having an algorithm spit out a number for my refund.


Not run by the IRS.

whois freefilefillableforms.com
Domain Name: FREEFILEFILLABLEFORMS.COM
Registry Domain ID: 1532523225_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-12-12T17:27:56Z
Creation Date: 2008-12-11T19:53:30Z
Registry Expiry Date: 2019-12-11T19:53:30Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: DNS1.QUICKEN.COM
Name Server: DNS2.QUICKEN.COM
Name Server: DNS3.INTUIT.COM
Name Server: DNS4.INTUIT.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

You are sending your data to Intuit.

Personally, I am a bit pissed that the IRS, a government organization with the sole purpose of collecting taxes, has no method for me to submit my tax return to them via the internet.


Wow, I had no idea, thanks for the info. The IRS website doesn't provide any obvious indication that FFFF is run by a third party, but I guess I shouldn't be surprised that they contracted it out like that.

Maybe it's time to just switch back to downloading the PDF forms, filling them in on my local computer, printing them out, and just mailing them in. Ugh.


Because I'm paranoid, I usually use Turbotax then do a sanity check by filling the paperwork out by hand. My return is probably slightly more complicated than the average one since 90% of people don't even itemize, but I can still do everything in an afternoon. Unless you have a particularly gnarly tax situation (own a business, exercising stock options, etc) it may be doable to take care of it yourself and save $500. Even if that $500 is a write-off :)


90%+ don't itemize because, we tried it, some of us for a couple years, and realize that we've been spending 10s or even 100s of hours of time keeping records, feeding them in to the tax software and then get told...

Taking the standard deduction (all your work, charitable donations, and other itemizable items still don't cross this threshold).

It's really annoying that taxes are even the way they are, it's all just a huge, convoluted mess. For something like 95%+ of the US the government already knows your earnings (W2/etc), banking (INT-whatever), and any brokerage/etc stuff. The only reason the IRS doesn't send a pre-filled out form that says "this is what we believe is owed to whom, - please pay / cash the check, or fill out taxes manually to report where you think we missed data" is PRECISELY because HR Block and Intuit (Turbo Tax) lobby for complicated taxes and no government automation.


Things generally not known by the government: deductions & credits you are eligible to take, any changes to your marital status, changes to your address. Often your government cannot find you, has no idea if you're still single/married/widow, and doesn't have the data for credit eligibility. Besides, you're also assuming perfectly accurate reporting of all data elements on income reporting documents by all payers and employers. We don't even have that now.

It is a nice idea but in practice it would just overcomplicate things. Changing up the Internal Revenue Code is a better way forward.


In practice there are many countries that don't require citizens to file tax returns, and somehow it all works just fine. Optimize for the most common path - standard deductions etc. Anybody who needs something more complicated will have to do some extra work, but why should everybody be forced to do this when it's rote for most?


Yeah, it'll definitely depend on your personal situation. When I itemized last year I think I only needed to grab 3 documents (W-2 which of course I already had, 1098 with my mortgage interest + property tax, and a charity receipt). If you're itemizing for medical bills or if you donate to many different charities I can see how the paperwork adds up.

Maybe you already know this, but the "prefilled form from the IRS" is similar to how a lot of countries do their taxes. From what I've heard the US uses tax writeoffs to influence people's behavior more than other countries do, so I wonder if that approach would lead to fewer people taking certain deductions.


Yeah, so this is part of why I like to fill out the forms myself now. I paid a one-time upfront time cost in learning about all the different rules around deductions and whatnot, but now I can pretty confidently know in advance whether I'll be able to itemize in a given year and what records to keep for the particular deductions I'll be taking. If you need to be able to answer all of TurboTax's questions to let it figure things out, it's actually more work because you have to keep records on everything since you don't know in advance what's going to be applicable.


I think "gnarly" would be an exaggeration, but it all adds up to being just complicated enough to be a bit of a pain. I have:

* A job with a W-2

* 2x brokerage accounts with 1099-INT + 1099-DIVs

* An HSA with a 1099-SA / 5489-SA forms

* A housing coop with a 1098 mortgage interest form, and property taxes to deduct

* A mortgage with a 1098 mortgage interest form

Some pain points:

* TurboTax wants to know if I paid Alternative Minimum Tax in the past, but doesn't seem to check its own records (I have only ever used TurboTax), or give me an easy way to check that (i.e., go look at line / box #xx on your previous 1040s). My memory is that I did end up doing AMT one year, and I think that somehow influences future years?

* I ended up doing estimated tax payments one year (TurboTax gave me the forms and details for this), but then the next year I didn't understand that I needed to deduct those payments (or rather, I had imagined TurboTax would know / ask me about that, but it didn't in any clear fashion). I got a letter from the IRS about the discrepancy, I had to send them the estimated tax payment data, they sent me an adjusted form, it was all fine in the end but it took some extra time + hassle to work through.

* The brokerage accounts lead to capital gains and losses which can need carrying over across years, and the dividend income seems to be enough to cause the estimated taxes in some years but not others.

* TurboTax is just way more annoying than it needs to be with its upselling, animations, sometimes vaguely worded questions, and apparent reluctance to use last year's records.

* Overall, my assets / income aren't massive or anything, but it wouldn't surprise me if someone being paid $500 / year or thereabouts could pay for themselves in saved time + mistakes or optimization suggestions.


Don't know about Nick but I switched to taxcut after the turbotax C-Dilla kerfuffle. No complaints so far.


This is one of the reasons I will never use a tax preparation product online. Nor will I file online through the IRS's "secure" system. Even the downloadables are open to shenanigans behind the scenes, so it's not the best option either.

At some point, it's possible that one or more IRS databases themselves will be breached. This may (?) cause a re-evaluation of the risks the US government is subjecting its citizens to by collecting and storing such large volumes of financial data.


Just make everyone's tax returns public. That's what Norway, Sweden and Finland do. Society hasn't collapsed when people know how much money their neighbor makes.


In the US, lottery winners are advised to remain private because of the significant increase in crime targeting public lottery winners; it's certainly not society collapsing when rich people get robbed, but I'm wondering if criminals in the Scandinavian countries use the tax returns for picking targets?


I imagine it happens. I remember a kidnapping of a wealthy young inheritor in Finland ten years ago... But that crime got so much attention because it was so unique.

Anyway, isn’t it much easier for criminals to pick a target by simply going into a wealthy neighborhood? The American rich are much more segregated than their Scandinavian counterparts. That’s a more obvious target on their back than having tax data available on request.


The ultrawealthy are certainly more segregated, but for upper-middle-class it's not unusual to see a factor of 10x difference in household income in the same neighborhood (e.g. $25-30k per year for a single parent or retiree vs $250-$300k per year total for two married professionals).

[edit]

For some data, you can look at primary school districts (which are almost always geographically assigned in the US, and are usually much smaller than secondary school districts). They tend to have statistics on percentage of students that qualify for government subsidized meal programs, which is a good proxy for poverty. I'm well above this line, but have lived in districts where the numbers were as high as 91% and as low as 5%.


They don't stop at putting gates up. They also have more police patrols, surveillance, and awareness of people who are out of place.


I don’t get the motivation behind keeping tax returns secret. It’s like your phone number: I wouldn’t post it to Reddit, but if someone can find it somewhere it’s no big deal to me. I don’t understand the threat model, besides the edge cases others mentioned like lottery winners.


My earnings are my business, not yours. My neighbors don’t need to know either.


So you print it, send it in the mail, and then the IRS receives it and OCRs it back into the database you don't want the data in?


Yes, but I get some satisfaction in making them go out of their way to do it.

And no way in hell am I giving the information to Intuit first, so that they can mine and sell it (and probably leak it unintentionally as well).


There is no OCR in play. Real human beings handle code & edit of returns. Real human beings also check for errors at that time, too.


The document says that the accounts may have been accessed using id/password combinations obtained from other sources. But doesn't TurboTax have two-factor authentication? If so, how is this possible? If not, why would an extremely important service like TurboTax not have two-factor authentication?


Because it decreases conversion, and because people only use it one month of the year, and because people will desperately call up about needing to log in to file but they changed their phone number yada yada.


Two-factor auth is not required for TurboTax.


Even if one account is compromised, they have to send that notification. So I wouldn't be so worried about it. Some credential stuffing attack gained access to a few accounts protected by a password like 123456. TurboTax has 2FA support.


I have a ticket open with them for a couple of weeks now due to them not supporting MFA with my bank. My bank requires the token code after the password and TurboTax tries to replay the password and token code twice. I feel like a financial institution shouldn't be tripped up by enterprise security that they assuredly have in house too.


This is a defect with your bank, not TurboTax. Your bank should be doing OAuth, not user/pass.

https://community.intuit.com/questions/1752343


Not really if TT is saying they support it.


Side note: TurboTax's updater still requires TLS 1.0. facepalm



