“It will make or break the company,” says Andrew Lange, an equity analyst for Morningstar, a fund research firm. “It’s that important that they protect this information.”
Intuit, the maker of TurboTax, says that a chunk of the tax fraud it saw earlier this year was due to fraudsters taking over accounts that belonged to existing customers by guessing their username and password or testing out credentials they may have attained through a separate breach. The company says its own systems were not compromised.
In response, Intuit introduced some new security measures last month to make it harder for people to use its software for fraud. For one, customers now have to enter a code that gets sent to their e-mail address or phone number when they try to log in from a different computer. And taxpayers can no longer submit state-only returns, requiring them to get past the IRS’s fraud filters if they want to steal a refund.
Some critics, including two former Intuit employees, say tax preparation companies should do more to protect the sensitive information stored in tax returns that thieves can then use to steal refunds or to commit other forms of identity theft. “You have a private company that is so widely depended on by so many Americans to hold very sensitive information,” says Brian Krebs, author of the online security blog Krebs on Security. “In some ways more sensitive than what your bank would hold about you.”
Intuit says it is constantly evaluating ways that it can improve its security and that it may roll out more protections in addition to the changes it’s made so far. “The threat environment continues to evolve and we are moving quickly to do the same,” Intuit spokeswoman Julie Miller said. “We recognize that we can and must do more.”
We spoke to security experts about some other steps that TurboTax and companies like it can take to keep customers’ information secure and to make it harder for thieves to use their software to commit fraud.
Make people prove their identities.
The way tax-related identity theft usually works is a thief uses personal information obtained through a breach or purchased on the black market to file a phony tax return and collect a refund. If tax software companies took steps to verify the identity of people using that Social Security number, it would become harder for thieves to file fake refunds.
For instance, some credit-monitoring Web sites will ask people questions tied to their Social Security numbers before they can open an account, Krebs said. Tax software providers can also prevent the same Social Security number from being used in more than one account, which would make it harder for fraudsters to steal refunds from existing customers. Miller said Intuit is thinking about incorporating similar questions to help verify taxpayers’ identities. The company is also considering e-mail and phone number validation, which would require people to confirm their contact information when they create an account, making it easier to verify their identity later on, Miller said.
“There are no standards in the tax preparation industry or no consistent approach to security measures across industry,” Miller said. “As the leader we have an obligation to step up and lead here and to help drive adoption of a set of standards.”
Toughen the “forgot my password” feature.
In addition to asking people to give their names, Social Security number and zip codes when they forget their passwords, Intuit is now requiring people who want to recover a password to answer questions about information pulled from their credit history, such as to point out a license number that was previously linked to their names.
But some companies are making it more difficult for thieves to overcome these password recall tools by giving customers a chance to write their own security questions, says Hemu Nigam, founder of SSP Blue, a security consultancy. That lets customers get creative and ask about things only they would know, he says.
Alert customers about other breaches that affect them.
TurboTax insists that it has not been breached, but some of the tax fraud it saw earlier this year was due to people taking over the accounts of existing customers by guessing their passwords or accessing a list of usernames and passwords leaked from another site.
Security experts say tax preparation companies like it can be proactive by letting customers know when an external breach may affect them. For instance, Facebook has previously compared lists of usernames and passwords that were leaked from other Web sites against the log-in credentials for its own users and forced customers to change their passwords if there was overlap, said Chester Wisniewski, a senior security adviser for Sophos, a security software vendor.
If tax preparation companies are proactive about other breaches in that way, Wisniewski says, they can help customers protect their most sensitive information — even from breaches that may be seemingly unrelated.