
Intuit Notice of Unauthorized Access to Tax Returns [pdf] - robteix
https://ago.vermont.gov/wp-content/uploads/2019/02/2019-02-22-Intuit-Notice-of-Data-Breach-to-Consumers.pdf
======
Bhilai
FWIW, the reports are saying these accounts were compromised due to credential
stuffing attacks. While Intuit can do something about credential stuffing by
being proactive and hooking into haveibeenpwned etc., they were not
"breached" in an intrusion sense.

[edit]: Here is a source with more info -
[https://www.scmagazine.com/home/security-news/intuit-the-
com...](https://www.scmagazine.com/home/security-news/intuit-the-company-
behind-tax-preparation-software-turbotax-alerted-users-their-accounts-may-
have-been-accessed-by-an-unauthorized-party/)
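
The "hooking into haveibeenpwned" idea from the comment above, as an added example (not Intuit's code and not the thread's): the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix, so the password and its full hash never leave the service doing the check. The sample range response, the breach counts in it and the `offline_fetch`/`reject_if_pwned` helper names are constructed for this example; the first suffix is the real SHA-1 tail of the string "password", so a live lookup of prefix 5BAA6 would contain it too.

```python
"""Screen a password against Pwned Passwords using the k-anonymity range API.

Added example, not from Intuit or the linked thread.  Flow:
  1. SHA-1 the candidate password, uppercase hex.
  2. Send only the 5-char prefix: GET https://api.pwnedpasswords.com/range/<prefix>
  3. The body lists every known 35-char suffix as SUFFIX:COUNT lines.
  4. Match the suffix locally; count >= 1 means the password is in a known breach.
The fetch is a parameter so the demo runs offline against a constructed response.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines; padded entries (count 0) are kept harmlessly."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6.  The first suffix is the real
# SHA-1 tail of "password"; all three counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call so the example runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real range lookup.  Add-Padding asks the API to pad the response so the
    body size does not leak how many suffixes share the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-pw-checker"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def reject_if_pwned(password: str,
                    fetch_range: Callable[[str], str] = offline_fetch,
                    threshold: int = 1) -> bool:
    """True if a signup/reset flow should refuse this password."""
    return pwned_count(password, fetch_range) >= threshold


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "reject" if reject_if_pwned(pw) else "ok")
```

To run it against the real corpus, pass `live_fetch` as `fetch_range`. Checking at password creation and reset is the cheap part; the check that actually blunts credential stuffing is re-screening existing credentials and forcing a reset for accounts whose password appears in a breach, which the range API also supports since only the prefix is sent.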

~~~
MarkMc
I think you are letting TurboTax off too lightly. Many banks and the UK tax
office make their login credentials unique by having a username with random
characters, or requiring an account number on login.

~~~
nathantotten
That is not the solution. Usernames are not passwords. If they were, why have
them at all? Generate a random unique password for your user and don't have a
username at all. As the parent mentioned, using haveibeenpwned or a similar
service is a much more user-friendly and secure approach.

~~~
Someone1234
> That is not the solution. Usernames are not passwords. If they were, why
> have them at all?

Claiming that usernames cannot be a source of entropy/security needs
foundation.

Back when the whole concept of authentication was new (UNIX) that was true
because usernames were quite literally public information; you could see them
via a directory listing. With early email (SMTP) that remained true, but worse,
via public directory listings across computers.

However in this context there's nothing inherent about a username that allows
us to ignore its security characteristics. Unless the argument is "over the
shoulder" leakage? Which I'd argue itself doesn't have a strong foundation.

Both obscure usernames and obscure passwords can contribute to the overall
strength of a system. A system that allows the user to set their own password
may gain particularly from pre-selected randomized usernames, as users have
proved untrustworthy in the past when picking passwords (e.g. reuse, patterns,
common words, etc).

As an aside, scrapping usernames and only having a password isn't inherently
problematic, except two users with the same password may clash, and a password
recovery scheme may be more difficult to develop. That's essentially what
authentication tokens are.

> Generate a random unique password for your user and don’t have a username at
> all.

Because having an unknown username with an unknown password increases the
difficulty of compromise via improved entropy.

~~~
nathantotten
I agree there is nothing technically bad about using usernames as more entropy
(it is bad from a user experience standpoint), but why have two strings at
all? Just have one longer, truly random string.

> Because having an unknown username with an unknown password increases the
> difficulty of compromise via improved entropy.

Not necessarily. It depends on the characteristics of each. If the username is
truly random, sure, but then you are back in the same boat as using one
random string.

------
alehul
Why was this recently uploaded to vermont.gov? Wouldn't it be Intuit's
responsibility to inform its own users?

Confused whether this is just precautionary and given out to governments each
tax season, or if something has occurred. The "Insert Date" makes it appear
like the former.

Edit: According to another comment linking to "scmagazine," this is not
precautionary!

------
NickM
This is exactly why I always used to pay extra for the TurboTax desktop
edition (I say "used to" because I ended up ditching TurboTax entirely a
couple years ago, but that's another story). It's worth it to me to pay a
little extra to reduce the number of entities that have this kind of data
stored, and it appears that bet has paid off in this case.

~~~
tacostakohashi
What did you replace it with?

I have used it for 5-odd years, but it's really starting to annoy me now. I'm
seriously considering trying to find a professional that can handle everything
for, say, $500/year.

~~~
Rebelgecko
Because I'm paranoid, I usually use Turbotax then do a sanity check by filling
the paperwork out by hand. My return is probably slightly more complicated
than the average one since 90% of people don't even itemize, but I can still
do everything in an afternoon. Unless you have a particularly gnarly tax
situation (own a business, exercising stock options, etc) it may be doable to
take care of it yourself and save $500. Even if that $500 is a write-off :)

~~~
mjevans
90%+ don't itemize because we tried it, some of us for a couple of years, and
realized that we'd been spending 10s or even 100s of hours of time keeping
records, feeding them in to the tax software, and then got told...

Taking the standard deduction (all your work, charitable donations, and other
itemizable items still don't cross this threshold).

It's really annoying that taxes are even the way they are, it's all just a
huge, convoluted mess. For something like 95%+ of the US the government
already knows your earnings (W2/etc), banking (INT-whatever), and any
brokerage/etc stuff. The only reason the IRS doesn't send a pre-filled out
form that says "this is what we believe is owed to whom, - please pay / cash
the check, or fill out taxes manually to report where you think we missed
data" is PRECISELY because HR Block and Intuit (Turbo Tax) lobby for
complicated taxes and no government automation.

~~~
smkellat
Things generally not known by the government: deductions & credits you are
eligible to take, any changes to your marital status, _changes to your
address_. Often your government cannot find you, has no idea if you're still
single/married/widow, and doesn't have the data for credit eligibility.
Besides, you're also assuming perfectly accurate reporting of _all_ data
elements on income reporting documents by all payers and employers. We don't
even have that now.

It is a nice idea but in practice it would just overcomplicate things.
Changing up the Internal Revenue Code is a better way forward.

~~~
int_19h
In practice there are many countries that don't require citizens to file tax
returns, and somehow it all works just fine. Optimize for the most common path
- standard deductions etc. Anybody who needs something more complicated will
have to do some extra work, but why should _everybody_ be forced to do this
when it's rote for most?

------
apo
This is one of the reasons I will never use a tax preparation product online.
Nor will I file online through the IRS's "secure" system. Even the
downloadables are open to shenanigans behind the scenes, so it's not the best
option either.

At some point, it's possible that one or more IRS databases themselves will be
breached. This may (?) cause a re-evaluation of the risks the US government is
subjecting its citizens to by collecting and storing such large volumes of
financial data.

~~~
pavlov
Just make everyone's tax returns public. That's what Norway, Sweden and
Finland do. Society hasn't collapsed when people know how much money their
neighbor makes.

~~~
aidenn0
In the US, lottery winners are advised to remain private because of the
significant increase in crime targeting public lottery winners; it's certainly
not society collapsing when rich people get robbed, but I'm wondering if
criminals in the Scandinavian countries use the tax returns for picking
targets?

~~~
pavlov
I imagine it happens. I remember a kidnapping of a wealthy young inheritor in
Finland ten years ago... But that crime got so much attention because it was
so unique.

Anyway, isn’t it much easier for criminals to pick a target by simply going
into a wealthy neighborhood? The American rich are much more segregated than
their Scandinavian counterparts. That’s a more obvious target on their back
than having tax data available on request.

~~~
aidenn0
The ultrawealthy are certainly more segregated, but for upper-middle-class
it's not unusual to see a factor of 10x difference in household income in the
same neighborhood (e.g. $25-30k per year for a single parent or retiree vs
$250-$300k per year total for two married professionals).

[edit]

For some data, you can look at primary school districts (which are almost
always geographically assigned in the US, and are usually much smaller than
secondary school districts). They tend to have statistics on percentage of
students that qualify for government subsidized meal programs, which is a good
proxy for poverty. I'm well above this line, but have lived in districts where
the numbers were as high as 91% and as low as 5%.

------
wonjohnchoi
The document says that the accounts may have been accessed using id/password
combinations obtained from other sources. But doesn't TurboTax have two-factor
authentication? If so, how is this possible? If not, why would an extremely
important service like TurboTax not have two-factor authentication?

~~~
lozenge
Because it decreases conversion, and because people only use it one month of
the year, and because people will desperately call up about needing to log in
to file but they changed their phone number yada yada.

------
ccnafr
Even if one account is compromised, they have to send that notification. So I
wouldn't be so worried about it. Some credential stuffing attack gained
access to a few accounts protected by a password like 123456. TurboTax has 2FA
support.
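
The credential stuffing pattern that Bhilai's and ccnafr's comments describe has a distinctive shape in authentication logs: one source tries many different usernames once or twice each, most attempts fail, and the handful that succeed are exactly the accounts a notice like Intuit's has to cover. This added example (not Intuit's detection logic, and not from the thread) runs that heuristic over a constructed log in a made-up `ts ip= user= result=` format; the IP addresses, usernames, thresholds and the `detect` helper are all assumptions for the example. It also separates stuffing from single-account password guessing and from a legitimate user mistyping a password, since naive failure counting lumps all three together.

```python
"""Classify login sources as credential stuffing, password guessing or benign.

Added example, not Intuit's code.  Heuristic per source IP:
  - many distinct usernames, high failure ratio  -> credential stuffing
  - one username, many attempts, high failures   -> password guessing
  - everything else                              -> benign
Log format and sample data are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Assumed line format: ISO timestamp, then key=value fields, result OK or FAIL.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)       # every username tried
    successes: Set[str] = field(default_factory=set)   # usernames that logged in


def parse(lines: Iterable[str]) -> List[dict]:
    """Keep only lines that match the expected format; skip the rest silently."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate(events: Iterable[dict]) -> Dict[str, SourceStats]:
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def classify(s: SourceStats, min_users: int = 5, min_fail_ratio: float = 0.8,
             min_guesses: int = 10) -> str:
    fail_ratio = s.failures / s.attempts
    if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
        return "credential-stuffing"
    if len(s.users) == 1 and s.attempts >= min_guesses and fail_ratio >= min_fail_ratio:
        return "password-guessing"
    return "benign"


def detect(lines: Iterable[str], **thresholds) -> Dict[str, Tuple[str, List[str]]]:
    """Map each source IP to (verdict, sorted usernames it successfully logged into)."""
    return {
        ip: (classify(s, **thresholds), sorted(s.successes))
        for ip, s in aggregate(parse(lines)).items()
    }


# Constructed sample log.  203.0.113.5 sprays eight accounts and gets into one;
# 198.51.100.7 is a real user mistyping twice; 192.0.2.9 hammers one account.
SAMPLE_LOG = """\
2019-02-20T03:14:01Z ip=203.0.113.5 user=alice result=FAIL
2019-02-20T03:14:02Z ip=203.0.113.5 user=bob result=OK
2019-02-20T03:14:02Z ip=203.0.113.5 user=carol result=FAIL
2019-02-20T03:14:03Z ip=203.0.113.5 user=dave result=FAIL
2019-02-20T03:14:03Z ip=203.0.113.5 user=erin result=FAIL
2019-02-20T03:14:04Z ip=203.0.113.5 user=frank result=FAIL
2019-02-20T03:14:04Z ip=203.0.113.5 user=grace result=FAIL
2019-02-20T03:14:05Z ip=203.0.113.5 user=heidi result=FAIL
2019-02-20T09:02:10Z ip=198.51.100.7 user=alice result=FAIL
2019-02-20T09:02:31Z ip=198.51.100.7 user=alice result=FAIL
2019-02-20T09:02:55Z ip=198.51.100.7 user=alice result=OK
""" + "".join(
    f"2019-02-20T11:00:{i:02d}Z ip=192.0.2.9 user=carol result=FAIL\n" for i in range(12)
)


if __name__ == "__main__":
    for ip, (verdict, got_in) in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:14} {verdict:20} compromised={got_in}")
```

A production detector would bucket by time window rather than over the whole file, key on more than the source IP (ASN, TLS or device fingerprint, proxy reputation), and feed the `successes` set straight into the forced-reset and notification workflow, which is the list a breach notice like this one is ultimately about.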

------
argd678
I have a ticket open with them for a couple of weeks now due to them not
supporting MFA with my bank. My bank requires the token code after the
password and TurboTax tries to replay the password and token code twice. I
feel like a financial institution shouldn’t be tripped up by enterprise
secretary that they assuredly have in house too.

~~~
jiveturkey
This is a defect with your bank, not TurboTax. Your bank should be doing
OAuth, not user/pass.

[https://community.intuit.com/questions/1752343](https://community.intuit.com/questions/1752343)

~~~
argd678
Not really if TT is saying they support it.

------
newman314
Side note: TurboTax's updater still requires TLS 1.0. _facepalm_

