
TurboTax halts all state e-filing amid data breach probe - anigbrowl
http://blogs.wsj.com/totalreturn/2015/02/06/turbotax-halts-e-filing-of-state-tax-returns/
======
clogston
Lots of speculation in this thread. Here's my hypothesis.

Federal tax return fraud is huge. It's a growing problem that the IRS is
struggling to cope with and it's been going on for years. State tax return
fraud has been largely non-existent... so non-existent in fact that USA Today
reported the state of Minnesota got suspicious when there were _2_ reported
cases of fraud[0].

So what's going on and why is TurboTax being called out by these states? First
off, know that when a tax return is e-filed either to the fed (who also
handles most state e-filing) or directly to the state, every software provider
transmits an identifier along with it. So if you get a bunch of bogus tax
returns submitted it's trivial to see where they're all originating from.
Second, the rise in federal tax return fraud has grown steadily in relation to
the number of software providers offering a _free_ option... the reason we
haven't seen state fraud as rampant is because it has always cost money to
prepare your state return with software. But what's new this year besides a
dramatic increase in state tax return fraud? TurboTax's Absolute Zero
campaign. That's right, a whole lot more people can file their state taxes
for free using TurboTax's software. That may seem great at first blush if you
qualify, but an unintended consequence of that is it's now a completely free
roll for a fraudster to file a state tax return IN ADDITION to a federal one.

[0] [http://www.usatoday.com/story/money/personalfinance/2015/02/...](http://www.usatoday.com/story/money/personalfinance/2015/02/06/turbotax-state-filings-halted/22979519/)

~~~
nsxwolf
Why would free filing increase fraud? It's always been free to file if you do
it yourself.

Can't it be that there's just more at stake with the Federal return in terms
of total dollars, and far more tax deductions available?

~~~
gaadd33
If it cost $10 per filing that would be a huge up-front cost for someone,
especially if it turns out many of their fake returns are invalidated en masse.
It's pretty hard to file several thousand fake returns with plausible data
(esp. if you have last year's data or data from several years ago) by hand; if
you are putting in that much work you might as well just prepare people's taxes
in a legitimate way.

------
valar_m
The title of the article is misleading. "Data breach" implies a release of
sensitive data, which is not what appears to have happened.

 _Intuit said its TurboTax unit took action Thursday after seeing attempts to
use stolen personal information to file fraudulent returns for tax refunds._

 _The tax-software company said that after a preliminary examination with
Palantir Technologies, which provides security and antifraud services, it
believes there wasn’t a breach of Intuit systems and that “the information
used to file fraudulent returns was obtained from other sources outside the
tax preparation process.”_

~~~
sp332
_“Fraudsters obtained information that’s generally only found on income-tax
returns.” In some cases, the fraudulent 2014 returns closely resemble 2013
returns, with only minor alterations—implying that the scammer had access to
the taxpayers’ 2013 returns._

There was a data breach.

~~~
ChristianBundy
_The tax-software company said that after a preliminary examination with
Palantir Technologies, which provides security and antifraud services, it
believes there wasn’t a breach of Intuit systems and that "the information
used to file fraudulent returns was obtained from other sources outside the
tax preparation process."_

Did you read the article?

~~~
sp332
There is a single, solitary sentence in this article that implies there might
not be a data breach: _Perhaps someone got a name and guessed a password,” she
said._ The rest of the article is full of evidence that there was a data
breach.

Edit: including the part you quoted, _information used to file fraudulent
returns was obtained from other sources outside the tax preparation process._

~~~
ams6110
Someone getting a name and guessing a password would be a data breach. What
else can you call it?

------
bdcs
As far as I know, TaxACT[0] is the only tax software whose parent company
doesn't actively lobby against tax filing simplification. I haven't used them
nor do I have any stake in them, but I figure it is good for people to know of
this TurboTax alternative.

[0] [http://www.taxact.com/](http://www.taxact.com/)

~~~
jmcphers
Has anyone actually used TaxACT recently and can compare the experience with
TurboTax?

I've used TurboTax almost every year for the last decade, except one in which
I used TaxACT because it was a lot cheaper (my taxes are moderately complex
enough to send me into the more expensive TurboTax price brackets).

At the time the software felt shoddy compared to TurboTax in almost every way;
it was certainly better than form-filling myself but it didn't inspire
confidence.

~~~
Encosia
If your taxes are complicated enough to pay for a high tier of TurboTax, you
may be better off finding a good CPA.

I'm an independent consultant, use QuickBooks throughout each year, and have
used TurboTax for quite a while out of inertia from having my data already in
a friendly format in QB. I finally decided to give an actual CPA a try last
year. Among other things, she has already saved me an order of magnitude more
than her fee just by amending my old TurboTax returns. Not to mention the
value of the time that she has saved me.

I would never go back to TurboTax (or TaxACT or similar) unless I was a
straight W-2 salaried employee (and only maybe then).

------
ad_hominem
There was some discussion relating to this on /r/personalfinance earlier
today:
[http://www.reddit.com/r/personalfinance/comments/2uzfel/minn...](http://www.reddit.com/r/personalfinance/comments/2uzfel/minnesota_no_longer_accepting_tax_returns_from/)

~~~
bbatsell
Wow. According to several posters in that thread, Intuit was allowing guest
users to pull up data from prior years' tax returns (and subsequently file
this year with correct data) by providing only an SSN and not any other form
of authentication. If true, that's basically a criminal level of negligence.

~~~
omgitstom
That means you could brute force your way into getting someone else's tax
return... scary

~~~
thrownaway2424
This has always been possible. I knew a guy who bulk downloaded returns from
H&R Block because they required only last name, zip, and partial SSN. He picked
a zip where everyone is named Stein and was born at the same hospital (which
gets its own SSN shard) and went to town. Naturally they had no rate limiting.

~~~
gaadd33
How do you find a zipcode where everyone has the same last name? I'm guessing
a very small town several hours from a single hospital?

~~~
thrownaway2424
Wrong, it's one of the most populous zips in the nation, and I'm being flippant
about the name, but when you are brute forcing things an unusual probability is
all you need.

~~~
gaadd33
Oh seems like it would have been just as easy to grab census data for the past
50 years and run through last names by decreasing frequency.

Here I thought you had found a unique zipcode.

------
ChuckMcM
If you're wondering what folks are going to do with that treasure trove of
Anthem data, I've got two ideas:

1) File fraudulent tax returns

2) Fill bogus prescriptions

~~~
r00fus
So who's ultimately going to pay for fighting this fraud? Lemme guess:
probably not Anthem.

~~~
l33tfr4gg3r
As with most data breaches involving theft of personal information, especially
the type that have the potential to exploit a single point of failure
(otherwise known as your SSN) the affected company needs to offer credit
protection and credit monitoring for a period of time. I sure hope Anthem has
good re-insurance. By one account
([http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-di...](http://www.forbes.com/sites/brucejapsen/2015/02/06/anthem-didnt-encrypt-personal-data-and-privacy-laws-dont-require-it/))
it seems they were storing SSNs in the clear, which is probably akin to begging
for something like this to happen in this day and age.

~~~
hurin
It seems like every 2 or 3 months there is a data breach in the news and a
bunch of plain-text info is stolen. And every time I am inclined to imagine the
companies storing in plain text would think "oh we should change something
about this"

But then it happens again 2 or 3 months later anyways ...

~~~
yeukhon
Before we go to encryption, let's talk about all the SSNs you put on paper you
file for banks, government, employment. That's right. They are all in the
clear. Whatever you sent to your employer over email (rather than fax) is still
in the clear.

A lot of these attacks are trojans that have already breached the network, and
insider attackers. The latter is often due to infection (e.g. USB, browsing a
problematic website). Encrypting the file, encrypting the SSN field is not a
full solution but is definitely a really good solution.
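
The "SSNs stored in the clear" point raised in the three comments above, shown as a pattern that keeps the full SSN out of the stored row while still allowing exact-match lookup. This is an added example, not code from Anthem, Intuit or this thread; the directory shape and the records are constructed, and the key is generated in-process only for the demo (a real deployment would hold it in a KMS/HSM so that a database dump alone does not include it).

```python
"""Keeping an SSN out of the database row while still being able to match on it
(a keyed "blind index"). Added example, not from the thread or from any vendor.
Records are constructed; the key is generated in-process for the demo only."""

import hashlib
import hmac
import os
import re

_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' tokenize the same."""
    s = ssn.strip()
    if not _SSN_RE.match(s):
        raise ValueError("not an SSN-shaped value")
    return s.replace("-", "")


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed blind index: HMAC-SHA256 over the nine digits.

    An *unkeyed* hash would not help: there are only 10^9 SSNs, so every
    possible hash can be precomputed in minutes. The secrecy lives in the key,
    which is kept out of the database (assumed: KMS/HSM, not a table column)."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class MemberDirectory:
    """Stores name + last four digits for display and the HMAC token for
    exact-match lookup. The full SSN never touches the stored row."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self._key = key
        self._rows = {}  # token -> {"name": ..., "ssn_last4": ...}

    def add(self, name: str, ssn: str) -> None:
        digits = normalize_ssn(ssn)
        self._rows[ssn_token(ssn, self._key)] = {"name": name, "ssn_last4": digits[-4:]}

    def find(self, ssn: str):
        """Exact-match lookup by SSN, without storing the SSN."""
        return self._rows.get(ssn_token(ssn, self._key))

    def dump(self):
        """What an attacker with read access to the table (but no key) sees."""
        return [dict(token=t, **row) for t, row in self._rows.items()]


def dump_leaks_full_ssn(dump, ssns) -> bool:
    """True if any stored row contains one of the given SSNs in any format."""
    blob = repr(dump)
    return any(normalize_ssn(s) in blob or s.strip() in blob for s in ssns)


if __name__ == "__main__":
    key = os.urandom(32)
    d = MemberDirectory(key)
    d.add("A. Example", "123-45-6789")       # constructed, not a real person
    print(d.find("123456789"))               # matches despite different format
    print(d.dump())                          # token + last four only
    print(dump_leaks_full_ssn(d.dump(), ["123-45-6789"]))
```

This covers the lookup side only. Where a process genuinely needs the full SSN back (for example to print it on a tax form), keep a separately encrypted copy under an authenticated cipher such as AES-GCM from a real library, with that key also held outside the database, and log every decryption; what this block prevents is the scenario in the thread, where a table copied off a server hands the attacker nine usable digits per row.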

~~~
tjl
What surprises me most is that the US doesn't seem to have the same law as
here in Canada. Here, pretty much only the bank, government, or your employer
can ask for your social as that's the law. Plus, they don't send it in the
clear on-line. You'll get receipts either from a secure Web site or physically
mailed to your address.

------
omgitstom
Out of curiosity, if someone e-files fraudulently for you, are you held liable
by the IRS if you are audited?

~~~
stinkytaco
I don't have much insight into the legal end of this, but I will say I've had
(or at least been involved with) "run-ins" with the IRS twice, both times were
legitimate misunderstandings on our part. We were in the wrong, but no actual
malice was intended. Both times the IRS was quite flexible in getting the
problem sorted out. It's just personal experience, but that experience was not
of the IRS as a monolithic government body that bulldozes people. They wanted
their money and were willing to work with me to get it.

~~~
mml
Nitpick: they wanted _your_ money. It's not "theirs" by any stretch.

~~~
nkozyra
If we're nitpicking, it's the result of a transaction. Granted it's a
transaction you're not opting out of, but it's still an exchange of service
for payment.

By any other measure in a transaction that money ceases to be _yours_ and
becomes _theirs_. We can argue the merits of income tax or taxation in
general, but in our (and many similar) systems, it's not _your_ money if you
wish to live in the country and thus partake in this transaction.

------
8ig8
From the TurboTax blog:

[http://blog.turbotax.intuit.com/2015/02/06/intuit-working-wi...](http://blog.turbotax.intuit.com/2015/02/06/intuit-working-with-state-governments-to-solve-emerging-tax-fraud-problem/)

(Shouldn't this be the proper link for the HN post?)

------
DrJosiah
With the language being used to describe what's going on, combined with the
numbers that Alabama is estimating, it smells a lot like malware-infected PCs
combined with the desktop edition of Turbotax (which offers free e-file if you
buy the software).

That would explain:

* why it seems to be only hitting Turbotax users
* the availability of 2013 data (Turbotax users usually buy every year)
* the availability of logins to these sites

While I wouldn't go so far as to say that this _is_ the source of the
data/problem, malware + desktop app + efile through Turbotax online fits the
public information really well.

------
orionblastar
Yeah this happens more than just with Turbo Tax.

It used to be a scam that prisoners did by requesting 1040 forms and having
some help on the outside to make bank accounts to direct deposit the money for
refunds into it. They would get fake W2 forms and make them from fictitious
companies and enter a large withholding tax on them. File the 1040EZ form with
the standard deduction and file a state form too for extra money. Everything
was done via postal mail before Turbo Tax and others provided e-filing.

A friend of our family had someone file taxes as her, and we think the SSN got
stolen from the church we go to by ex-employees because they need it for
donation tracking. She hadn't filed taxes in a while and Turbo Tax would not
help and she was seeking an accountant to find out someone else already filed
taxes as her.

I buy the desktop Turbo Tax edition and I try to file early before anyone else
can file as me. I am disabled and don't make a lot, but there have been many
data breaches that include SSNs over the past decade or so. When I had a
student loan, someone stole a laptop with a harddrive on it that had SSNs and
other info on it from the company that managed my student loan.

Actually if people are getting SSNs from outside of Turbo Tax they can e-file
with the other tax filing software as well.

------
peterwwillis
How to file fraudulent tax returns:

    
    
      Step 1. Take someone's W2.
      Step 2. File.
    

Why would they stop all state filing because of this?

~~~
stinkytaco
Just to be clear, this is a major problem:

[http://www.irs.gov/uac/Newsroom/IRS-Combats-Identity-Theft-a...](http://www.irs.gov/uac/Newsroom/IRS-Combats-Identity-Theft-and-Refund-Fraud-on-Many-Fronts-2014)

It's called SIRF (Stolen Identity Refund Fraud) and it likely costs billions a
year at the federal level (I could not find data on states).

The difference seems to be that Turbo Tax was just the vector because it could
be automated. Not a lot of payoff in doing it by hand.

~~~
slantedview
I'd be interested to know how hard it is to trace the destination of
fraudulent tax refunds.

~~~
clogston
It's trivial for the IRS. They either cut a check (and mail it to an address)
or direct deposit it in to an account. Most fraudsters opt for the check
option... so much so in fact that one of the new fraud prevention mechanisms
the IRS introduced this year was to cap the total number of refund checks to
any specific address at 10(!).

------
rmc
I'm not USAian, so I'm not familiar with the US system. But why would
criminals want to fill in someone else's tax details?!

~~~
sokoloff
To claim a refund based on incorrect/falsified statements of income,
deductions, and withholdings.

Claim that SSN 123-45-6789 worked a job where they made $19K in income, had
$4K in taxes withheld, and owed a total tax of $0, so please mail the $4K
refund check to 12A Main Street, Fraudville, MA 02341.

The tax authorities are often compelled to process the refund in a certain
time window that precludes cross-checking all the information and certainly
precludes waiting to see if the actual taxpayer will file an actual (non-
fraudulent) return.

------
iscrewyou
So, what is the best way to find out if you are the victim?

Call IRS? (Assuming you haven't filed it yet) Check TurboTax? (Essentially
filing yours and wait for it to be rejected?)

Maybe TurboTax should have a tool that checks against their system(based on
SSN and some credit history questions, etc) to see if you(the fraudster in
this case) has filed your taxes or not.

~~~
clogston
Unfortunately there isn't an existing easy way to find out if your SSN has
been used to file a tax return. When you file your taxes via efile[0], the IRS
system will reject the tax return if a tax return with the same SSN has
already been filed for that processing year.

If this happens to you you're forced to file by mail.

[0] Doesn't matter who you use to do your taxes. Even an accountant that has
access to e-file.

~~~
tjl
In Canada, you can't get the e-file code if you've moved in the tax year so
you have to mail in your tax return.

------
sp332
If Intuit wasn't breached, that means the problem could affect everyone in
those states, not just TurboTax users.

~~~
davis_m
Fraudulent tax refunds are a huge issue that the IRS has not kept up with.
The IRS itself estimates it paid $5.2 billion to identity thieves[1].
Protecting taxpayers without creating too much of a hurdle to tax paying is a
very hard problem to solve.

[1] [http://time.com/money/3419136/identity-theft-social-security...](http://time.com/money/3419136/identity-theft-social-security-number-tax-return/)

~~~
spiralpolitik
It's an easy problem to solve but the solutions (Estonia style national
identity cards or a flat PAYE tax on all forms of income) are not politically
viable in the US.

~~~
pjc50
Why is PAYE unviable? It wouldn't have to be flat.

~~~
spiralpolitik
Because there is an entire industry, of which Intuit is part, that profits
off the complexity of the current tax system. Simplify the system and profits
go down.

HR Block was caught lobbying against simplification of the tax system for this
very reason.

------
Potando
If people can anonymously get money from refunds, doesn't that mean they're
also using a fake ID to open their bank account, meaning the bank is being
negligent and not "knowing its customer"? Or does the IRS pay people with
cash?? Something's missing here.

------
mark-r
Maybe somebody's figured out an automated way to harvest the data from
infected individual PCs? Then they use that information to file new returns.

~~~
ryanlol
Not sure if you're being sarcastic, but there have been bots doing this for
well over 10 years now.

~~~
mark-r
No, not being sarcastic - this is the first I've heard of it. And if it's been
going on already, what turned it into a bigger problem all of a sudden?

~~~
ryanlol
Just trends in the cybercrime world, and the increased publicity.

------
nodesocket
Why doesn't the IRS issue pin codes to every registered social security number
or entity? They don't even have to mail the pins. A simple web portal, where
you log in, enter your SSN or EIN and it sends the pin via SMS or e-mail. Pins
reset every year.

~~~
munin
what about the people who don't have internet access?

edit: I'm also pretty sure the IRS and e-tax filers already do this for (edit:
electronically filed) Federal returns, there it makes sense because if you're
e-filing already, you can deal with a website for a PIN.

if you file without a PIN, they request more identifying information from you
later, via mail.

~~~
leesalminen
You can also call 211 (United Way) in your area to see if you qualify for My
Free Taxes.

[http://www.myfreetaxes.com/](http://www.myfreetaxes.com/)

