Petronella Blog Archive


Preventing TurboTax Fraud


The fraud perpetrated against Intuit's popular TurboTax software has been documented, but could more have been done to prevent it in the first place?

With 29 million users, TurboTax is the leader in tax return software, and yet it could be argued that they have failed to take the lead in customer security.  Though they have taken some steps, there's a lot more that could be done.  Let's take a look at some measures that, though they wouldn't necessarily have wiped out the problems, could certainly help.

Account Change Notices

This one seems like a no-brainer, but no notice was given if account details had been changed.  Many websites will now automatically email a user if anything has been changed.  This usually includes a link to log into your account or report the change to a website admin.  To their credit, Intuit has announced that this feature will be added soon.

Email Validation

Email validation is the simple process of sending an email to the address given when signing up for an account to make sure it is a legitimate address.  Two whistleblowers who outed Intuit's problems reported that the lack of email verification led to issues such as customers requesting an email reset and being shown multiple accounts their address was tied to.  Intuit says they've fixed that particular issue and plan to add validation and/or security questions soon.

Phone Validation

Just as TurboTax hasn't required a valid email address, they also haven't required a valid phone number.  This technique, which Google, Facebook and other websites use, sends a code to a phone number, usually via text, which the user then enters to complete the registration process.  Getting around this system would increase costs for hackers, making the fraud less appealing.
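The email and phone checks described above rest on the same mechanism: a short-lived, single-use code sent to the contact point and confirmed by the user. The sketch below is an added example, not Intuit's code; the class name, the 10-minute lifetime and the five-attempt limit are assumptions, and delivery of the code by email or SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the code is burned (assumed)


class ContactVerifier:
    """Tracks pending one-time codes per (account, email or phone) pair."""

    def __init__(self, clock=time.time):
        self._pending = {}      # key -> [salt, digest, expires_at, attempts_left]
        self._verified = set()
        self._clock = clock

    @staticmethod
    def _digest(code, salt):
        # Only a salted hash is stored, never the code itself.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id, contact):
        """Create a 6-digit code; the caller sends it to `contact`."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[(account_id, contact)] = [
            salt, self._digest(code, salt), self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def confirm(self, account_id, contact, submitted):
        """Return True once, for the right code, before expiry or lockout."""
        key = (account_id, contact)
        entry = self._pending.get(key)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[key]          # expired or guessed too often
            return False
        if hmac.compare_digest(digest, self._digest(submitted, salt)):
            del self._pending[key]          # single use: no replay
            self._verified.add(key)
            return True
        entry[3] -= 1                       # count the failed attempt
        return False

    def is_verified(self, account_id, contact):
        return (account_id, contact) in self._verified
```

Because verification is recorded per account and contact pair, an address that was merely typed into a sign-up form never counts as belonging to that account until the code comes back.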

Personal Information

A common security measure on banking and other financial websites is one that asks questions based on information found on credit reports, such as past addresses and information about family members.  Information like this can be a little harder for hackers to mine.  Intuit has said they plan to implement this as well.  While it's too late for existing customers to do this when signing up for their accounts, Intuit is implementing this method when customers go through any kind of account recovery process.

Intuit is taking some good steps towards making TurboTax less susceptible to fraud, but there is still room for improvement, and since many of these methods are pretty common now, it is fair to level some criticism at them for not implementing them sooner.  As the leader in tax return software, it is hoped that Intuit will do all they can to make tax returns as safe as possible for their customers and that the rest of the industry will follow that lead.