TurboTax resumes e-filing following torrent of fraudulent tax returns
Naked Security Naked Security

TurboTax resumes e-filing following torrent of fraudulent tax returns

TurboTax, a popular tax app, recommenced on Saturday after having taken security measures that include multifactor authentication.

TurboTax, still from Intuit YouTube videoIntuit, the makers of the popular TurboTax app, stopped the e-filing of all state tax returns in the US on Thursday due to a surge in fraudulent filings but then recommenced on Saturday after having taken security measures to help clean up the mess.

The filing freeze came after several states refused to accept the returns after seeing a deluge of phony filings.

Utah, the first state to reach out to Intuit, issued a statement on Thursday, saying that the state tax commission had discovered 28 fraud attempts that “originate from data compromised through a third-party commercial tax preparation software process,” as well as 8,000 returns flagged as potentially fraudulent.

According to Utah’s state tax commission, as of Thursday, 18 other states had identified similar problems.

Intuit said in a press release on Friday that an ongoing investigation hasn’t yet turned up evidence that its own systems had leaked the stolen information that’s being input into the bad returns.

Rather, preliminary findings are indicating that the identity details were squeezed from external sources.

That could be any number of sources.

Intuit said on Thursday that it was working with state agencies to address growing concern over state tax fraud, which, together with improper payments, takes a $5 billion bite out of revenue every year, according to the Internal Revenue Service: an estimate that’s growing along with the rise of cyberfraud.

As of 3 pm PST on Saturday, TurboTax was back filing state returns.

To do that, it plugged in several security measures, one of which was multifactor authentication.

Multifactor or two-factor authentication (2FA) is a good stumbling block for identity thieves.

Most online 2FA systems work by asking for your username and password, which may stay the same for weeks, months or years, and then asking you for a passcode that changes every time you login.

Your passcode might come from a dedicated security token that displays a sequence of numbers that changes every minute, or you might receive a text message on your mobile phone with the passcode in it.

To read more about the hows and whys of 2FA, check out Chet Wisniewski’s recent post: The power of two – All you need to know about two-factor authentication.

Not all US states require tax returns to be filed. Intuit says that filing of federal returns wasn’t affected.

The state of Minnesota was one of the states that had stopped accepting TurboTax state returns.

A spokesperson for the Department of Revenue there said that the agency had resumed accepting e-filings from TurboTax on Saturday, following Intuit’s announcement that it had taken steps to combat the fraud.

The state’s recommendation for worried taxpayers was don’t worry about it: we’ll call you if we spot a problem, spokesperson Janelle Tummel said:

If you already filed your return using TurboTax, you do not need to do anything. We will review your return and contact you if we identify issues.

To assist customers who believe they’re victims of tax fraud, Intuit has set up a dedicated toll-free number, 800-944-8596, with direct access to specially trained identity protection agents who can provide support and filing assistance.