How Congress enables fraudulent TurboTax e-filing for stealing tax returns

Crooks are stealing tax refunds, and Washington is as much to blame as Intuit.

This is certainly not Intuit's year, although it's hard to feel sorry for a company whose wounds are self-inflicted. First came the uproar over charging for what had previously been free features. Now the issue of crooks stealing the refunds rightfully owed to other people is coming to a head.

The problem has been known for a while, but it exploded 2,300% last year. Several states stopped taking e-filings from TurboTax due to hoaxers stealing the refunds. And it's not chump change, either. The Government Accountability Office (GAO) reports that in the 2013 filing season, the IRS blocked $24.2 billion in fraudulent refund requests and paid out another $5.8 billion in refunds that later proved fraudulent.

Vox has an incredible story documenting all of this. It said the blame lies both with Intuit for turning a blind eye to the thefts and with Congress for failing to address a theft problem that has been around for years. Then again, Congress is so gridlocked it doesn't really address anything, so the tax refunds are hardly an exception.

The Vox article points out that it is very easy for criminals to use TurboTax to steal refunds because our tax system doesn't have any reliable way of verifying people's identities. It sends checks and doesn't realize that a return was fraudulent until weeks or even months later.

Crooks use TurboTax in one of two ways. Either they get their hands on a person's basic identity information, such as a Social Security number, address, and date of birth, which is a lot easier these days with so many data breaches, or they obtain a victim's TurboTax username and password. Again, breaches help because people are lazy and often use the same username and password all over the place. So it's probably not a good idea to use your Gmail username and password in TurboTax.

Competitors H&R Block Tax Software and TaxAct's TaxAct software are just as vulnerable, but given their minuscule market shares, the crooks haven't bothered. It's the same reason the Mac evaded malware for so long; the platform was too small for the bad guys to bother.

Former Intuit programmer Robert Lee told Vox he had found "literally millions of accounts that were 100 percent used only for fraud, but management explicitly forbade us from either flagging the accounts as fraudulent or turning off those accounts."

Users can protect themselves with strong passwords and two-factor authentication, but the IRS needs to do something as well, as it basically makes no attempt to verify the return, and the info it needs doesn't arrive from employers until months after the April 15 deadline. So it can't even compare a 1099 from an employer against a fraudulent filing.

Personally, I'm more inclined to go with a TurboTax-side solution, like two-factor authentication, because if you wait for the government to fix it, Godot will arrive first.
