TurboTax, Not So Turbo After All
Posted by Pedro Martinez
I’ve started receiving emails from Intuit’s TurboTax service. This was very strange, especially because I have not used their service this year. The email was addressed to RAMON MARTINEZ. Obviously we both share the same last name, but RAMON is nowhere near PEDRO when it comes to spelling. Regardless, I’m now receiving all his tax information online, and could potentially change his Intuit account password and do some damage. So much for online security.
The first email arrived on May 6th. I immediately tried to contact Intuit by replying to the first two emails, but both of them bounced back to me since they were sent from unmonitored accounts. That is typical for online notifications. I received a few more emails the following day, mostly confirming transactions and providing some other account-related information. Finally I contacted Intuit’s sales team via online chat, where someone outside of the U.S. by the name of Jasmine greeted me. The person could not help me because, according to her, technical support is managed from the U.S. I was then transferred to a rep in the U.S.; she introduced herself as Marie. I went on explaining the security breach to her, but after I gave her a few details, she told me she couldn’t help either.
This is totally wrong and it shouldn’t have happened. Online security must be the first priority for financial institutions, period.
First, when opening the account, an email should be sent to the user’s email address. This email should include a confirmation link for account validation, and the account should only go active after the validation process is complete. Second, the same validation process should apply to any major account detail change, such as a new email address. This creates another layer of security. Finally, all departments in Intuit should be trained on how to handle claims such as mine, in an effort to cut off possible security breaches or simply for PR purposes.
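The validation flow described above, as an added example that is not Intuit's code: an account stays unverified until a single-use, expiring confirmation token is presented, an email change goes through the same step before the new address takes effect, and notifications are only ever sent to a confirmed address. The 24-hour token lifetime is an assumed policy.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed policy: confirmation links expire after one day


class AccountStore:
    """Minimal double-opt-in model (illustrative example, not a real product's code)."""

    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}  # user_id -> {"email": str, "verified": bool}
        self.pending = {}   # sha256(token) -> (user_id, email, expires_at)

    def _issue_token(self, user_id, email):
        # Only a hash of the token is stored; the clear token goes out in the email.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user_id, email, self.now() + TOKEN_TTL)
        return token

    def register(self, user_id, email):
        # New accounts start unverified; a mistyped address never gets activated.
        self.accounts[user_id] = {"email": email, "verified": False}
        return self._issue_token(user_id, email)

    def request_email_change(self, user_id, new_email):
        # Same validation step for a major account change; the old address
        # stays in effect until the new one is confirmed.
        return self._issue_token(user_id, new_email)

    def confirm(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first try
        if entry is None:
            return False
        user_id, email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.accounts[user_id] = {"email": email, "verified": True}
        return True

    def can_notify(self, user_id):
        # Transaction notifications are only sent to a confirmed address.
        acct = self.accounts.get(user_id)
        return bool(acct and acct["verified"])
```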
I should have never received those emails. This is a flaw in Intuit’s system or process.
Now that I have been through this experience, I’m changing all my passwords for my Intuit services and will think twice before using their services or buying their products; that includes Mint.com.
Pedro… Thanks for sharing this and allowing us to respond. Contrary to what you suggest, this is not a security breach. This situation happened because one of our customers inadvertently misspelled his email address (not once, but twice, since we require confirmation of their email address). We never communicate sensitive personal financial information in any of our email notifications (for security reasons). The notification above tells you when the return was received, the expected acceptance date and the expected date of refund. That’s it. Additionally, this information along with the customer’s email address will not give you access to their TurboTax Online account. All TurboTax Online accounts are protected by a unique user ID and password.
I apologize that your efforts to bring this to our attention through normal channels were unsuccessful. I will follow up by contacting the affected customer and having him or her provide us with their correct email address.
Bob Meighan
VP, TurboTax
Bob,
I’m glad this post caught the attention of Intuit; that was the intent, as I understand the power of social media and SEO. I’ve received a few other emails, as you probably could track by looking at Ramon’s account activity log. These, in the hands of another CISSP and CISA professional such as myself, could have simply given enough material to spoof a few emails and get additional information from RAMON; so your statement that it is not a security breach is a matter of opinion… in my opinion. The customer could have misspelled the account 5 times, even 20 times. Regardless of how many times it was done, a simple email verification process (industry standard, best practice at least) could have prevented such a “non-security-breach.”
I commend you for the proactive approach to addressing the concern here, following up with my report and responding to this post.
Best regards,
-Pedro