Grant Gross | Washingtonexaminer.com
Recent reports of a leak of customer data at TurboTax serve as warnings for users of online services.
The warning is that people should not use the same password across multiple websites, especially with services like TurboTax that contain sensitive information, including Social Security numbers and financial records.
In mid-June, multiple news outlets reported a data breach at TurboTax, the tax preparation software vendor. The reports came after parent company Intuit notified one customer and the state of Massachusetts that hackers had tried to access the account of the single TurboTax user. TurboTax reported a similar event in early 2019.
The attempt to access the TurboTax account appears to have happened when the TurboTax customer used the same password for the tax preparation software that he or she used at another site that was previously compromised. TurboTax locked the account after noticing strange behavior and notified the customer with instructions on how to restore access, a company spokesman said.
“There was no data breach,” the spokesman added.
Still, cybersecurity experts said the incident illustrates the importance of not reusing passwords.
Customer data held by TurboTax and similar services is the “holy grail” for hackers, said Saryu Nayyar, CEO of security analytics vendor Gurucul.
“Armed with Social Security numbers and associated personally identifiable information, criminals can quickly open credit card accounts and a host of other accounts and shop till they drop all on the victim’s identity,” she said. “And the cleanup to clear one’s name is painful and continuous.”
In addition, Social Security numbers can be used to collect benefits and tax refunds, buy products, collect insurance payments, and open credit accounts, noted David Clark, partner at the Clark Law Office in Michigan.
Clark recommended that when people are notified of a compromise of Social Security numbers and other personal financial data, they should file reports with the police, the IRS, the Federal Trade Commission, and the Social Security Administration for possible identity theft.
To prevent such incidents, passwords should never be reused, especially with accounts containing financial data, and customers should change passwords after every breach notification, Nayyar said.
Customers are tempted to reuse passwords because it’s difficult to remember them all without a password manager, experts noted.
“It is almost impossible to create and manage unique passwords for each of the services that a consumer uses,” said Purandar Das, co-founder at Sotero, an encryption-based security vendor. “It is physically and mentally hard to manage a phalanx of passwords. This leads to password fatigue.”
Password managers are a good solution, added Steven Weisman, a college professor focused on white-collar crimes and the author of the Scamicide blog. Password managers allow people to use one master password, giving them the option to have more complex passwords for the websites they visit.
Weisman also urged websites to require multifactor authentication so that a password compromise on its own won’t allow hackers to access customer data.
Multifactor authentication means that “in order to access your account, another confirmation is necessary, most commonly with a number sent to your cellphone to use to access your account in addition to your password,” he noted.
Das agreed that multifactor authentication is an important step forward.
“Passing the blame on to the consumer is not acceptable,” he said. “It is just not feasible nor sustainable to push the onus on consumers to create and manage tens if not hundreds of passwords.”
TurboTax’s spokesman noted that the service does deploy multifactor authentication, encryption, and “robust” logging and monitoring capabilities.
Parent company Intuit “undertakes robust, real-time fraud prevention processes, including at login and in-product, to flag any perceived anomalous behavior,” he said.
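The kind of login monitoring the article describes, as an added example that is not Intuit's or TurboTax's code: it scans constructed login events for a source trying many accounts in a short window (the signature of reused-password testing) and for a successful login from a source the account has never used, which is the case a service should lock and notify on. The event fields, thresholds and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample login events (assumed schema; not real TurboTax telemetry).
# One source works through several accounts; the reused password for "alice"
# succeeds on a device and address her account has never used before.
SAMPLE_EVENTS = [
    {"ts": 0,   "user": "alice", "ip": "10.0.0.5",    "device": "dev-a1", "result": "ok"},
    {"ts": 10,  "user": "bob",   "ip": "10.0.0.6",    "device": "dev-b1", "result": "ok"},
    {"ts": 100, "user": "carol", "ip": "203.0.113.9", "device": "dev-x",  "result": "fail"},
    {"ts": 101, "user": "dave",  "ip": "203.0.113.9", "device": "dev-x",  "result": "fail"},
    {"ts": 102, "user": "alice", "ip": "203.0.113.9", "device": "dev-x",  "result": "ok"},
    {"ts": 103, "user": "erin",  "ip": "203.0.113.9", "device": "dev-x",  "result": "fail"},
]


def detect_login_anomalies(events, window=300, min_accounts=3):
    """Return (stuffing_sources, suspicious_logins).

    stuffing_sources: IPs that attempted at least `min_accounts` distinct
    accounts within `window` seconds, successful or not.
    suspicious_logins: successful logins from an (ip, device) pair the account
    has no prior successful login from; reason is "stuffing" when the source
    is also a stuffing source, otherwise "new-device". The action column is
    what the article says the service did: lock and notify.
    """
    ordered = sorted(events, key=lambda e: e["ts"])

    attempts_by_ip = defaultdict(list)  # ip -> [(ts, user)], any result
    for e in ordered:
        attempts_by_ip[e["ip"]].append((e["ts"], e["user"]))

    stuffing = set()
    for ip, tries in attempts_by_ip.items():
        for i, (t0, _) in enumerate(tries):  # sliding window from each attempt
            users = {u for t, u in tries[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                stuffing.add(ip)
                break

    known = defaultdict(set)  # user -> {(ip, device)} seen on successful logins
    suspicious = []
    for e in ordered:
        if e["result"] != "ok":
            continue
        key = (e["ip"], e["device"])
        if known[e["user"]] and key not in known[e["user"]]:  # needs a baseline
            reason = "stuffing" if e["ip"] in stuffing else "new-device"
            suspicious.append({"user": e["user"], "ip": e["ip"], "device": e["device"],
                               "reason": reason, "action": "lock-and-notify"})
        known[e["user"]].add(key)
    return stuffing, suspicious
```

A first-ever successful login has no baseline and is not flagged, so the check only fires once an account has an established device history.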