UPDATE: This story has been updated with commentary from Intuit.
Intuit last Thursday suspended its Turbo Tax e-filing service after a dramatic increase in suspicious filings and criminal attempts to leverage stolen identities in order to claim tax refunds. Intuit has since restored Turbo Tax and says it has no evidence suggesting that the fraudulent returns resulted from a breach of Intuit systems.
Turbo Tax is a popular online federal and state tax filing platform. Broadly speaking, the filing deadline for federal and most state-taxes is on or shortly after April 15. Many U.S. citizens begin receiving their tax-filing forms in January and February, which means that Intuit suspended Turbo Tax in the height of filing season.
Thursday’s suspension only affected users who had recently filed their state tax returns or those who attempted to file state returns during the downtime. Intuit did not stop transmitting federal returns.
On Friday, Intuit published a press release explaining that it was working with state agencies and the security firm Palantir to address growing concerns about tax fraud. In what Intuit described as a “precautionary step,” the company temporarily suspended its transmission of state tax returns.
Intuit claims that Palantir’s investigation of incidents revealed that the information used to file fraudulent returns was acquired from sources outside the tax preparations process.
Intuit suspended its Turbo Tax e-filing service last week amidst an uptick in fraudulent returns via @ThreatpostTweet
“We understand the role we play in this important industry issue and continuously monitor our systems in search of suspicious activity,” said Brad Smith, Intuit president and chief executive officer. “We’ve identified specific patterns of behavior where fraud is more likely to occur. We’re working with the states to share that information and remedy the situation quickly. We will continue to engage them on an ongoing basis in an effort to stop fraud before it gets started.”
By Friday evening, Intuit had resumed transmitting state returns.
It’s not currently clear what led to the uptick in fraudulent tax returns, though there is no shortage of possibilities. First and foremost, there is the worst-case scenario that hackers compromised Intuit’s Turbo Tax service, though Intuit claims this is not the case. It’s entirely possible that the victim’s of this year’s fraud filed on malware infected computers last year and had their filing data monitored by a keylogger and ultimately stolen. Simpler yet, it’s possible that these tax-fraud victims were also the victim’s of password stealing malware that enabled the attackers to simply log into their Turbo Tax accounts. It’s also worth noting that vast stores of sensitive information have been stolen in various data breaches over the last year. Criminals could have used information from prior data breaches — not limited to Social Security numbers and shared credentials — to fraudulently file state returns on behalf of their victims.
What remains unclear at that moment is how the reported uptick in tax fraud has affected other e-filing services. USA Today is reporting that Turbo Tax’s primary competitor, H&R Block, has not seen an uptick in fraud and has no plans to suspend its service.
To combat further fraud, the company has implemented a multi-step authentication process that should help prevent fraudulent log-ins via weak or otherwise compromised passwords. They’ve also set up a dedicated toll free number to assist customers who believe they may have become the victims of tax fraud.
An Intuit spokesperson told Threatpost that tax fraud is an industry wide problem while offering the assurance “the privacy and security of [their] customers’ data is the top priority.”