Reports of TurboTax Breach Greatly Exaggerated
According to Intuit, owner of TurboTax, reports of a data breach have been exaggerated.
Numerous news outlets recently reported that an unknown number of TurboTax accounts had been compromised as a result of a wave of credential stuffing attacks. Such attacks make use of credentials stolen from other websites and re-used on the TurboTax website.
"Intuit's systems were not compromised," spokesman Rick Heineman said.
He explained that Intuit notified one Massachusetts customer that their account had been locked following the discovery of what appeared to be an attempt at unauthorized access.
"We then shared a copy of that notification with local law enforcement," he told TechNewsWorld.
When Intuit fraud prevention teams detect an attempted or successful login to an Intuit account using credentials harvested from third-party sources, Heineman noted, the company immediately disables access to the account, notifies the customer, requires the account owner to undergo identity verification, and requests that their credentials be changed before the account can be accessed again.
"Intuit employs sophisticated real-time fraud prevention processes — including at the login and in-product levels — to flag any perceived anomalous behavior," he explained.
He added that the company has implemented a number of organizational, technical, and administrative controls across its products and services to safeguard customer information. These capabilities include multi-factor authentication, encryption, and robust logging, monitoring, and blocking.
Profitable Strategy
According to Bleeping Computer, Intuit notified TurboTax customers on Saturday that some of their personal and financial information had been accessed by attackers in what appears to be a series of account takeover attacks.
On Monday, TechRadar published a similar report, stating that Intuit, a financial software company, had notified users of its TurboTax platform that attackers gained access to some of their personal and financial information in what appeared to be a series of account takeover attacks.
A credential stuffing attack on a site like TurboTax could be extremely lucrative, according to James McQuiggan, a security awareness advocate at Clearwater, Fla.-based KnowBe4, a cybersecurity training provider.
"It grants access to the user's personal information, tax information, and, of course, their social security numbers and possibly those of their immediate family," he told TechNewsWorld.
"With over 8.4 million passwords in circulation and over 3.5 billion of those passwords associated with actual email addresses, it provides a jumping-off point for cyber criminals to target various online businesses that rely on customer accounts," he continued.
"When users create accounts using previously exposed passwords, they make it simple for cyber criminals to steal their data," he explained.
"Conducting credential stuffing attacks is simple, low-risk, and can result in a high return on investment," added Leo Pate, an application security consultant with nVisium, an application security provider based in Herndon, Va.
"From a criminal standpoint, many platforms lack robust security controls such as multi-factor authentication, or users simply do not use them when they are available, resulting in a higher rate of successful compromise," he told TechNewsWorld.
Use Unique Passwords
Despite warnings against password reuse, consumers continue to do so. "Old habits are difficult to break," McQuiggan observed.
"For instance," he continued, "individuals dislike creating unique passwords for each account. They prefer to use one that is easy to remember or to add a variation to it, such as a different phone number or website name."
"Consumers today utilize a plethora of online services. Keeping a unique, strong password for each service in one's head is nearly impossible due to the disparate complexity and length requirements for each service, as well as the sheer volume of services consumed," added Ben Eichorst, principal engineer at Yubico, a manufacturer of USB and wireless authentication solutions based in Palo Alto, Calif.
He told TechNewsWorld that recent research indicates that 51% of IT security respondents have encountered a phishing attack, while another 13% have encountered credential theft. Despite this, only 53% of IT security respondents report that their organizations have altered the way passwords or protected corporate accounts are managed.
"Intriguingly," he continued, "individuals reuse passwords for an average of 16 work accounts, while IT security respondents reuse passwords for an average of 12 work accounts."
Protecting Users and the Business
Alexa Slinger, an identity management expert with OneLogin, a San Francisco-based provider of cloud-based identity and access management solutions, noted that as the number of data breaches increases, the number of stolen credentials increases as well.
"Despite widespread media coverage of data breaches, users continue to reuse passwords, endangering organizations," she told TechNewsWorld. "Organisations should strengthen their security measures in order to protect their users and their business."
These measures could include the following:
• Restricting the number of authentication requests allowed per session to slow credential stuffing bot attacks.
• Suggesting or requiring multi-factor authentication, which requires the bad actor to have a secondary method of identification in addition to the stolen credential.
• Using a compromised credential check to alert users and prevent them from logging in with compromised credentials.
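The three measures in the list above, worked through as a small Python login gate. This is an added example, not code from the article or from any vendor quoted in it; the user table, the list of leaked passwords, the limit of five attempts per session, and the hashed-prefix lookup that stands in for a breach-check service are all constructed assumptions.

```python
"""Login gate combining per-session attempt limiting, a compromised-credential
check and an MFA step-up. Added example with constructed data."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed breach corpus: SHA-1 digests of a few passwords assumed to be leaked.
# A real deployment would consult a breach-check service or a locally mirrored list.
LEAKED_PASSWORDS = ["password123", "qwerty", "letmein"]
BREACH_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PASSWORDS}


def range_lookup(prefix5: str) -> Dict[str, int]:
    """Stand-in for a hashed-prefix (k-anonymity style) range query: given the
    first five hex characters of a SHA-1 digest, return {suffix: count} for every
    leaked digest that shares the prefix. Counts here are constructed."""
    return {h[5:]: 1 for h in BREACH_SHA1 if h.startswith(prefix5)}


def is_compromised(password: str) -> bool:
    """Only the 5-character prefix leaves the process; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


@dataclass
class Session:
    attempts: int = 0


@dataclass
class User:
    username: str
    password_hash: str          # constructed: SHA-256 for brevity; use argon2/bcrypt in practice
    mfa_enrolled: bool = False


MAX_ATTEMPTS_PER_SESSION = 5   # assumed limit; tune to the service's traffic

# Constructed user table.
USERS = {
    "alice": User("alice", hashlib.sha256(b"correct horse battery staple").hexdigest(), True),
    "bob": User("bob", hashlib.sha256(b"password123").hexdigest()),
}

_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def attempt_login(session: Session, username: str, password: str,
                  mfa_code_ok: Optional[bool] = None) -> Tuple[str, List[str]]:
    """Return (client-visible status, server-side actions).

    Statuses: 'rate_limited', 'invalid', 'step_up', 'ok'. A leaked-but-correct
    password produces the same 'step_up' status as an MFA challenge, so the
    response alone does not confirm to a stuffing bot which guesses were right.
    """
    session.attempts += 1
    if session.attempts > MAX_ATTEMPTS_PER_SESSION:
        return "rate_limited", []

    user = USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Compare against a dummy hash when the user is unknown so timing is uniform.
    expected = user.password_hash if user else _DUMMY_HASH
    if not secrets.compare_digest(supplied, expected) or user is None:
        return "invalid", []

    actions: List[str] = []
    if is_compromised(password):
        # Correct credential, but it is known to be leaked: lock, notify, force reset.
        actions += ["notify_user", "require_password_reset"]
    if user.mfa_enrolled and not mfa_code_ok:
        actions.append("require_mfa")
    return ("step_up", actions) if actions else ("ok", [])


if __name__ == "__main__":
    s = Session()
    print(attempt_login(s, "bob", "password123"))     # ('step_up', ['notify_user', 'require_password_reset'])
```

The compromised-credential check runs only after the password has verified, so the service never reveals whether an unverified guess appears in the breach list, and the server-side actions list, rather than the client-visible status, is what drives the lockout, notification and forced reset.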
Consumers have recently begun receiving alerts when one of their passwords is discovered in a cache of stolen data. "Users who have adopted the practice of storing and generating passwords via a secure password manager may receive notifications of known breaches," Eichorst said.
"One of the primary benefits of a password manager is that it notifies you when one of your online accounts is compromised," added Chris Hazelton, director of security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.
"It may also automate the password change process, allowing you to respond more rapidly following a breach," he told TechNewsWorld.
Eichorst continued by stating that individual businesses with an online presence are enhancing their password checking processes to prevent the use of known leaked passwords.
However, this is not yet a widespread practice. "While notification is more common, those notifications provide only guidance and do not prevent users from continuing to use compromised passwords," noted David Stewart, CEO of Approov, a company based in Edinburgh, UK that performs binary-level dynamic analysis of software.
"Consideration should be given to whether users should be denied access to services until a compromised password is updated," he told TechNewsWorld. "While this is extremely rare at the moment, it appears to be a reasonable course of action."
Consumers concerned about their passwords being compromised can also take a proactive stance by conducting a password check on the HaveIBeenPwned website, which tracks email addresses and phone numbers exposed in data breaches over the last fifteen years.