Ian Lamont

The Digital Media Machine

Putting too much trust in TurboTax

I have been a user of the TurboTax Web-based service for about four years now. I have found it to be quite convenient and easy to use. But working at Computerworld, and regularly reading articles about retailers, government agencies, and universities losing or leaking personal data of ordinary citizens, I have always had a niggling worry at the back of my mind: How well does Intuit (the parent company of TurboTax) protect my data, and the data of millions of other customers? We have a great deal of faith that this private company is treating some of our most important personal data -- social security numbers, birthdates, salaries, charitable giving, and addresses -- with the utmost care.

Yet when I calculated my taxes last week using TurboTax for the Web, I hesitated when I was given the option of having our federal and state refunds deposited directly to our bank accounts. Part of the reason is I like to have paper records of every interaction with the federal government, but the other reason is I did not feel comfortable giving Intuit yet another piece of critical personal information -- bank account numbers and routing information. This is despite the TurboTax prompt that said "Rest assured, your data will be kept safe".

I was right to be reluctant. It turns out that our data was not kept safe. A woman in Nebraska reports that she was able to access the tax records of other people having the same last name, and see social security numbers and bank information:

In her laptop, Jennifer discovered a key to the backdoor of some tax returns filed online through Turbo Tax.

A Turbo Tax customer herself, Jennifer attempted to access some past filings, and the route she took online opened returns for several others with the same last name, but different first initials.

For security reasons we're not revealing the common last name or how Jennifer inadvertently gained access to three other Turbo Tax accounts.

She was able to access tax returns for three Turbo Tax customers she never met in different parts of the country.

There on her screen, everything needed for electronic filing from bank account to routing digits and of course social security numbers.

The Intuit spin masters have attempted to portray this as an isolated incident, but I don't believe it for a moment. The fact of the matter is the company has no idea how many of its customers may have had their information revealed to other customers -- or thieves. And if a customer was able to uncover this flaw, how many other as-yet unreported flaws are still affecting the TurboTax software? The Slashdot thread has been withering in its criticism of TurboTax, blaming everything from the IRS' E-File program to incompetent developers, but at least one person claims that he noted poor TurboTax security practices earlier in the year and tried to report them to the company.

Additionally, TurboTax is not the only "trusted" organization that has exposed sensitive records on the Web. Honeywell International, the U.S. Navy, the Better Business Bureau, and AOL have all been caught posting sensitive information on websites they control. Many more cases are listed here.

So, what do I and other TurboTax customers do next? While I was prudent to not reveal my bank information to TurboTax, they still have many other keys to the castle which could conceivably be used for identity theft. It's clear from Intuit's public statements that they really don't know how many people were affected, and chewing out a customer service rep wouldn't do much good. Instead, I'll have to go to the big credit agencies -- Experian, TransUnion, and Equifax -- and see if there are any signs of identity theft. The credit agencies, in my view, are part of the ID theft problem in this country, and have the gall to charge consumers for "protection" services to prevent strangers from abusing their own personal information. However, in my state they are required to give free credit reports every year to residents who request them -- and that's what I'll be doing now.

What People Are Saying

Trust-index for Turbo Tax

Check out the trust index of Turbo Tax at www.trust-index.com

Trust-index

You can add any item you want to be rated by people all over the world. Express your trust, and check out what others think about.

Well this is all very

Well this is all very interesting as I used Turbo Tax on-line for the first time, at the very time you all posted your comment above (April 2007) to do my 2006 taxes... And now as I just approached the deadline yesterday (April 15, 2008) to do my 2007 income taxes the same way on-line through Turbo Tax, I come to find someone had stolen my identity and filed my taxes for me back in January of this year. To top it off at the twelfth hour yesterday, I was dealing with the WORST Turbo Tax customer service, on the phone for three hours straight (the majority of the time on hold), and then they finally told me to go mail my taxes, after it was already past five o'clock to make a local mailbox. I had to drive 60 miles, and I told the rep a million times if we wasted all this time to get nowhere and they tell me to go mail my taxes when it is already too late, that I would be even more upset. The guy assured me it wouldn't happen, that the outcome they were seeking was solely in my favor, and they'd be able to get my taxes electronically to the IRS. It was all BS, they were just trying to find ways to not look responsible for the situation. Worst experience. What I have ahead of me now is even more daunting. I'd never use Turbo Tax again, and even more so because of the way their rep, Marshall Anderson, very rudely handled the situation. Someone has all my personal info because of their security issue. And their security department was supposed to contact me first thing this morning and never did...

Tax Preparation Suggestion

I am terribly sorry to hear about those of you who have had to endure identity theft. Please do not let this experience poison your view of e-commerce applications. I'm a software developer myself, so I know how much work goes into building security for these systems.

As for tax preparation, I really love OnePriceTaxes. They are the cheapest site that I have found ($9.95 for federal & state) and their customer service is fantastic. Any questions I had about my tax return were answered within 1 business day. I'd highly recommend giving them a try.

http://www.onepricetaxes.com

How reliable is such

How reliable is such a resource regarding the safety of our important business information? Even if the company is 100% reliable, there are risks of their systems being hacked or something else which the online servers always risk. So I prefer a stand-alone application that will run in my computer or in my network.
-mark
accountant
USA Wholesalers and Dropshippers

I am a victim of identity

I am a victim of identity theft from using TurboTax online. I can prove it and I'm going to open up a lawsuit against Intuit and the individual who is using my identity. The individual who stole my identity has the same last name as me and is opening credit in my name using all of my personal information. I'm a victim of the backdoor glitch.

I disagree with the TaxAct

I disagree with the TaxAct recommendation. I have tried it and it does not catch all of the mistakes like Turbo Tax does. Just buy the Turbo Tax and do it at home on your own computer and send it in.

Everybody wants it NOW and that is part of the problem. Stop exposing your info on any web sites.

If I purchase on-line, I use the Discover card secure numbers. If the number is stolen, it cannot be used - they are only good for one use.

People need to stop and use their heads when on-line. I am amazed at how many don't keep an updated anti-virus, firewall, both hardware and software, and a spyware protection these days.

Just my 2 cents' worth.
FYI

Try TaxAct, it's free and

Try TaxAct, it's free and you can print out a paper return if you want.

A lot of people will space

A lot of people will space out their free annual credit reports from the three agencies: get one every four months instead of all three at once. That way people who aren't "high-risk" (know they've had an exposure or previously been ID theft victims) can maximize their free coverage.

(I'm an ID theft victim; I shell out for the full-time coverage. It's very useful when you're trying to clean up the mess left by an ID thief, to be able to access your updated credit reports whenever you need to.)

I have to take issue with

I have to take issue with the contention that getting a free credit report once a year is enough to safeguard one from identity theft - that would give a miscreant months and months to set up false accounts. It is bad advice. I spend $9.95 a month on a credit protection service sold by a major bank. It gives me an immediate email when there is a change in my credit status with any of the agencies, and its counselors actually have lots of unpublished tricks and telephone numbers that can help one keep the credit agencies in check. It is 2007 - be proactive, nipping it in the bud can prevent double agony and thousands of dollars in expenses.