TurboTax ATO Attack Foretells Serious Wave of Financial Fraud

Credential stuffing against one of the world’s largest online finance applications yields a treasure trove of data.

Another serious account takeover (ATO) attack hit the news on June 15 when cybercriminals went after customers of Intuit, one of the world’s largest online finance and accounting software companies. Numerous users of the TurboTax tax preparation software received notices that their accounts might have been taken over by fraudsters. Intuit is the parent company of TurboTax, QuickBooks, Mint, and CreditKarma. TurboTax is the leading online tax filing software, serving millions of customers. Across all its properties, Intuit serves over 100 million customers worldwide as of May 2021.

I am an Intuit customer. Fortunately, I have not been notified that my account was impacted. But I am still nervous because this attack ups the ante on previous attacks. The cybercriminals obtained not just personally identifiable information (PII) like name, address, date of birth, and social security information, but also information about income and investments. TurboTax filers input all their financial information as part of their annual filing process. Intuit also integrates its Quicken family of products as well as its Mint expense tracking with TurboTax. And since it offers an integrated authentication service and encourages the same password for all services, TurboTax users who also use Mint or QuickBooks could face ATOs on those properties as well, further exacerbating the problem. Mint, for example, tracks not only credit card spending and bank account balances but also retirement accounts, brokerage accounts and even mortgage balances.

In other words, Intuit holds a treasure trove of financial information that could be used for future attacks in multiple ways, including ATO attacks across other web and mobile apps. Cybercriminals could use all these pieces of a financial mosaic to create a synthetic identity for future fraud. To (Read more...)

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2021/turbotax-ato-attack-foretells-serious-wave-of-financial-fraud/
