Intuit Informs TurboTax Customers of Account Takeovers

Posted on June 15, 2021 by Ben Canner in Best Practices, Featured

Financial software company Intuit recently informed customers of its TurboTax product of a series of potential account takeovers, allowing access to some personally-identifying information. 

Intuit insisted in a breach notification letter to customers that the takeover attacks did not amount to a “systemic data breach of Intuit.” Further, it noted that the threat actors obtained credentials through “a non-Intuit source.”

We consulted with cybersecurity experts about the TurboTax account takeovers. Here’s what they had to say.

Kim DeCarlis

Kim DeCarlis is the CMO at PerimeterX.

“Account takeover (ATO) attacks are a major threat to any business. It is much simpler and more lucrative to walk in through the front door of a digital business with valid stolen credentials than to look for holes in an organization’s cybersecurity defenses. PerimeterX research found that between 75-85% of all login attempts in the second half of 2020 were account takeover attempts. Unfortunately, this was the case for TurboTax. Businesses need to be aware of signs that they’ve been attacked – including surges in help desk calls, spikes in password resets and inhuman user behaviors such as thousands of login attempts on an account in a short time period – and take appropriate action. Consumers need to make sure they are using different passwords on every site and locking down their credit reports as well.”

Saryu Nayyar

Saryu Nayyar (she/her) is CEO of Gurucul. 

“This is the holy grail for cyber-criminals and a nightmare for TurboTax customers. Armed with social security numbers and associated personally identifiable information (names, addresses, birth dates), criminals can quickly open credit card accounts (and a host of other accounts) and shop till they drop – all on the victim’s identity. And the clean-up to clear one’s name is painful and continuous for all the victims. This particular breach was avoidable in that credentials were stolen from other online services following past data breaches. It cannot be overstated that individuals must change all passwords following a breach notification. Credentials should never be reused. You absolutely need unique credentials for each and every service, especially those where you are transacting financial data.”

Baber Amin

Baber Amin is COO of Veridium.

“Password reuse and its downstream implications are the key with what happened at TurboTax. Unfortunately, password reuse is still a norm, despite warnings, because as mere normal humans we have a limited capacity to remember passwords.  Given the ever-increasing need to be digital in every aspect of our lives, many reuse passwords.

“The flip side of this coin is credential stuffing. Once a password is compromised and available, it can be used to impersonate actual real users.

“The best way to eliminate this vector is to eliminate passwords. No Password = no credential to stuff. The second-best way to eliminate credential stuffing is to add contextual multifactor authentication that is either dynamic based on risk or based on static rules.  This is the cheapest way to thwart a credential stuffing attack. Either way points to either eliminating the weakest link or shoring it up.”
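The burst-of-logins signal DeCarlis describes and the risk-based step-up Amin describes can be combined in one check. The sketch below is an added example, not code from the article or from any vendor quoted in it; the thresholds, the event layout and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300         # seconds of history considered (assumed value)
ACCOUNT_BURST = 5    # attempts on one account within WINDOW (assumed value)
SOURCE_SPREAD = 3    # distinct accounts failed from one source (assumed value)

# Constructed sample events: (epoch_seconds, source_ip, username, password_ok)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "alice", False),    # ordinary typo ...
    (20, "198.51.100.7", "alice", True),    # ... then a normal login
    (100, "203.0.113.50", "dave", False),   # one source walking a list
    (101, "203.0.113.50", "erin", False),
    (102, "203.0.113.50", "frank", False),
    (103, "203.0.113.50", "bob", True),     # reused password finally matches
    *[(200 + i, f"203.0.113.{60 + i}", "carol", False) for i in range(5)],
    (206, "198.51.100.9", "carol", True),   # valid password amid a burst
]

def assess_logins(events):
    """Return one decision per event in time order:
    'deny' (bad password), 'allow', or 'step_up' (require a second factor)."""
    by_account = defaultdict(deque)  # username -> timestamps of all attempts
    by_source = defaultdict(deque)   # source -> (timestamp, username) failures
    decisions = []
    for ts, source, user, password_ok in sorted(events):
        attempts, failures = by_account[user], by_source[source]
        attempts.append(ts)
        # Drop history that has aged out of the sliding window.
        while attempts[0] <= ts - WINDOW:
            attempts.popleft()
        while failures and failures[0][0] <= ts - WINDOW:
            failures.popleft()
        if not password_ok:
            failures.append((ts, user))
            decisions.append("deny")
            continue
        # A correct password is not trusted on its own when the context is risky.
        burst = len(attempts) > ACCOUNT_BURST
        spread = len({u for _, u in failures}) >= SOURCE_SPREAD
        decisions.append("step_up" if burst or spread else "allow")
    return decisions

if __name__ == "__main__":
    for event, decision in zip(sorted(SAMPLE_EVENTS), assess_logins(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

A correct password from a source that has just failed against several other accounts, or on an account under a burst of attempts, is routed to a second factor instead of being accepted outright.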

James McQuiggan

James McQuiggan is Security Awareness Advocate at KnowBe4.

“This credential stuffing attack is highly lucrative. It provides access to personal information about the user, their tax information, and of course, their social security numbers for them and possibly their immediate family.

“With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point for cyber criminals to target various online sites that utilize accounts for their customers. If users set up accounts with the previously exposed passwords, they are making it easy for cyber criminals to steal their data.

“Users should ensure they are using strong passwords or passphrases for all of their accounts and, where available, using Multi-Factor Authentication (MFA) to protect and secure their accounts. This way, in the event of a password credentialing attack, it will reduce their risk of exposure to losing their sensitive, personal data.”

David Stewart

David Stewart is CEO of Approov.

“Credential stuffing attacks, utilizing usernames/passwords extracted from unconnected data breaches, are one of the most common account takeover mechanisms. The simplest way to prevent such exploits is to ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified additional factors (e.g., 2FA, biometrics, app authentication) to gain access to your servers will make your business dramatically less likely to suffer account takeover attacks.”

Purandar Das

Purandar Das is Co-founder and Chief Strategist at Sotero.

“This is an example of the cascading and long-lasting impact of data breaches. Data stolen from one or more organizations is compiled and then sold to criminals. While it is easy, in this case, to claim that there was no systemic breach, it still puts a spotlight on the organization that was used to access account information. At the very minimum, dual-factor authentication would have prevented this issue. Longer-term, organizations have to account for the fact that stolen data or user credentials are widely available. Accounting for that with dual-factor authentication or device-based access in the short term and ML-based authentication is a must. Passing the blame on to the consumer is not acceptable. It is just not feasible nor sustainable to push the onus on consumers to create and manage tens if not hundreds of passwords.”

Thanks to these experts for their time and expertise on the TurboTax Account Takeovers.