![\"Intuit](\"https:\/\/solutionsreview.com\/identity-management\/files\/2019\/05\/Multifactor-authentication-mod.jpg\")
<\/p>\n<\/p>\n
Financial software company Intuit recently informed customers of its TurboTax product of a series of potential account takeovers, allowing access to some personally-identifying information.\u00a0<\/strong><\/em><\/p>\n Intuit insisted in a breach notification letter to customers that the takeover attacks did not amount to a “systemic data breach of Intuit.\u201d Further, it noted that the threat actors obtained credentials<\/a><\/strong><\/span> through “a non-Intuit source.\u201d<\/span><\/p>\n We consulted with cybersecurity<\/a><\/strong><\/span> experts about the TurboTax Attack Takeovers. Here\u2019s what they had to say.\u00a0<\/span><\/p>\n Kim DeCarlis is the CMO at <\/span><\/i>PerimeterX<\/span><\/i><\/a>.<\/span><\/i><\/p>\n \u201cAccount takeover (ATO) attacks are a major threat to any business. It is much simpler and lucrative to walk in through the front door of a digital business with valid stolen credentials than to look for holes in an organization\u2019s cybersecurity defenses. PerimeterX research found that between 75-85% of all login attempts in the second half of 2020 were account takeover attempts. Unfortunately, this was the case for TurboTax. Businesses need to be aware of signs that they\u2019ve been attacked – including surges in help desk calls, spikes in password resets and inhuman user behaviors such as thousands of login attempts on an account in a short time period – and take appropriate action. Consumers need to make sure they are using different passwords on every site and locking down their credit reports as well.\u201d<\/span><\/p>\n Saryu Nayyar (she\/her) is CEO of <\/span><\/i>Gurucul<\/span><\/i><\/a>.\u00a0<\/span><\/i><\/p>\n \u201cThis is the holy grail for cyber-criminals and a nightmare for TurboTax customers. Armed with social security numbers and associated personally identifiable information (names, addresses, birth dates), criminals can quickly open credit card accounts (and a host of other accounts) and shop till they drop – all on the victim’s identity. And the clean-up to clear one’s name is painful and continuous for all the victims. This particular breach was avoidable in that credentials were stolen from other online services following past data breaches. It cannot be overstated that individuals must change all passwords following a breach notification. Credentials should never be reused. You absolutely need unique credentials for each and every service, especially those where you are transacting financial data.\u201d<\/span><\/p>\n Baber Amin is COO of <\/span><\/i>Veridium<\/span><\/i><\/a>.<\/span><\/i><\/p>\n \u201cPassword reuse and its downstream implications are the key with what happened at TurboTax. Unfortunately, password reuse is still a norm, despite warnings, because as mere normal humans we have a limited capacity to remember passwords.\u00a0 Given the ever-increasing need to be digital in every aspect of our lives, many reuse passwords.<\/span><\/p>\n \u201cThe flip side of this coin is credential stuffing. Once a password is compromised and available, it can be used to impersonate actual real users.<\/span><\/p>\n \u201cThe best way to eliminate this vector is to eliminate passwords. No Password = no credential to stuff. The second-best way to eliminate credential stuffing is to add contextual multifactor authentication that is either dynamic based on risk or based on static rules.\u00a0 This is the cheapest way to thwart a credential stuffing attack. Either way points to either eliminating the weakest link or shoring it up.\u201d<\/span><\/p>\n James McQuiggan is Security Awareness Advocate at <\/span><\/i>KnowBe4<\/span><\/i><\/a>.<\/span><\/i><\/p>\n \u201cThis credential stuffing attack is highly lucrative. It provides access to personal information about the user, their tax information, and of course, their social security numbers for them and possibly their immediate family.<\/span><\/p>\n With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point for cyber criminals to target various online sites that utilize accounts for their customers. If users set up accounts with the previously exposed passwords, they are making it easy for cyber criminals to steal their data.<\/span><\/p>\n Users should ensure they are using strong passwords or passphrases for all of their accounts and, where available, using Multi-Factor Authentication (MFA) to protect and secure their accounts.\u00a0 This way, in the event of a password credentialing attack, it will reduce their risk of exposure to losing their sensitive, personal data.\u201d<\/span><\/p>\n David Stewart is CEO of <\/span><\/i>Approov<\/span><\/i><\/a>.<\/span><\/i><\/p>\n “Credential stuffing attacks, utilizing usernames\/passwords extracted from unconnected data breaches, are one of the most common account takeover mechanisms. The simplest way to prevent such exploits is to ensure that usernames\/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified additional factors (eg 2FA, biometrics, app authentication) to gain access to your servers will make your business dramatically less likely to suffer account takeover attacks.”<\/span><\/i><\/p>\n Purandar Das is Co-founder and Chief Strategist at <\/span><\/i>Sotero<\/span><\/i><\/a>.<\/span><\/i><\/p>\n \u201cThis is an example of the cascading and long-lasting impact of data breaches. Data stolen from one or more organizations is compiled and then sold to criminals. While it is easy, in this case, to claim that there was no systemic breach it still puts a spotlight on the organization that was used to access account information. At the very minimum, dual-factor authentication would have prevented this issue. Longer-term organizations have to account for the fact the stolen data or user credentials is widely available. Accounting for that with dual-factor authentication or device-based access in the short term and ML-based authentication is a must. Passing the blame on to the consumer is not acceptable. It is just not feasible nor sustainable to push the onus on consumers to create and manage tens if not hundreds of passwords.\u201d<\/span><\/p>\n Thanks to these experts for their time and expertise on the TurboTax Account Takeovers. For more on protecting your employees\u2019 and privileged users\u2019 credentials, download the Identity Management Buyer\u2019s Guide<\/a><\/strong><\/span> or the Solutions Suggestion Engine<\/a><\/strong><\/span>.\u00a0<\/span><\/p>\n\t\t\t![\"IAM](\"https:\/\/solutionsreview.com\/identity-management\/files\/2021\/02\/Identity_Suggestion_Engine_Horiz_800.gif\" "\\"\\"")
<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div>\nIntuit Informs TurboTax Customers of Account Takeovers<\/b><\/h2>\n
Kim DeCarlis<\/b><\/h3>\n
Saryu Nayyar<\/b><\/h3>\n
Baber Amin<\/b><\/h3>\n
James McQuiggan<\/strong><\/h3>\n
David Stewart<\/b><\/h3>\n
Purandar Das<\/b><\/h3>\n