For many taxpayers, the annual refund check from the IRS is one of the year's biggest paydays. But thousands of taxpayers will get a nasty shock this year when the IRS tells them their refund has already been collected by someone else. In the best-case scenario, it will take these unlucky taxpayers months to convince the IRS to send them the refund they're entitled to.
This is not a new problem — I wrote about it last year, in fact. In the 2013 filing season, according to the Government Accountability Office, the IRS blocked $24.2 billion in fraudulent refund requests, while the agency paid out at least $5.8 billion (and possibly a lot more) in refunds that later proved fraudulent.
This year the refund-theft discussion has focused specifically on TurboTax, the nation's most popular tax-prep software. Two former employees of Intuit, the company behind the program, have charged that their bosses turned a blind eye to rampant use of TurboTax for refund theft.
Intuit denies it's done anything wrong. The company says stolen tax refunds are an industry-wide problem, and that Intuit has done more than any of its rivals to help the IRS combat the problem.
Here are the two big things you need to know about the story:
- Intuit probably deserves a lot of the bad press it's getting for its lax security procedures, but Congress deserves more blame for failing to address the refund-theft problem despite years of warnings.
- If you take sensible precautions — like choosing a strong password and enabling two-factor authentication — your tax refund should be just as safe filing with TurboTax as with other software.
How crooks steal refunds with TurboTax
There are two basic ways criminals can use TurboTax to steal tax refunds. One takes advantage of the fact that our tax system doesn't have any reliable way of verifying people's identities.
When it comes to tax returns, the IRS takes a "send money first, ask questions later" approach. The IRS might not discover that a return was fraudulent for weeks or even months — long after the refund check is out the door.
Fraudsters can use TurboTax to exploit this flaw. They just need to get their hands on basic identifying information, such as a victim's Social Security number, address, and date of birth. And thanks to a string of major data breaches, this kind of information is available to a lot of criminals.
Another way to steal tax refunds is by obtaining a victim's TurboTax username and password. In most cases, this is possible because people use the same passwords on multiple sites. Criminals find lists of usernames and passwords elsewhere on the internet, and then try those same credentials with TurboTax. If it works, they can hijack the user's account — using identifying information entered in previous years to submit a new, fraudulent return and direct the refund to an account controlled by the thief.
Intuit could have done more to stop refund theft
A key point here is that neither of these attacks is Intuit's fault — at least directly. If a criminal has a user's Social Security number and other identifying information, he can submit a fraudulent return using any number of tax-filing methods, including TurboTax competitors such as H&R Block and TaxAct. Similarly, TurboTax is far from the only website criminals have tried to break into by guessing users' passwords.
But it is fair to fault TurboTax if — as two whistleblowing employees have alleged — TurboTax refused to take obvious precautions against these kinds of attacks.
"We found literally millions of accounts that were 100 percent used only for fraud," former Intuit programmer Robert Lee told journalist Brian Krebs. "But management explicitly forbade us from either flagging the accounts as fraudulent or turning off those accounts."
Intuit also dragged its feet on adding features that would make it harder to take over the accounts of legitimate customers. For instance, two-factor authentication is a technology that improves security by requiring the user to enter a numeric code sent to his or her cellphone in addition to a password. A lot of websites have offered this feature for years, but Intuit just made it widely available earlier this year.
"When you give your most sensitive data and that of your family to a company, that company should offer you more security than you can get at Facebook or 'World of Warcraft,'" Lee told Krebs.
Why only Congress can fix the problem
Intuit says it has voluntarily taken measures to combat fraud. The company says it's reluctant to do more because this is a problem the tax-preparation industry as a whole needs to solve. If Intuit is the only company to crack down on refund theft, the company fears the crooks will simply switch to other filing methods.
This argument might be self-serving, but it's also true. Private services can take steps to discourage fraud at the margins, but only Congress can overhaul the rules and make fraud harder system-wide.
One way the IRS could crack down on fraudulent returns would be to check that the wage information on a return matches the information submitted by employers on W-2 forms. The problem is that the IRS doesn't get this information in time to verify it before sending out refund checks.
Current law doesn't require an employer to submit this information to the IRS until two months after it's provided to employees. And small employers aren't required to submit the data electronically. Meanwhile, the law requires the IRS to send taxpayers their refunds promptly. So often, by the time the IRS discovers someone submitted a return with fraudulent W-2 data, the refund has already gone out the door.
Nina Olson, the IRS's official public advocate, has been calling for this system to be overhauled for years. But the IRS on its own can't require employers to file earlier, nor can it require all employers to file electronically. Only Congress can do that.
A more ambitious approach would be to establish a standard system for taxpayers to identify themselves. For example, when consumers request a copy of their credit report from the government-sponsored AnnualCreditReport.com, the site asks them a series of questions about the names of old employers, streets they used to live on, and so forth, to verify their identity. A similar approach could work for the IRS.
The IRS could ask taxpayers to supply a mobile phone number or email address. That would allow the agency to send taxpayers automated notices when a return is received the next year, allowing the taxpayer to notify the agency if a return is fraudulent.
There are a lot of options. The problem is that the body that's ultimately responsible for shaping the tax system — Congress — hasn't taken the problem seriously for many years.
How to use TurboTax safely
It's important to note that the recent allegations against TurboTax do not necessarily mean your tax refund is in greater danger if you sign up for TurboTax. If a fraudster gets your Social Security number and other data and uses it to impersonate you, it's going to be a huge headache no matter what tax prep software you use. Crooks using H&R Block can steal refunds from legitimate TurboTax customers, and vice versa. Avoiding TurboTax doesn't make you any safer from this kind of attack.
What about having your username and password stolen? That's a risk with any online service, but there are a couple of things you can do to minimize the danger.
One is to enable two-factor authentication. As I mentioned before, TurboTax dragged its feet on offering this security feature. But it finally started doing so this year. This feature will ensure the bad guys can't access your account even if they figure out your password.
Second, choose a good, long password for TurboTax that isn't used on any other website. If you're worried about forgetting your password, don't be afraid to just write it down and save it with your tax documents. Anyone who steals your previous year's tax return will be able to impersonate you with or without your TurboTax password.
In March I asked Intuit to comment on the refund theft controversy. Here's what the company said:
As the challenge from cybercriminals evolves, we need to continually strengthen our efforts by helping the IRS detect fraud, while also protecting legitimate taxpayers from unnecessary burden and delay to their filings and refunds. And that is what we are doing. There are many different opinions about which security measures are most appropriate for a given threat level. We believe we offered appropriate features to address the threat level at the time and continue to evolve our security measures in response to the changing environment.
WATCH: 'Tax Day doesn't have to suck'