TurboTax ATO Attack Foretells Serious Wave of Financial Fraud

Credential stuffing against one of the world’s largest online finance applications yields a treasure trove of data.

Another serious account takeover (ATO) attack hit the news on June 15 when cybercriminals went after customers of Intuit, one of the world’s largest online finance and accounting software companies. Numerous users of the TurboTax tax preparation software received notices that their accounts might have been taken over by fraudsters. Intuit is the parent company of TurboTax, QuickBooks, Mint, and CreditKarma. TurboTax is the leading online tax filing software, serving millions of customers. Across all its properties, Intuit serves over 100 million customers worldwide as of May 2021.

I am an Intuit customer. Fortunately, I have not been notified that my account was impacted. But I am still nervous because this attack ups the ante on previous attacks. The cybercriminals obtained not just personally identifiable information (PII) like name, address, date of birth, and social security information, but also information about income and investments. TurboTax filers input all their financial information as part of their annual filing process. Intuit also integrates its Quicken family of products as well as its Mint expense tracking with TurboTax. And since it offers an integrated authentication service and encourages the same password for all services, TurboTax users who also use Mint or QuickBooks could face ATOs on those properties as well, further exacerbating the problem. Mint, for example, tracks not only credit card spending and bank account balances but also retirement accounts, brokerage accounts and even mortgage balances.

In other words, Intuit holds a treasure trove of financial information that could be used for future attacks in multiple ways, including ATO attacks across other web and mobile apps. Cybercriminals could use all these pieces of a financial mosaic to create a synthetic identity for future fraud. To do this, criminals could use combinations of authentic and false identity data to apply for fraudulent accounts with creditors or other banks. Another possible use of the stolen data is to focus a second round of ATOs on the brokerage or bank accounts where Intuit users have high balances. Because the TurboTax ATO incident was driven by reused passwords, the chances are high that the same victims reused passwords on investment or banking accounts.

The attackers purchased the passwords and usernames — also called credential pairs — on the dark web. Fed by the rising tide of cybercrime, there are billions of credential pairs of varying quality available. The credential pairs make their way to the dark web as a way for criminals to monetize previous data breaches and skimming attacks. These attacks include Magecart exploits, where a malicious skimmer is added to the code or Javascript libraries of a commerce platform without being detected by security teams. Magecart gangs have targeted tens of thousands of online commerce applications, large and small, and have successfully compromised leading brands such as British Airways and Macy’s. Other flavors of this digital skimming include formjacking, when a specific form on a web application is overlaid or modified to send data to criminals, harvesting PII.

Due to the massive inventory, ATO gangs can buy credential pairs on the dark web almost as easily as marketers can purchase business lists and contacts for email campaigns. The easy availability of credential pairs — in particular, validated pairs — is one of the main reasons why the volume of ongoing account takeover attacks continues to increase quickly. For example, PerimeterX saw ATO attempts peak at 85% of logins during September 2020. ATOs against financial service firms have spiked noticeably in the past year. Both the U.S. Federal Bureau of Investigation and the Securities Exchange Commission have warned against rising ATO fraud and advised financial services firms to take more robust measures to protect their customers.

This imperative introduces a challenge for banks and brokerages. Their customers chafe against extra security measures, such as multi-factor authentication (MFA). Mandating MFA leads to increased support calls and customer complaints. But as the Intuit hack and the SEC and FBI warnings demonstrate, attackers are coming after higher-value targets. Financial services companies — and e-commerce companies in general — must balance a great online experience and security to protect customers effectively. To achieve this, online operators can elect to add the friction of MFA or other secondary checks for high-value transactions only, such as large transfers or withdrawals.

Most banks and brokerages have started doing this, and that should help reduce the risk, even if it angers some customers. Financial services firms have a few other options to ensure that their customers are not reusing passwords. These companies can subscribe to services that offer lists of compromised credentials and reject those that are reused or compromised. But, the lists can be out of date and may not be accurate, leading to coverage gaps. Financial services companies can even take the decisive step of enforcing randomly generated passwords on their site. Consumers do not like randomly generated passwords that cannot be easily remembered unless they are stored in a password wallet. The average consumer now has dozens of accounts; making each one unique creates nearly impossible-to-manage complexity.

So what should consumers do now? Consumers need to make sure they are using different passwords on every site. The best way to do this is to use a standalone password wallet, or one that is associated with a web browser. Some wallets include services that notify users when an account has been compromised and streamlines password changes. In addition, customers should consider freezing their credit reports with all three credit bureaus. This prevents anyone from opening a new account using a stolen or synthetic identity. Freezes can be temporarily lifted when a customer needs to provide credit report access for legitimate queries. Even if it injects friction, customers should opt for MFA to layer in additional security; SMS-based MFA is relatively painless, supplying a validation code that the customer can enter to pass an online login or authentication checkpoint.

For their part, businesses must watch more closely for signs that they are under an ATO assault. These signs can include surges in help desk calls, spikes in password resets and abnormal user behaviors such as thousands of login attempts on an account in a short time period. Once a security or web application team recognizes signs of an attack, they must act quickly. First, they should make sure that standard defenses like Web Application Firewalls (WAFs) are tuned to block obvious automated ATO attacks.

To counter more sophisticated attacks, security and ops teams should investigate modern defenses that leverage machine learning (ML). This new generation of tools combines intelligent fingerprinting, behavioral signals, and predictive analysis to detect fraud attacks on your web and mobile applications and API endpoints. The beauty of these solutions is that they may allow financial services companies and other e-commerce operators to rely less on blunt security instruments like MFA and build a practice of proactively identifying and blocking the vast majority of fraud attempts before they even hit the login page.

The future of automated fraud prevention and remediation is unleashing the power of ML to sift through billions and billions of application interactions to see patterns and evidence at scales and speeds beyond the capabilities of human eyes and brains. Building that future where real human customers can be quickly identified and verified based on thousands of observable data points will ensure that the vast majority of online transactions are smoother, faster, and less complicated. That same capability will allow security teams to zero in on likely bad actors with increasing accuracy and apply the most stringent checks to a smaller pool of suspicious visitors. In this future, applications will deliver the best of both worlds — a stellar experience and better security, with no compromise.

For more information about how to stay protected in the financial services sector, visit the PerimeterX financial services page.