If you haven't already filed your taxes, you're probably considering TurboTax, the widely used software that makes filing a return easy for our nation of babies and dimwits. Consider an alternative: according to two former high-ranking employees, the company ignored rampant refund theft because it could take a cut.

Intuit, the corporation that owns TurboTax, is an unequivocally evil firm that's spent millions of dollars lobbying the IRS to make sure filing your taxes is enough of a pain in the ass that you'll continue using TurboTax. The company also took some heat after widespread fraud and identity theft was discovered inside the system—so much heat, in fact, that TurboTax had to briefly stop processing state returns. Now, two Intuit insiders say the existence of mass fraud wasn't just an oversight, but intentional negligence from the top: TurboTax was able to rake in revenue from faked filings.

Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:

Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."

It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.

Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:

"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."

Intuit denies that it has a large fraud problem, or that it deliberately allowed fraud to take place because it was good for its bottom line. Which, of course, because that's the response from every thoroughly evil corporation when they're caught with their pants down. I suggest using a certified accountant, because there's a statistically much lower chance that you'll be letting a sociopathic entity handle your taxes.

Contact the author at biddle@gawker.com.
Public PGP key
PGP fingerprint: E93A 40D1 FA38 4B2B 1477 C855 3DEA F030 F340 E2C7