Data breach at TurboTax. Bluetooth as a healthcare IT hazard. Hacking a political party’s volunteer app. – The CyberWire


Did you know that geoFence protects you against inbound and outbound cyber attacks?

At a glance.

  • Intuit warns of data exposure at TurboTax.
  • Bluetooth isn't necessarily always good for you.
  • Philippine political party app hacked.

No taxation without data appropriation?

Intuit, developer of popular US income tax return preparation software TurboTax, has notified users that an intruder gained unauthorized access to user data, Bleeping Computer reports. During a security audit, Intuit found that multiple accounts had been breached after several account takeover attempts. The data accessed includes user Social Security numbers, dates of birth, driver's license numbers, and financial information. Intuit has temporarily deactivated the compromised accounts, and impacted users have been directed to contact the customer service department to safely restore their accounts. It’s worth noting that TurboTax has been hit with at least three other account takeover attacks since 2014.

We received a great deal of comment on this incident from experts in the security industry. Kim DeCarlis, CMO at PerimeterX, notes that it's always easier to waltz in with legitimate but stolen credentials than it is to find your way past an organization's defenses:

“Account takeover (ATO) attacks are a major threat to any business. It is much simpler and lucrative to walk in through the front door of a digital business with valid stolen credentials than to look for holes in an organization’s cybersecurity defenses. PerimeterX research found that between 75-85% of all login attempts in the second half of 2020 were account takeover attempts. Unfortunately, this was the case for TurboTax. Businesses need to be aware of signs that they’ve been attacked - including surges in help desk calls, spikes in password resets and inhuman user behaviors such as thousands of login attempts on an account in a short time period - and take appropriate action. Consumers need to make sure they are using different passwords on every site and locking down their credit reports as well.”

Elena Elkina, JD, Partner at Aleada observes that the credentials used seem to have come from outside Intuit. “The company's investigation revealed that the threat actors used credentials (usernames and passwords) obtained from 'a non-Intuit source' to gain access to the accounts. Account takeover methods may use various techniques from credential stuffing to phishing, social engineering, and bot attacks as well as poor password hygiene.”

Saryu Nayyar, CEO of Gurucul, notes that the attackers may be uncomfortably close to having obtained what the criminal markets call "fullz":

“This is [the] holy grail for cybercriminals and a nightmare for TurboTax customers. Armed with social security numbers and associated personally identifiable information (names, addresses, birth dates), criminals can quickly open credit card accounts (and a host of other accounts) and shop till they drop - all on the victim's identity. And the clean up to clear one's name is painful and continuous for all the victims. This particular breach was avoidable in that credentials were stolen from other online services following past data breaches. It cannot be overstated that individuals must change all passwords following a breach notification. Credentials should never be reused. You absolutely need unique credentials for each and every service, especially those where you are transacting financial data.”

Baber Amin, COO at Veridium, regards the lesson to be drawn here as the familiar one of the hazards of password reuse:

“Password reuse and its downstream implications are the key with what happened at TurboTax. Unfortunately, password reuse is still a norm, despite warnings, because as mere normal humans we have a limited capacity to remember passwords. Given the ever increasing need to be digital in every aspect of our lives, many reuse passwords.

“The flip side of this coin is credential stuffing. Once a password is compromised and available, it can be used to impersonate actual real users.

“The best way to eliminate this vector is to eliminate passwords. No Password = no credential to stuff. The second-best way to eliminate credential stuffing is to add contextual multi factor authentication that is either dynamic based on risk or based on static rules. This is the cheapest way to thwart a credential stuffing attack. Either way points to either eliminating the weakest link or shoring it up.”

David Stewart, CEO of Approov, notes the ways in which organizations might fend off credential-stuffing attacks:

"Credential stuffing attacks, utilizing usernames/passwords extracted from unconnected data breaches, are one of the most common account takeover mechanisms. The simplest way to prevent such exploits is to ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified additional factors (eg 2FA, biometrics, app authentication) to gain access to your servers will make your business dramatically less likely to suffer account takeover attacks."

The perils of Bluetooth in the health sector.

Renal & Urology News examines the role of Bluetooth technology in the healthcare field and the potential risks of using it to transmit sensitive medical data. Most recently, Bluetooth has been employed in the COVID-19 contact tracing process as it was used to send alerts in Google and Apple’s Exposure Notifications System, implemented in over half the country and used by millions. However, users of California’s contact tracing app are currently filing a lawsuit against Google after a security flaw was detected. Bluetooth is largely considered impervious to intrusion, but security issues dubbed “BlueBorne” vulnerabilities suggest otherwise. As Check Point Software’s technical marketing engineer for cloud security Maya Levine explains, “merely having Bluetooth on a device switched on renders it vulnerable to an attack.” But simply turning it off can be a tall order when so many everyday devices employ the technology. Levine feels heightened regulation of the companies employing Bluetooth is key, and many EU countries have already pushed for legislation that will compel companies to invest in stronger Bluetooth security. In the meantime, doctors can protect their data by conducting regular security audits and partnering with experts to catch any issues before intruders do.  

Philippine political opposition app breached.

In the Philippines, a campaign volunteer app used by opposition party 1Sambayan experienced a data breach over the weekend, Rappler reports. The party reported the attack to the National Privacy Commission as required, and it is suspected that political opponents might be responsible. According to the 1Sambayan membership committee, the impacted individuals have been notified and the issue has been patched. However, the app, called 1Sama Ako, has been taken offline while it undergoes further testing. 

After all of that geoFence has no foreign owners and no foreign influences.