Rdoucette
Level 2

Quickbooks support processes and cyber security failings

This is a general request to the support team and Intuit management as well as a request to the community to explore the defects in the QB support process as related to cyber security issues. 

 

I've had challenges activating QB Desktop 2022 and had to contact support for a validation code. In the process of doing this two disturbing things happened:

 

1) I was asked to allow remote control of my accounting system PC so that they could see the screen/message

2) I was asked to provide the full credit card info again with number, expiry, and security code.

 

For those that want to assume that nothing will ever go wrong and we live in a world of complete trust, you'll see no issues here.

 

For those that are concerned about an environment that is fraught with cyber security risks both of these raise a lot of red flags.

 

1) Remote control is the most dangerous thing you can give to someone. Even assuming that the individual is legit, how do we know that the payload they are using hasn't been compromised? There are multiple instances of vendor installables (or related libraries) being compromised. See Apache Struts, SolarWinds, Kaspersky, etc... Given that there are other options - screen shots, Zoom/WebEx (esp. if owned by the end customer), etc... the use of remote control software is rarely, if ever, the correct level of intervention.

 

The policy of installing remote control software as part of standard operating processes for support should be discontinued.

 

2) Frankly, having a support rep request my full credit card info is inexplicable. The exact same information is already associated with my Intuit account; I can go to accounts.intuit.com to see that billing is properly set up and that the card is valid and associated with the product/service. If it serves as some sort of validation that I am a legitimate client, then there are other ways. Some vendors populate the account with a unique code number that changes daily and is used by support to confirm that the user has control of the account and is legitimate. Other vendors use 2-factor authentication and text a code to the registered owner's cell number... Using credit card information to validate a non-payment related support request is just insanity.

 

The policy of using credit cards to validate a support request should be discontinued.

 

It boggles my mind that Intuit, the software company at the heart of a huge number of businesses of all sizes, should have consciously chosen these approaches as being in alignment with their cyber security policies and their obligations to their customer base. It also calls into question whether their approach to other factors in the software supply chain is being handled correctly.

 

There are many reports of efforts to obtain, compromise or misuse Quickbooks data by bad actors - we're not living in a low threat environment for financial data. In addition to my own responsibilities around keeping my systems, data, and people secure I need Intuit to exercise their responsibilities to the best of their ability. Given the above, I'm not sure that they are.

 

If there is a management meeting somewhere about this note and actions taken to shore up these and other security practices, then it will have been worth starting this discussion.
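An added example (not Intuit's code, and not a claim about how any vendor actually implements this) of the daily-changing, account-bound support code the post describes as the alternative to reading out card details: the service derives the code from a per-account secret and a day counter, the customer reads it off their account dashboard, and the agent's tool verifies it with a yes/no answer and never sees the secret. The key and account ids below are constructed demo values.

```python
import hmac
import hashlib
import time
from typing import Optional

CODE_DIGITS = 6
DAY_SECONDS = 86400  # one code per account per day (UTC)


def support_code(account_key: bytes, account_id: str, day_index: int) -> str:
    """Derive the daily support verification code for one account.

    HMAC-SHA256 over the account id and the day counter, truncated to
    CODE_DIGITS decimal digits (the HOTP/TOTP shape, with a 24 h step).
    account_key is a per-account secret held only by the service.
    """
    msg = f"{account_id}:{day_index}".encode()
    mac = hmac.new(account_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code_int % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_support_code(account_key: bytes, account_id: str, presented: str,
                        now: Optional[float] = None, grace_days: int = 1) -> bool:
    """Server-side check an agent's tool would call.

    Accepts today's code or one up to grace_days old, so a code read off the
    dashboard just before midnight still works. The comparison is
    constant-time, and the agent only learns whether the code matched.
    """
    now = time.time() if now is None else now
    today = int(now // DAY_SECONDS)
    for day in range(today, today - grace_days - 1, -1):
        if hmac.compare_digest(support_code(account_key, account_id, day), presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values; a real service stores a random key per account.
    key = b"constructed-demo-key-not-a-real-secret"
    code = support_code(key, "acct-123", int(time.time() // DAY_SECONDS))
    print("dashboard shows:", code)
    print("agent check, right account:", verify_support_code(key, "acct-123", code))
    print("agent check, other account:", verify_support_code(key, "acct-456", code))
```

Because the code is tied to the account and expires daily, it proves control of the account for this one interaction, whereas a card number is a long-lived secret that is worth stealing and useless as proof of anything except having seen the card.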

8 Comments
ChristieAnn
QuickBooks Team

Welcome to the QuickBooks Community, Rdoucette. This isn't the kind of impression that I'd like you to have, and we know how important your data is. This is why we always have privacy and security in Intuit. With this, I'll be sharing information on how our program protects your data.

 

We depend on advanced, industry-recognized security and virus safeguards to keep your financial data private and protected. This includes password-protected sign-ins, firewall-protected servers, and the same encryption technology used by the world's top banks. We store data on Intuit-managed systems. These are in your home country to satisfy data residency laws. Data is stored in the cloud on Amazon Web Services (AWS). This means your data is protected by multiple layers of network, storage, and physical access security.

 

Then, when our call support performs screen sharing or remote glance with you, there are some reminders before they do a session. 

 

  • You'll have to close out any sensitive information from your screen.
  • If you ever feel uncomfortable, you can end the remote session.
  • Please remain in front of your computer during the session.
  • After the troubleshooting is completed, we will make sure that our support is no longer connected to your screen.

 

Additionally, at Intuit, we build privacy and security into everything we do. We know your details are beneficial and you can't afford to take any risks with them. There are some general tips to keep your account secure and how we protect your financial information. For further details, you may refer to this article: Privacy and security in QuickBooks.

 

On the other hand, please know that QuickBooks Online is constantly changing and evolving based largely on the requests of users. With that, I suggest going to the Gear icon in QuickBooks Online. From there, you're able to choose Feedback to submit a request about discontinuing installing remote control software as part of standard operating processes for support.

 

Lastly, if you receive an email message about suspicious charges and you believe it is not from Intuit, you can forward any suspicious email or person directly to Intuit at spoof@intuit.com. For more details about it, check out the article below: Is this email I received a legitimate communication from Intuit?

 

You're always welcome to post in the Community anytime you have other concerns or questions. I'll be here to assist you anytime.

Rdoucette
Level 2

Thank you for your answer Christie, I appreciate your efforts to engage.

 

However, nothing in your response directly addresses my concerns, except possibly the guidance to submit a feature request, which is fair game.

 

The security issues I pointed out remain, with no substantive counter from Intuit as to their resolution.

 

If this particular conversation ends up in a weekly/monthly report as a line item like "Forum Feedback: Security Concerns - 3 posts with negative sentiment", then I consider this conversation a failure.

 

Your 2021 10-K SEC filing notes, "Our business depends on our strong reputation and the value of our brands" and "a security incident that results in unauthorized disclosure of our customers' sensitive data could cause material reputational harm". This is as high level an issue as exists at Intuit, and responding by suggesting end customers cooperate with requests for remote access as standard practice is as contrary to the intentions of top management as it gets.

 

The misalignment between your 10-K statements and your current support policies is a continuing threat to the entire organization. Upper management is depending on the security team to get it right. Every time Intuit takes remote control of a PC, you own what happens in that moment and possibly after. Your CxO team is top notch and more technical than most, but it's unlikely they truly comprehend the risk of specific processes in the support team.

 

I'll jog your memory of why everyone at Intuit should care about security: Target CEO Gregg Steinhafel resigned months after their breach; Equifax CEO Richard Smith resigned within two weeks of theirs. Responsibility flows to the highest levels when cyber security is in play.

 

Your 10-K has an entire section on operational risks that begins with a focus on cyber security. I'm not your worst enemy in pointing this out. I'm trying to be as persuasive and as helpful as possible, since my security is inextricably linked with yours. I can't move a $10 billion company to action by whispering...

 

I'll make the feature requests as suggested, but that's a poor way to handle a security concern.

 

Fiat Lux - ASIA
Level 15

@Rdoucette wrote:

The policy of using credit cards to validate a support request should be discontinued.

 

@Rdoucette 

This is new to us. We frequently contacted Support without ever asking for this sensitive information. Not sure if this is a new policy as of this month.

 

Just to clarify about your original issue. Did you get your validation code for QB Desktop 2022?

Rdoucette
Level 2

After providing the information, during which I was told recording was paused, they then went away for a bit and came back with the validation code. If I had not provided the card details, they were not going to activate the (already purchased) product. #coercion

 

It may be that, because the issue was related specifically to activation, the request for card info is part of the process. It doesn't excuse the process, but it limits the scope. It's never a good idea to train your end users to provide card details outside of the immediate purchase transaction.

Fiat Lux - ASIA
Level 15

Since last year, we have been helping our customers order QB Desktop Pro / Premier without a credit card. We are authorized to pay licenses by ACH to Intuit. Hope we won't encounter any problem regarding the activation code in the future. Our channel reps have assured us that we don't need the code any longer.

Rdoucette
Level 2

I wondered about clients paying by ACH - it's even more serious, since in the US you have about 24 hours to report ACH fraud; otherwise the banks are not responsible and the customer takes the loss. A health professional in the office next to mine lost $32,000 USD just before Christmas to ACH fraud, and the banks are not covering it. I have a separate account just for ACH transactions because of this policy.

 

My direct experience of having to provide card details to get support on the validation code should never happen again to anyone. I've put a picture of the chat below, but removed the agent's name (who I have no issues with) as it's not relevant - it should be pretty easy to figure out which responses are mine. I terminated the chat after it became clear there was no other way to proceed. As a reminder of context, tremendous amounts of information had already been provided, including license details. I had just declined a request to allow remote control, and now I'm being asked to provide cc details: info already on file with Intuit, that was valid and up to date, and that had recently been used by me to pay for the product that was the subject of the support request.

 

Re. the remote control, this is prior to a successful install of QB Desktop. They were going to have me download an executable payload, like Teams maybe, and then use that to control my accounting system.

 

Can you imagine someone posting a link on a forum that looks like it might be an Intuit support chat link and instead is a bad actor? Intuit should have a clear policy: we will never ask for passwords, we will never ask for payment details (outside of the purchase transaction), we will never ask you to install any software but our own.

 

[Image: Intuit Chat.jpg]

JoesemM
Moderator

The security of our customers' accounts is our main priority, @Rdoucette.

 

Thanks for bringing this matter to our attention. I'm here to help share how we can prevent these fraud calls from parties claiming to be affiliated with Intuit.

 

Outbound calls from a QuickBooks representative should not ask for any personal information. To avoid these scam phone calls, we highly recommend not including any private information such as personal/business phone numbers and personal/business email addresses when posting here in the Community.

 

If you keep receiving this kind of call, I'd suggest reporting this information through our email. Please click on this link for more details: Reporting fraudulent calls or emails received from parties claiming to be affiliated with Intuit.

 

Also, to report suspicious activity or if you think you're being scammed, I suggest reporting this directly to our Security Team using the spoof@intuit.com email address. Just check out this article for the steps and details: Recognize and report suspicious emails (Phishing). Rest assured, everything will get taken care of from there.

 

If you need assistance from our support, please ensure the phone number is from us. I'm adding the link I recommend below for your reference: Contact QuickBooks Desktop support.

 

Please know that you're always welcome to post again if you have any other questions. The Community team will always be here to help. Stay safe, @Rdoucette.

Citizen
Level 1

My experience of QBO Online support practices around security is poor indeed. First, the lack of phone support has become legendary. Second, the serious difficulty in getting past the dumb bots that keep suggesting irrelevant help topics in response to customers' requests can at times be Kafkaesque. Third, because it is impossible to get to any QB employee live on chat or phone regarding security issues without hours of effort and multiple employees passing the buck, culminating 2 hours later in a button that triggers a request to email security@intuit, this is not helpful to the customer, but only to Intuit in monitoring security breaches, scams, and data compromises that already occurred. These are not practices demonstrating care for customer safety or experience.

Meanwhile, some of our coworkers react to QBO's lack of phone support as the other workers' fault, which caused them to call QBO and land in the lap of tech scammers, who used TeamViewer to take over the machine to run scripts — potentially compromising far more than our QBO account, and affecting the security of the whole business.

 

QBO Customer interface practices present multiple points of security exposure threats to QBO users by its wall of unavailability.
