BLOCKHEADED LAPSE —

Tax firm H&R Block doesn't verify clients' e-mail, leaks personal info

Failure gives man ability to hijack stranger's pending tax return.

With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders.

The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns. We created an account at H&R Block and were not asked to authenticate the e-mail address we used.

The stranger happens to share Johnson's first and last name, and for reasons that aren't entirely clear, the alter ego occasionally uses Johnson's e-mail address when creating accounts. At no point, Johnson said, did he receive an e-mail from H&R Block requiring him to confirm that his e-mail address was connected to the other person's account.

"I imagine that this other Aaron Johnson (same name as me) has an e-mail address close enough to mine that he occasionally mistypes and uses mine instead," Johnson told Ars. "Ordinarily this is just annoying because I receive email for accounts I don't control, but the stuff I'm getting from H&R Block is disturbing."

E-mail verification is a standard practice—or at least it should be. When done correctly, account set-ups aren't complete until new users demonstrate they have control of the e-mail address they associated with their username. But this step requires more work on the part of website operators and often creates resentment among some users. It wouldn't be surprising to learn that H&R Block isn't the only online financial service cutting this corner.
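The flow the paragraph describes, as an added example that is neither the article's nor H&R Block's code: the account is created in an unverified state, only a hash of a one-time confirmation token is stored, and nothing carrying personal data is addressed to the mailbox until that token has been redeemed within its lifetime. The `Registry` and `Account` classes, the 24-hour lifetime and the sample names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a confirmation link


@dataclass
class Account:
    username: str
    email: str
    verified: bool = False  # becomes True only when the mailbox owner redeems the token
    token_hash: Optional[str] = None
    token_expires: float = 0.0


class Registry:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so expiry can be exercised in tests
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, email: str) -> str:
        """Create an unverified account; return the one-time token to mail to `email`."""
        # Only the hash is stored, so a database leak cannot be used to confirm accounts.
        token = secrets.token_urlsafe(32)
        acct = Account(username, email)
        acct.token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.token_expires = self.now() + TOKEN_TTL_SECONDS
        self.accounts[username] = acct
        return token  # the only content ever sent to an unconfirmed address

    def confirm(self, username: str, token: str) -> bool:
        """Redeem a token: single use, time limited, compared in constant time."""
        acct = self.accounts.get(username)
        if acct is None or acct.token_hash is None or self.now() > acct.token_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.token_hash):
            return False
        acct.verified = True
        acct.token_hash = None  # burn the token so it cannot be replayed
        return True

    def personal_data_recipient(self, username: str) -> Optional[str]:
        """Address for mail with name, address or security question; None until confirmed."""
        acct = self.accounts[username]
        return acct.email if acct.verified else None
```

A mistyped address therefore receives at most an unredeemable confirmation link, never another person's account details.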
