Tax firm H&R Block doesn’t verify client’s e-mail, leaks personal info

With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders. The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns.

We created an account at H&R Block and were not asked to authenticate the e-mail address we used.

The stranger happens to share Johnson's first and last name, and for reasons that aren't entirely clear, the alter ego occasionally uses Johnson's e-mail address when creating accounts. At no point, Johnson said, did he receive an e-mail from H&R Block requiring him to confirm that his e-mail address was connected to the other person's account.