Compromised Intuit accounts have left business owners on the hook.
Starting in late 2015, a growing number of Intuit Merchant Services and QuickBooks Payments users have publicly claimed that their merchant accounts were compromised by an unknown third party. These hackers discreetly changed the merchants’ account settings, initiated fraudulent transactions worth tens of thousands of dollars, and then disappeared, leaving merchants with a bill from Intuit for the massive amounts that were stolen.
On third-party message boards, complaint forums, review websites, Twitter, and even Intuit’s own support forums, merchants are reporting the exact same scam. Without their knowledge, a third party somehow obtained access to their Intuit accounts and changed the linked bank account information, ensuring that any payments would go to the hacker’s bank account rather than the merchant’s. The merchants then noticed huge transactions—sometimes up to $20,000 per payment—being charged to customers’ credit cards without the authorization of the merchant or customer. Some merchants contacted Intuit immediately and received varying responses from the company’s risk department. Others claim to have not received any notifications whatsoever from Intuit regarding these transactions until the transactions were eventually disputed by customers. In all cases, however, Intuit closed the merchants’ accounts and proceeded to bill the merchants for the fraudulent payment amounts, which, of course, they never actually received.
Many of these merchants have openly wondered why Intuit is billing them for the full payment amount given that these transactions weren’t initiated by the merchants, did not end up in their bank accounts, were clearly outside of their established average/maximum transaction limits, and, in some cases, were dutifully reported to Intuit. These merchants further assert that Intuit, not merchants, should be held accountable for the funds because Intuit processed payments that were clearly fraudulent and then deposited those payments into unauthorized bank accounts. Intuit’s Terms and Conditions, however, state the following:
SUBJECT TO APPLICABLE LAW, INTUIT, ITS AFFILIATES AND SUPPLIERS ARE NOT LIABLE FOR ANY OF THE FOLLOWING: (A) INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES; (B) DAMAGES RELATING TO FAILURES OF TELECOMMUNICATIONS, THE INTERNET, ELECTRONIC COMMUNICATIONS, CORRUPTION, SECURITY, LOSS OR THEFT OF DATA, VIRUSES, SPYWARE, LOSS OF BUSINESS, REVENUE, PROFITS OR INVESTMENT, OR USE OF SOFTWARE OR HARDWARE THAT DOES NOT MEET INTUIT SYSTEMS REQUIREMENTS.
The company’s terms also make this claim:
YOUR USE OF THE SERVICES, SOFTWARE, AND CONTENT IS ENTIRELY AT YOUR OWN RISK. […] INTUIT AND ITS AFFILIATES AND SUPPLIERS DO NOT WARRANT THAT THE SERVICES ARE SECURE, FREE FROM BUGS, VIRUSES, INTERRUPTION, ERRORS, THEFT OR DESTRUCTION.
These clauses seem to release Intuit from any liability related to these hacked accounts.
One major issue appears to be whether the merchants are at fault for the original unauthorized breach of their Intuit accounts. On an individual level, it is standard for merchants to be held accountable for a failure to protect their account login information from malicious third parties. However, the scope and timing of these reports raise the question of whether such a high number of merchants, located throughout the country, could really have been this careless with their account details within the same few months in late 2015. More than one frustrated merchant has theorized that the hacks were due to a breach at Intuit rather than merchant neglect.
If such a breach did occur, it would be the second major security failure associated with Intuit in 2015. In February 2015, Intuit reported a spike in fraudulent tax return filings through its TurboTax program. Independent analysts eventually confirmed that Intuit’s own systems had not been breached; rather, the fraudsters had used stolen identity information to generate false tax returns through the TurboTax website and issue those tax returns to untraceable prepaid debit cards. Even though Intuit’s servers had not been compromised, some independent experts criticized the company for not doing enough to verify the identities of its users, including notifying users of account changes and requiring email and phone validation upon signup.
Is it possible that QuickBooks Payments users have fallen victim to a similar scam in less than a year? The available merchant complaints don’t provide enough details to draw a conclusion one way or another. In a more general sense, however, these reports raise serious questions about the protections that payment processors actually extend to merchants. If a processor’s internal monitors don’t immediately flag uncommonly large transactions, then what purpose do transaction limits serve? And if a merchant’s account is hijacked and used to process tens of thousands of dollars in fraudulent payments, then why is the merchant required to pay those costs? The answers to these questions are more troubling than the average business owner might expect.