Thursday, April 09, 2009

Intuit.com - Backup.com - Security Issues

I just tried to get an email from Intuit. They send automated emails from a system and those emails never come to me. They just sent me a temporary password for a system and I'm not getting the email. I'm 99% sure I was entering the right password in the first place and I don't think I ever changed that password so not sure why it wasn't working.

When I do an nslookup to get the MX records for Intuit.com I get 5 mail server IP addresses. I checked in Postini and these IP addresses are not blocked. Additionally, this domain does not have TLS enforcement on. No, the emails are not in any spam boxes.

So I've been on hold going around in circles with this person online who clearly is not a native English speaker and although I asked if this email was coming from an INTUIT.COM email server many times, finally I asked him - is this email coming from within the US? All Intuit mail servers are on a 12.x.x.x IP address so if coming from an INTUIT.COM mail server this email would be coming from the US (ARIN).

Finally the guy admits that the mail is coming from a server in India. I have some IP ranges blocked in India due to spam. Aha. Now we are getting somewhere. So to unblock these mail servers I need to know the specific server from which the mail is coming.

Personally, I would rather that Intuit send such emails from within the United States. I also did not like the fact that Intuit is using some unknown mail server to send my passwords for all my backup information around and that it is not one of the Intuit-specified mail servers so I can enforce TLS encryption and receive my password securely. I also tried to check if Intuit mail servers support TLS and got booted off the mail server so not sure if it is safe to force TLS and ensure emails regarding my backup service and financial applications are secure.

But at this point I thought I understood what the problem was. Wrong.

After getting escalated again to another manager he told me that the mail was not coming from INTUIT.COM but rather BACKUP.com. So again I look up the mail servers and can see that the mail is coming from 4 Symantec mail servers. Again I dig through with nslookup and figure out that these mail servers are in the US (ARIN) and are not blocked by my mail system.

The manager suggests sending to an alternate email address. OK that will take two days for them to set up and in the meantime my password is floating around out there. Great.

But wait...just as he's about to do this...he notices that the email address in the online backup system is spelled wrong. Two letters are transposed in the system. Hmm. I have gotten many emails from Intuit and I know that I have not recently changed my email address with them. So apparently my emails from them at some point started going to this alternate misspelled domain name. I checked and the domain name WAS previously registered. That means apparently in the past someone would be able to get my emails from them and potentially get hints as to what my password was and/or call into them and get my backup password information.

Of course they assure me no one else has gotten into my backups. Probably because they do not want to be liable when it is uncovered that someone has stolen all the financial and business information I have been backing up with them.

I assume when Intuit has you put in email addresses for a backup system which is highly critical, that they verify the person who put in the email got an email back from them before they start sending passwords out this way to that email address.

This is a pretty serious problem if you ask me. I am now wondering who has stolen all my data that I have tried to back up with them for security reasons.
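The address check the post assumes above (confirm a new email address before any password mail goes to it), as an added example that is not part of the original post and not Intuit's code. The account layout, function names, secret, token lifetime and `.example` addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; a real service keeps this server-side
TOKEN_TTL = 24 * 3600                 # assumed lifetime of a confirmation link, in seconds


def _mac(account_id: str, email: str, expires: int) -> str:
    msg = f"{account_id}|{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_email_change(account: dict, new_email: str, now: float) -> str:
    """Store the new address as pending and return the token mailed to it."""
    new_email = new_email.strip().lower()
    expires = int(now) + TOKEN_TTL
    account["pending_email"] = new_email
    return f"{expires}.{_mac(account['id'], new_email, expires)}"


def confirm_email_change(account: dict, token: str, now: float) -> bool:
    """Promote the pending address only if the token proves it was received."""
    pending = account.get("pending_email")
    try:
        expires_text, mac = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False
    if pending is None or now > expires:
        return False
    if not hmac.compare_digest(mac.encode(), _mac(account["id"], pending, expires).encode()):
        return False
    account["verified_email"], account["pending_email"] = pending, None
    return True


def password_mail_recipient(account: dict) -> str:
    """Password and reset mail only ever goes to the confirmed address."""
    return account["verified_email"]


def demo() -> tuple:
    # Constructed account, addresses and clock values.
    acct = {"id": "acct-1", "verified_email": "owner@backup-user.example"}
    request_email_change(acct, "owner@bakcup-user.example", 1_000)  # typo, never confirmed
    after_typo = password_mail_recipient(acct)
    token = request_email_change(acct, "owner@new-mail.example", 1_000)
    confirmed = confirm_email_change(acct, token, 1_060)
    return after_typo, confirmed, password_mail_recipient(acct)
```

With this flow a transposed address stays pending indefinitely, so password mail keeps going to the last address that was actually confirmed.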

Finally -- I'm wondering how, after they reset my password to a temporary password - I can still back up my files. If the password has been reset, shouldn't access to the backup system be denied if my local software is using the old password?
_____

OK I just got a call from Intuit again and this manager I was speaking to told me they have regenerated the password email. I still do not have any emails from them. I am calling in again. The person I got on the phone is trying to get information from me and I'm telling him just to get me back to that person so I don't have to spend another hour and a half on the phone....

...ok got through to that person again. Apparently he called and told me the email went through but he checked some system and the change to the email to correct it was not made. So he's going to go back and check again. He says usually this process takes a couple of days and he's pushing it through so I appreciate that. It's just kind of a huge hassle to get this resolved.
____

Hours later...still no email from Intuit. I guess I'll have to call tomorrow a.m.
____

Next day... I had two emails telling me this issue was resolved and asking for feedback...trying to call again...they are making me go through all the questions again and asking what the problem is over and over again...this is really annoying. Don't they have my business name and all that related to the case number?

...OK the manager I was supposed to ask for is going to call me back in 15-20 minutes....
____

I got a call. It was more than 15-20 but I got a call so that's good. I had to leave my house by that time to run errands so wasn't at my computer. The email hadn't arrived by the time I left my house. The manager re-initiated the email shortly after he called me and when I was able to log in to my computer a few minutes later the email finally arrived.

The strange thing is that he told me he received confirmation that the automated emails were sent prior to this one - they never arrived. So why did this one?
____

And in summary...I don't trust online backup anymore. Encryption, schmencryption. It doesn't matter if someone can compromise your password - and even after the password has been changed, the software still allows access to upload and download files. Somehow my email got changed in their system, someone set up a fake domain potentially and got access to the files.

Security is not about encryption only. Security is about process and people and auditing and verification and surprise random testing and monitoring.

From here on out I think I'll figure out a way to encrypt my local files before I send them over to the online backup service. This is a total pain as it depends on me remembering my password to encrypt and decrypt the files however so it's a pain.

I think I will also set up a periodic test to download and decrypt my files to make sure someone has not again changed my email, gotten my password, etc. But now it's probably too late. Someone probably has my pertinent data if they already got in there and there's not much I can do about it.
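One way to run the periodic restore test described above, as an added example that is not part of the original post: a keyed manifest is built locally before upload and checked against whatever comes back after download and decryption. The function names, sample files and key are constructed for illustration, and the copy step stands in for the real download and decrypt.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def _tag(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Run before upload; keep the manifest and key off the backup service."""
    files = _file_hashes(root)
    return {"files": files, "tag": _tag(files, key)}


def verify_restore(restored: Path, manifest: dict, key: bytes) -> list:
    """Run after download and decryption; returns a sorted list of problems."""
    expected = manifest["files"]
    if not hmac.compare_digest(manifest["tag"], _tag(expected, key)):
        return ["manifest: tag mismatch"]
    found = _file_hashes(restored)
    problems = [f"missing: {p}" for p in expected if p not in found]
    problems += [f"unexpected: {p}" for p in found if p not in expected]
    problems += [f"changed: {p}" for p in expected if found.get(p, expected[p]) != expected[p]]
    return sorted(problems)


def demo() -> list:
    key = b"constructed-demo-key"  # constructed; a real key is random and kept locally
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        (src / "ledger.dat").write_bytes(b"books")   # constructed sample files
        (src / "notes.txt").write_bytes(b"memo")
        manifest = build_manifest(src, key)
        shutil.copytree(src, restored)               # stands in for download + decrypt
        clean = verify_restore(restored, manifest, key)
        (restored / "notes.txt").write_bytes(b"altered")
        (restored / "ledger.dat").unlink()
        return [clean, verify_restore(restored, manifest, key)]
```

An empty list means the restore matched what was uploaded; any entry is a reason to stop trusting the account until it is explained.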
___

Oh and for the record, the email did not come from backup.com OR intuit.com. It would be nice if the service people knew what they were talking about in that regard as well. However it should still be coming from an Intuit mail server and those servers should publish that they use TLS so people can enforce end to end TLS.