How to update from from Win7/8/8.1 to Win 10 using a downloaded copy of Windows 10

Over the past couple of months those who have Microsoft Vista-Microsoft 8.1 on their computer got a sometimes unwelcome message to upgrade to Windows 10.  If you clicked on the pestering pop up, you go to the Microsoft store and "start the process."  This downloads a lot of bits (about 3 g) that is the Windows 10 operating system.  Some of the time, maybe most of the time, the upgrade goes without a problem; but some of the time it fails.  There are some reasons for this that are user issues, such as not knowing how to answer the various questions that have to be answered before the install begins.  If it is successful, you will have Windows 10 installed and all your personal applications and drivers will work.  

If you have a problem, or if you have multiple computers to upgrade, it is easier to download the Windows 10 operating system to a flash drive (or CD, but many computers don't have CDs now; another blog topic).  The procedure is well documented and the download to do it is provided at this url:  https://www.microsoft.com/en-us/software-download/windows10.

It is one of the more painless Microsoft procedures I've encountered.  

Here are pictures of the dialog sequence to complete the download.  I assume they are self-explanatory.  (BTW, the tool that is downloaded and runs this dialog is called 

MicrosoftCreationToolx64.exe.

In the following frame, the first one, pick the second option "Create installation media for another PC": 

Pick USB Drive.  Use a clean 4Gig drive.   By clean I mean that the drive has been freshly reformatted to a "bare" drive and as FAT32.  This USB will be dedicated to Windows 10 installations until you don't need it any more.  

Once the USB Drive is completed, the contents looks like this.  The setup.exe will be the program you run on the computer you are upgrading. 

How to add a new user to your Windows 10 device

Today I wanted to add a new user to my Windows 10 machine.  On the "normal" Windows 10 Settings for adding a user, I could NOT find a way to add a local user.  The only options available required adding a Microsoft account.  You know I don't like those accounts because it logs you into the Microsoft Cloud at login and I don't use Microsoft.  Early on, it was frustrating because the login took so much time.  That's how I discovered the Local User option, which works like a pre Windows 8 user account.  That's the way to go if you don't want to be just a client to the Microsoft Cloud.

Anyway, Microsoft help was no help.  It was wrong!  But I did find a web page that definitely works.  So go here if you want to create a new user account on Windows 10.

For those who have delayed switching to Windows 10

Windows 10 capability has, to date and in general, been released in bits and drabs:  updated features here, fixes there.  This past week was the first very major refresh, meaning that the complete operating system was pushed out by the Update facility.  At this point, it is probably reasonable for most non-business users to switch to Windows 10.  Microsoft will continue to add features and fix bugs before the next complete reissue of the operating system, which will probably be in June, 2016.  Most of the activity will be in the business side of the Windows operating system, so I expect only bug fixes for the non-business user (other than Edge).

The new browser, Edge, now seems to work most of the time, but I still wouldn't rely on it as my only browser.  If you insist on using a Microsoft browser, go to the start button, left click, and then type "iexplo" in the search bar.  iexplore.exe should pop up as the result of the search.  This is the "old" IE 11 browser.  Left click to start the browser.  Then right click on the browser's icon on the task bar and click on "pin to taskbar" to keep the icon for easier access from that point on.  In general, I am an advocate of the "three browser" approach:  whatever Microsoft provides that works, Google Chrome, and Firefox.  Each browser has its advantages.

I would recommend a few minutes of 'handholding' during the installation process.  There are a number of "traps" associated with the default install process that could be unwelcome to most users.

Editorial comment:   Microsoft has "commercialized" Windows... literally... why do you think it is free?  The normal process ties you to logging in to the Microsoft Live Cloud environment at the time you log in to your computer.   The action is one and the same.  It is perhaps reasonable to have an email service that logs you into "commercialization," but I don't expect it with what is supposed to be (to me) an agnostic operating system.

The way around it kind of hidden in wording that suggests you shouldn't "go there" during installation.

Interesting Phishing Technique: Dangerous!

I got this email today concerning jobs at Amazon:

The link has an interesting url:  web.jameye.allaboard.com.  Plus some gibberish after that.  I'd like to know what is at the other end, but could get nothing off the internet.  It is certainly a phisher and could be a trojan as well.  Beware of job ads like this.  

Computer Death by Stink Bug

This is a real computer bug story.  You know those smelly flat bugs that are into everything this time of year.  They seem to be able to get into airtight, watertight, whatevertight spaces and wait to emit their patented odor.  Well, I think I have the first documented case of computer death by stink bug.  I got an ailing computer in and, as I was cleaning the main fan, out popped a stink bug.  It is likely the stink bug was limiting air circulation in the computer and one or more of the computer components succumbed to the lack of cooling.

Conclusion- check your computers; clean out the cooling system and all the pathways.  You just might find a stink bug!

DSL service down at Glassy

As of 9 am, my DSL service is down, with  a comment that  "it will be restored within 24 hours."   OK, for those who say that 4G wireless service is unrealiable,  by 4G service has never been down.  DSL goes down several times a year.  No storms this time.  Storms will cause DSL outages.  In national disaster events, FEMA relies on satellite uplink trucks as a  worst case scenario and cellphone as the next most reliable.  Cable next.  DSL last.

Oh, that's right, you can't read this blog entry because you don't have internet.  Dah!  Well, this can be an historic record.   Wait a minute!  If you have a data plan on your cellphone, then you can read this in "real time." I stand corrected to my correction.

More Problems with Phone Calls- watch out for these... calls from your own phone

I have several blog entries on phishing and scam phone calls.  This entry is that your own phone number is being spoofed.  You will get a call from your very own phone.  That is, the caller ID says your phone number and the caller name is your name.  Answer the call and it will hang up (phishing for active number) or there will be a scammer on the other end.

The actual phone call is from an entirely different number.  It is the Caller ID that is being changed.

How do the spoofers do it?  You can google "caller ID spoofing."  There are a number of free programs that do this.

What do you do now?  Used to be you could ignore any numbers that didn't provide a recognizable caller ID, but now the caller ID has been hijacked.   What if you are in a business where potential customers might call from any number?  How do you know if it is a customer or a spoofer?  You don't.  What if the spoofer is using your home phone number?

Clearly, the technology has lagged behind the ingenuity of the criminal mind.  For now, we have to not answer any calls and await a phone message.  Of course, I listen to the phone message, it is someone I know, so I call them back.  Of course, since they are in the same boat I am, they won't answer the call back.  So we don't communicate at all except through phone messages.

This is pretty bad and the phone companies should fix it using some sort of security mechanism that does not allow caller ID changes.  I would go so far as to say that if the calls are coming from a foreign country and they don't fix the problem ASAP, all calls from that country should be blocked until they do.

Or I guess we go to texting.  What is your experience and do you have a way around the problem?

South Carolina State Support for Rural Communities to Evaluate Rural Broadband Solutions and Manage Projects

This note is intended to kick off a discussion, using the discussion box below, on how a state can facility implementing the optimum broadband solution for rural and even suburban communities.  In general, it assumes that fiber distribution to all homes is too expensive per home and that current service is judged by members of the community to be inadequate for home use or for current or future business use.

I'll start by listing three possible proposals that could be turned into bills at the state level:

- 0 interest loan or a grant to evaluate the best option (pay project manager to manage community or geographic area through RFI and RFQ process)

- tax rebate or tax deduction for installing equipment for the rural type initiatives- transmitters for companies; antennas for houses

- team with Small Business Admin through their small business loan process

Any other candidate proposals?  

Windows 10 default install is insecure: tips to not get caught in their web

When Windows 10 installs, its initial startup process looks a lot like Windows 8.  However, the defaults are set for an intrusive, insecure experience.   Can you believe that?  Well, the reason is that Windows 10 is built for all devices, and so you are getting an initial startup process that might make some sense for a smartphone but not for other devices... unless you want to let them know where you are, what you are browsing, what you shop for, etc.

A good starting tutorial for how to correct Microsoft Windows 10 default settings is found at http://www.wired.com/2015/08/windows-10-security-settings-need-know/?mbid=nl_8515.

I have some pictures of my own Windows 10 installation to show you how to avoid their intrusive experience.

After Windows 10 installs it has some screens that set parameters "for an optimum user experience."  In general, all the settings should be set by you to No or Off, instead of Yes or On.  Here are the pictures:

First screen:  You'll probably want these off.

Almost everyone has an antivirus application to manage web browsing.  Turn off Browser and Protection.  Turn off Page prediction, because your browsing pages will be sent to Microsoft.
Don't automatically connect to browsing hotspots.  Ditto on the next two items.

On the final screen, don't check any boxes unless you want to force yourself into the new Microsoft applications.   Most everybody has their own personal favorites.  If you check the box, you will lose your favorite as a default.  

New Look for an Old Scam- Your email has been accessed from unknown location

The following email is being sent to potential victims:

The blackout in the brackets after E-mail Service is a user id at an email account.  I suspect the hackers bought the email address from a reseller and the email belongs to someone in our community.

The link is unusual and is probably the way future "bad links" will be made.  It is a "tinyurl"  Tinyurl is a web site that changes a long internet address into a short one.  In this case, the url is http://tinyurl.com/q6ornxn  This is called "cloaking" when it is used by black hackers.   I can run an "unshortener" to get back the long url.  However, when I do for this url it says it is not recognized.  So this is not good at all.

Calls from 546-659-4152: what's going on?

Calls from this number are fraudulent and are costing our neighbors money.   Too many are falling for it.  The frauds call the same phone number several times a day. Your caller ID does not give a name.  Out of curiosity or whatever you finally answer.  Let me give you the details on what they do:

1. The tell you that you have some malware on your computer  (If you can understand them.   The person on the other end has a very thick east Asian accent.)
2. They will ask you to run eventvwr, an application that shows the log of all activities on your computer.  (For windows, go to This log will always have warning messages and errors in it.  It has nothing to do with malware or viruses.)  It is normal operation to get errors.  But they tell you that you have malware and viruses and your computer is in danger.  They ask to log on to your computer to fix the erros.
3. They ask you to download Teamviewer (you might already have it, but that doesn't matter)  You give them an ID and password that teamviewer generates and they get control of your computer (Note that I use Teamviewer too.  Teamviewer is not the problem; the problem is the person on the other end. )
4. They will start asking for money.  They will get your credit card information.  (If you have fallen for this fraud, the credit card info is probably being sold on the criminal market.  Get a new credit card.)
5. They will run a number of free, open source and readily available programs that will always show that your computer has some problems.  I think their favorite is CCleaner, which everyone should be using.  You don't have to pay $100 for them to use it  
6. They may have you agree to a contract.  If you do that, then you may not be able to stop payment on your credit card by reporting the fraud.

So, as a community we are in uncharted territory.  Since it looks like everyone is being called, our personal information has been compromised!  That probably includes our social security numbers.  We have to assume that someone is selling that information and we know that this one company is using the information.

You know the drill, but this is serious now.

1. Don't use your social security number as a method for verifying who you are.
2. Don't fall for any of these fraudulent computer service outfits.  In fact, if you want to, play them along and act stupid to waste their time.  You can even let them on a computer you don't care to restore and keep them going as long as you can. 
3. Long passwords.  Don't use the same password twice.  Change your passwords.
4. Always use https:  as your internet site prefix.  That sets a secure connection.
5. Don't save any important documents "on line" without encrypting them.  I can tell you how if you call.
6. Stay away from suspicious sites and don't download any free software without validating that the site is trustworthy.
7. PDF files still contain poison pills.  So do Flash files (Video streaming files).  It is getting to the point where other technology is being used to display video.  You could turn off the Flash plugin and see if it is really used that much for what you do.

Fix-My-Computer Dude Update

In a previous blog entry I described the Fix-My-Computer Dude scam.  This scam and many others like it have "technicians," supposedly from Microsoft, calling to tell you that they have detected a problem on your computer.  You let them on your computer, show you "problems" and then try to get you to buy a service, perhaps up to $300/year.  If you balk, then some scammers will start a program that destroys the data on your hard drive. (This doesn't necessarily happen with the Fix-My-Computer group.)

Well, there is more to the story.  After I published the blog entry, I got comments that extolled the virtues of "Fix-My...".  Apparently, the outfit has people trolling the internet for negative comments and they try to "correct" the misconception.  For your entertainment, here is a screen shot of their comments:

Is Window 10 Free... Forever, or Do You Have to Pay an Annual Fee After the First Year?

Well, it is almost time for Windows 7 and 8 users to be able to get the free upgrade to Windows 10.  But there has to be a catch, right?  The most common catch going around the internet is that it seems to be free for the first year, but, since Microsoft is moving to a rental model for programs, a fee will be charged for each year after the first.  What is the truth?  To summarize what is known:

• Windows 10 will be a free upgrade for Windows 7 and 8 users for the life of the current computer.  There will be no annual fee.  But only for the current computer.  
• You will be able to download a full installation disk for Windows 10, so you will not be stuck with a use until fail scenario, or  a use until you add something to the PC/tablet/smartphone scenario.
• Windows 10 free upgrade will not be available to Vista and XP users. 
• There isn't any special support program for Windows 10.  You get help from me, your own local IT expert, or from the Microsoft knowledge base.  Fee for service through a contractor will be available on the Microsoft website.

For the general user, I am recommending about a 3 month wait after general release before trying to install Windows 10 over an existing system.  This will give Microsoft time to fix the "big" flubs in the system.

 For details, read http://www.forbes.com/sites/gordonkelly/2015/06/17/windows-10-free-for-1-year-what-happens-next/

Caller ID and Spoofing

Do you have caller ID on your phone line?  I do.  Increasingly, I am getting unsolicited calls from my local area code that are unsolicited and even dangerous (The ones that say your computer has been hacked.).   This practice, called "spoofing," is a direct and conscious business decision on the part of the caller to avoid FCC regulations regarding unsolicited phone calls and caller id.  For the regulations, in readable form, see https://www.fcc.gov/guides/caller-id-and-spoofing.  "Intrastate calls are not subject to the caller id regulations."  When I asked the last spoofer, who was marketing technical literature, including literature on internet security, why the company was using local numbers, she quickly and seamlessly replied that it was so I would have a local number to return the call.  Ha!

So this is getting ridiculous.

I guess the response from us has to be NEVER answer a local call that doesn't give caller ID information you recognize.  Let them leave a message.

And I'm outing eWeek (PCWeek) as the spoofer in this last case.  Shame!

By the way, there are many computer and smart phone apps that will provide you with "spoofing" capability.  For example, one can be downloaded at (don't bother going there unless you go in sandbox mode and as a incognito browse session) http://www.spoofcard.com/.  Unbelievable!

Saving to Google Drive from Google Mail

Often I get emails that are really documents; eg, travel reservations, receipts, minutes... There is a way to save them to your Google Drive as a PDF file with two clicks.  You can google "save gmail to google drive" and get many hits; one is http://lifehacker.com/quickly-save-an-email-to-google-drive-with-google-cloud-1593199317  The summary is:

1. Click the little print icon at the top of your gmail email.  
2. You will get a Print dialog page.  If the Destination field doesn't say "Save to Google Drive", click the change button under that.  Find the entry "Save to Google Drive" and click it.  If you don't see it in the selection list, click "More" at the bottom of the list.
3. Back at the Print dialog page, click Print.  Off it goes as a PDF to your drive

Note that it saves the document to the "root" of the drive.  If you want to save it in a Drive folder, you'll have to switch over to the drive, click "recent documents", and then click on the drive folder navigator to find the folder where you want to save the document.  Use your mouse to drag the document to the folder.  That's it.

Recent Corporate Hacks and What You Can Do to Protect Yourself

The US government has been hacked... I got my notice today that I was "on the list."  South Carolina has been hacked.  Lastpass has been hacked.  Basically, you can be assured that information about everyone on line is in multiple databases being sold to nations, terrorist organizations, companies, and individuals that mean to do you harm.  The information they have includes at least

1. Your name
2. Your email address
3. Some preferences on your buying habits
4. Something about your past employment or activities

In addition, they may have your phone number... how many of you have had mysterious phone calls where you answer and no body is on the other end?  Robo-devices checking whether or not the phone number is active:  premium price to the buyer if legit phone number.  They may have your address and your social security number.   This is China, Russia, ISIS/ISIL, Iran, Pakistan,...  They are not amateurs.

Please begin using two factor authentication on all accounts that offer it.  I use it. This is a difficult topic to describe in a written/short tutorial.  Instead, please go to this UTube and follow what it says:  https://www.youtube.com/watch?v=7VUPuf6uwi4.  You can google "Youtube two step verification" and add whatever search terms you want to get other training videos.

For those using Lastpass, Lastpass uses two-step verification, but you have to start it.  Furthermore, it uses, among others, "Google Authenticator," which makes it "easier" to supply the verification number.  To start Lastpass two-step authentication, go to your "My Lastpass Vault" and open your account settings (on the left navigator).  When the new view pops up, click "Multifactor options" in the top menubar.  Follow the directions.   You can select from many different smartphone applications as your "authentication helper," but if you are on google, you might as well have all your authenticator function in one place.

If you need help, let me know...

Example and Tutorial for a Technical Solution for 4G Network (up to 350M) for our Community

See "Rural Connectivity, Cambrium Networks".

From the Verizon 4G page:

LTE in Rural America

At Verizon Wireless, we're committed to extending 4G LTE coverage beyond the footprint of our nationwide network. With the LTE in Rural America Program, we're collaborating with rural carriers that serve areas not currently covered by the Verizon Wireless network. By combining their tower and backhaul assets with our core LTE equipment and premium 700 MHz spectrum, these participating rural carriers can more quickly build and operate their own 4G networks.

Expanding 4G LTE access to rural areas not only provides the speed and reliability of 4G to rural carriers' customers when they travel, it also ensures a seamless experience for Verizon Wireless customers traveling in areas outside our network.  Together with our partners, we're bringing the speed and performance of 4G LTE to rural America.

Here is a press release on what is happening in Europe:  http://press.ihs.com/press-release/technology/high-speed-broadband-and-4g-lte-coverage-dramatically-rises-europe-accordin

Here is a recent opinion piece on 4G Rural Networks:  http://www.aglmediagroup.com/opinion-the-keys-to-the-rural-cellular-buildout/ 

Here is an "easy-read" piece on status and capability:  http://www.wired.co.uk/news/archive/2015-02/11/ee-investment-rural-network.  Here is a youtube example:  https://www.youtube.com/watch?v=3SzGhnIH9Sk.  Here is another "easy-read" overview:  https://danielmiessler.com/study/cellular/

I should mention that 4G and followon technologies can be hybrid networks:  Use fiber where financially cost competitive and use 4G transceivers to bridge the gap.  Don't use copper for any significant distance.  

Among other references:

• Wiki Review- 4G
• Wiki Review- LTE
• Indiana Rural Broadband Report 
• Verizon LTE in Rural America Report
• Connect South Carolina Web Page
• 2015 Final Report
• Broadband USA (a US govt contracted office, if I understand right)
• Building the 4G LTE Wireless Network
• Example of equipment
• A Broadband Wireless Cost Model
• Planning a Broadband Network

Navy Phishing Letter

I got this yesterday.  It is obviously spam:

Dear Customer Important Alert for Account Access Users! You may have recently received an email from Navy Federal Credit Union inviting you to take a survey about Navy Federal Account verification survey, to protect and safeguards your Account Details. Survey invitations are sent to the email address we currently have on file. To get started on the survey, just click the link below. Click here to help you perform this verification survey. © 2015 Navy Federal Credit Union® Security Advisor

It is from Jawalakhel, Lalitpur, Kathmandu, Nepal

What would be the roadmap to a 4G Rural Americas Program Solution?

1.  Education... lots of it... on this blog and by other means.
2.  Identify potential suppliers.  Write an RFI (Request for Information) to see if there is are suppliers that can provide a technical solution consistent with our needs and constraints (eg, terrain)  Who?  Don't know.  Any suggestions?  How about a joint RFI from the three mountain communities?
3.  Identify potential manager companies.  The assumption is that there will be a technical solution and then a business management solution.  I would be very surprised if the two functions would come under the same hat.  The manager corp take care of operations.  I'm working on that.
4.  Serious negotiations could occur only if there are reasonable responses to the RFIs.  RFIs are NOT the final kind of technical document.  It is only a scope and possibility document.
5.  Establish the potential manager company, at least for the timeframe required to evaluate the responses to the RFQs.
5.  After RFIs come RFQs (Request for Quote), which would be generated jointly by the RFI writers and the potential manager company..  The responses would be evaluated and a partner selected.  A contract with the manager company would be established.   A budget for implementation and operation would be drawn up, etc.  From here it is the project management drill for a program.    

Slow Internet, High Costs for Internet, TV, cellphone, phone service in our communities

The communities where most of my readers live are situated in rolling hills or mountains.  4G cell service is spotty- we get it second hand from a nearby city.  4G as a technology has the potential to provide all our communication services at a low cost compared to what we pay today.

However, our "standard" internet service is ATT DSL with a max of  6M and it is costly.  Some of our members have gone to a satellite service, but that is expensive and doesn't move the speed bar that much. I think all of us have to use a satellite service for TV, which is, in itself, expensive compared to options that can bundle all communication services on the same infrastructure.

Some in our communities are lookiing at Uverse-like solutions, solutions that run over fiber and then copper wires.  Those technologies are self limiting because they either include small copper wires, which have limited signal capacity and are degrade the signal with distance, or they include expensive fiber.  Whether it is cable, Uverse, or satellite, they are not long term, economical communication service solutions.

4G, which you should recognize as something your cell phones might use, is a technology that is coming into its own as a community communication service. I've been talking with Verizon tech about "LTE in Rural America Program", VOLTE, and "Small Cell".  (Follow the links for background.)   I've also been keeping track of Verizon progress on the flagpole- technical issues, etc.   Small Cell coupled with the LTEiRA looks like the best choice, but we may have to invest in the Small Cell as a community.

A typical, non-dedicated LTE broadband service can provide a download speed in excess of 30mb/s and an upload speed in excess of 15 mb/s.   LTE-Advanced can provide peak rates up to 1 Gbit/s fixed speeds and 100 Mb/s to mobile users.

I would welcome others who know about how 4G would work for a geography and low population density such as ours to comment below.  

Attention: All AOL users- your mail isn't getting through... and all Google Mail users- look at spam and filter aol

It seems that there has been so much spam/fishing/bad emails from AOL to Google Mail that Google automatically puts all aol emails into the Google Spam folder.  So, AOL people:  your email is not being seen by Google people unless they specifically "filter" messages to allow AOL email in their Inbox.

For Google Mail people. Look in you spam folder. You will have to be proactive and set up a filter for every aol person with whom you correspond.  Details on setting up filters can be found at https://support.google.com/mail/answer/6579?hl=en.  Paste this in your address bar.

Also for Google Mail people:  If you know about filters, you might be tempted to just put aol.com as the filter criterion; then route the messages to your Inbox.  The risk in doing that is Google is putting aol into the spam folder for a reason:  AOL seems to have been infiltrated and there are too many phishing attacks originating from that domain.

Wow! Google has a new contact manager that may enables sharing contact lists across organizations

This is the Google announcement:  http://googlesystem.blogspot.com/2015/03/google-tests-new-contacts-interface.html.  Copy and paste that into your address bar.  It is an early March announcement, but I was just "automatically upgraded to the new version.  It looks like, using the Google+ environment, you can create a "friends" group, which might be an organization you belong to (eg Barbershop, Church) and share the addresses between all that are in the group.  It looks like Google is saying that your address list for your organization will be up-to-date for all people in your organization!  Has anyone tried it?

Warning: Turbotax Fraud on Electronic Refunds- and Possible Coverup?

One of my acquaintances has had a terrible time with the electronic refund process of Turbotax.  I thought I would describe what has happened as a warning to everyone that there is some built in slick bait and switch inside the Turbotax filing process and, in this case I am going to describe, perhaps some fraud from inside the Turbotax refund process (Important:  The Turbotax refund process includes third party financial services, so Turbotax has plausible deniability if there is indeed something going on.)

If you are not familiar with what has gone on with Turbotax earlier, here is a summary I copied from Forbes (My story continues after this copy.  Look for the horizontal line.):

---

TurboTax has resumed acceptance of electronically filed state tax returns after temporarily turning off service in all states on Thursday, February 5 after reports of suspicious activity.

The move to temporarily suspend service followed concerns in at least 18 states that taxpayer data had been compromised. The state of Minnesota actuallytook matters into its own hands, announcing that it would not accept returns transmitted by TurboTax.

As a result, Intuit INTU +1.52%, the company responsible for TurboTax, reached out to Palantir, a third party security expert, to investigate potentially fraudulent activities. The initial findings lead the company to believe that there was not a breach in TurboTax security but rather that data used to file fraudulent returns was obtained from other sources outside the tax preparation process. That data was used to file returns before honest taxpayers could file: when those taxpayers did log in, they found that someone else had already filed using their names and taxpayer information.

TurboTax is still working with state tax authorities to follow-up on the fraud allegations but believe resuming services at this time is appropriate. Brad Smith, Intuit president and chief executive officer, noted that the company is continuing to monitor the situation, saying, “We’ve identified specific patterns of behavior where fraud is more likely to occur. We’re working with the states to share that information and remedy the situation quickly. We will continue to engage them on an ongoing basis in an effort to stop fraud before it gets started.”

Intuit also implemented targeted security measures to combat the type of fraudulent tax activity that it is seeing. According to Julie Miller, Director, Public Relations & Social Media for Intuit, these additional steps include the implementation of Multi-Factor Authentication, a proven technology for protection against identity theft.

Meanwhile, taxpayers who were waiting to file their state returns can move forward. Taxpayers who filed state tax return using Intuit software during the hold don’t need to do anything further: any returns which were being held will be filed automatically as systems resume.

TurboTax stressed that the filing of federal income tax returns was not affected by the hold. The IRS confirmed that to be the case yesterday (see their statement).

Despite TurboTax’ insistence that the move was not system-specific, other tax preparation software companies reported that they were not seeing similar problems. H&R Block HRB -0.19%, which sits at #2 in popularity behind TurboTax in the tax software world, affirmatively stated that “[w]e have no indication this issue exists with H&R Block online state returns.” TaxACT issued a similar statement, stressing that “[w]e are not seeing similar activity in our proactive monitoring, and we will continue to partner with state agencies and the IRS to prevent fraud.”

So what makes one system vulnerable while others are not? And why target state and not federal returns?

It’s not exactly clear. But there may be some common denominators. Criminal tax fraud is big business – but it’s also a crime of opportunity. The more difficult it is to take advantage, the more likely the bad guys are going to pass. Remember that home alarm commercial that made the rounds a few years back? The one where the crooks saw the security company sign in the window and decided to move onto another house? It’s kind of like that.

That’s probably why criminals appeared to be targeting state returns and not federal returns. The potential kitty might be better at the federal level but in many cases, Internal Revenue Service (IRS) has stronger fraud detection systems in place than some states. If IRS does a better job at catching the bad returns, the fraudulent activity might slow down (or never make it into the system).

Additionally, Social Security Numbers are checked and cross-checked at the federal level, making it more difficult to file more than one return with the same number. For state purposes, the same level of checks doesn’t exist – either inside a state or between states – so that a single Social Security Number could be filed at multiple agencies in potentially multiple states without any knowledge that the number was being used fraudulently.

Using online software makes the process potentially easier for fraudsters. As noted by many of my readers over the past couple of days, online tax software requires no actual verification of identity – you don’t have to scan your license or government ID to file a return. You also don’t have to provide a paper tax form, like a W-2, to a specific individual when you file online. You simply need a computer and an internet connection. The lack of controls online make it appealing to those looking to cheat.

That begs the question, then, why aren’t all online tax software companies seeing the same kinds of issues? It may have to do with security screens but it could be even more simple: pricing and order of acceptance.

Like many other tax software companies, TurboTax allows taxpayers to file for free. This is great for taxpayers – but also for fraudsters: they can cheat for free. In other words, there’s very little outlay required.

Order of acceptance may also be a factor. With a product like TurboTax, taxpayers can opt to print and mail a federal return, but electronically file the state return. If a fraudster wants to avoid detection, they can choose not to submit the federal return (which, remember, may have stronger controls) and instead, target states. If filing a federal return is required prior to or together with the state return, it could make it more difficult to cheat: the fraudster would have to jump through the federal screens before landing on the state screens. At least one competitor, H&R Block, does require federal e-file acceptance prior to transmitting the state e-file return.

This matter is far from resolved. While all of the major tax software companies are all open for business, all are acutely aware of the potential for fraud and have issued statements indicated that they are continually monitoring the situation during tax season. Additionally, state agencies are actively involved in reviewing taxpayer returns for suspicious activities. And, of course, IRS continues to warn taxpayers about the potential for identity theft and fraud.

If you have specific concerns, individual companies advise the following:

• HR Block. If you need help, contact Customer Support at 1.800.HRBLOCK FREE (1.800.472.5625 FREE).
• TaxACT. If you suspect you may be a victim of fraud, please contact TaxACT (319.373.4514) and your state agency immediately.
• TurboTax. To assist any customers who believe they are victims of tax fraud, Intuit has implemented a plan that includes a dedicated toll-free number, 1.800.944.8596 FREE, with direct access to specially trained identity protection agents who will provide comprehensive support and filing assistance.

For more about identity theft and IRS, check out the IRS website.

---

So, the story is:  During the Turbotax filing process, the user is given the option to efile.   The federal file is free, but it costs some amount (eg $19.99) to efile the state.  In addition, the user is given the option to have the federal and/or the state refund to be directly deposited into the user's (checking) account. To use the direct deposit, the user has to provide the route and account number of the account where the refund should be deposited.

Here was where the problems started.  To sign up for direct deposit, the user checks a box for direct deposit.  Two things can happen.  If the user has used Turbotax last year, the routing and account fields are filled in from the previous return; otherwise the user has to enter the routing and account number.  The automatic fill in is certainly convenient, but it turns out that it can be incorrect.  The user is supposed to verify the routing and account number, but, in this case, that didn't happen.  It was assumed to be correct.  The entered routing and account number were incorrect!  In fact, as I will describe subsequently, it was to a route and account that was completely unfamiliar to the user.

In addition to direct deposit, Turbotax gives the option to deduct the cost of the state efile (again, something like $19.99) from the federal refund.  Sounds good, huh.  No fuss.  Deducting the cost of the state efile is a bait and switch.  It turns out that Turbotax charges $34.99 to do this.  Don't blow through the forms and miss this!  Furthermore, your remainder tax refund seems to take a different route from the IRS to your  deposit account.  A third party bank, The Citizens Banking Company, in Ohio, fronted by a third party company, Tax Products Group (TPG) in California, handles the transactions.  Apparently, the tax refund is sent by the IRS and the state bank to TPG.  TPG takes out the $34.99 and then sends the tax returns on to the route and account the user provided.  (By the way, if you look at ALL the forms created by Turbotax as part of your return, if you have opted to have this done, you have created and agreed to a 4 page contract.  Bet you didn't know that.)

In this case, the route and account entered by Turbotax had no relationship to my acquaintance.  After many inquiries the net is:  TPG says then received the IRS refund, processed it, and sent the money on to the route and account number.  The route number was to Chase Bank in Illinois.  But, it turns out that the account number is not recognized by Chase. Chase did not receive the money.  It should have been rejected by Chase back to TPG.   TPG has washed there hands of the whole thing- they sent a form "findings" letter saying Chase has the money.  Turbotax has been giving a royal run around.  The individuals I talk to each time I call seem very helpful, but nothing happens.

More to come... But the takeaway is to not do direct deposit through Turbotax, especially if you opt to take funds out of the federal refund to pay for the state efiling.  Something is wrong with the process!  Fraud?  Faulty programming?