H&R Block Owe Us a big Thank You
Written by
Daniel Longieliere
Provided by Logic Unlimited
This is a true story, strike me dead if I am lying.
It was around tax time. We had just rapid-refunded a totally sweet refund and got it loaded onto that Emerald Card through H&R Block. I was on their website a few days later checking the balance of it and whatnot. I had set up their super secure system so I could log in.
A few days later, as I was troubleshooting a problem with one of our client's sites, I cleared my cookies and cache. Well, I use an app which logs me directly into saved sites, so when I went to check my balance again it went to the Emerald Card site, put in my username, then submitted it, and their site started asking me all sorts of questions (the usual security questions).
Not remembering that I had cleared my cookies and cache, thus losing the cookies from before, I hit the back button thinking something had gone wrong, and boom, I was in my account.
"What? How did I get into my account? I was being asked security questions, and all I did was put in my password," I thought.
So, thinking to myself, did that really just happen? I had just logged into my Emerald Card account without a password; surely they couldn't have been so sloppy in their code. Well, I logged onto another computer here at the home to be sure, punched in the URL, did the same thing, and boom, I was in. Okay, I am not a hacker, and had no intentions of hacking, but I wanted to find out whether my information was secure or not. Keep in mind that my transactions, account control, and personal information were wide open if there really was a security hole THIS obvious. So I punched in a generic name (usernames are always first initial and last name together) and boom, I was in a total stranger's account, all by hitting the back button.
That was it, the back button, no crazy malicious code, or brute force attacks. Just the back button.
So I got excited; these guys were really going to be thankful if I called them. I called a friend, who told me to sue them. :P Not being a jerk, I elected to call their technical support, where I was met with someone who was absolutely clueless. They were completely unable to direct me to anyone technically minded, and advised me to call TurboTax. I did; they were about the same, and told me to call Emerald Card support. Seeing a pattern here, I decided to find the root company. So I ran a whois on the domain name and pulled up a company called Metavante. I went to their site, got their number, and was met with a very helpful lady who had me hold while she got their emergency on-call tech on the line.
He asked me to go through it and take screenshots. (So if it comes down to it, yes, I can prove it.) I walked him through the problem, and he acknowledged it, and they shut down the entire Emerald Card account site for a day while they worked on the code. I told Metavante that I was in the middle of our startup, and all I wanted as a thank-you was a letter from someone who makes more than me saying thank you for pointing it out. I received a call from Metavante a few days later thanking me for being so vigilant in reporting the problem. However, they said they couldn't give me a letter because their lawyers couldn't acknowledge there ever was a problem. They said a representative from H&R Block would be contacting me in a few days.
To this day, months later, there has been no contact from H&R Block and no thank-you letter, and I guess that's the best I can hope for. I should have recorded the call, though he was very careful not to state directly in that phone call that there was a problem. Honestly, I would have just liked to have a nice conversation piece for the shop we will one day have. It's disappointing that an individual can do so much to save face for a company that houses some of our personal data, and yet not even get a thank-you letter in return.
Either way, it's a good story, and it shows the importance of security and testing in your code, to avoid a late-night call from a guy telling you your company is about to make the news.
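The flaw the story describes is a multi-step login whose later step never checks that the earlier gate was actually passed, so re-posting a form (the back button) skips it. The following is an added illustration, not code from the original post or from any of the companies named: a constructed login flow with the flawed pattern beside a version that tracks passed gates server-side. The account data, step names and function names are all made up for the example.

```python
from dataclasses import dataclass, field

# Constructed sample account for the example; not real credentials.
ACCOUNTS = {"jdoe": {"username": "jdoe", "challenge": "Rover", "password": "hunter2!"}}
STEPS = ("username", "challenge", "password")   # order the server must enforce

@dataclass
class Session:
    user: str = ""
    passed: set = field(default_factory=set)    # gates completed in this session
    authenticated: bool = False

def _valid(sess, step, value):
    """Check one step's input against the account named in the session."""
    acct = ACCOUNTS.get(value if step == "username" else sess.user)
    return acct is not None and acct.get(step) == value

def vulnerable_submit(sess, step, value):
    """Flawed flow: each handler checks only its own input and trusts that the
    browser reached it in order. Re-posting the password form (the back button)
    therefore skips the security-question challenge entirely."""
    if step == "username" and _valid(sess, step, value):
        sess.user = value
        return "challenge"
    if step == "challenge" and _valid(sess, step, value):
        return "password"
    if step == "password" and _valid(sess, step, value):
        sess.authenticated = True    # never asks whether the challenge was passed
        return "account"
    return "denied"

def hardened_submit(sess, step, value):
    """Fixed flow: the session records which gates were passed and the server
    accepts only the next outstanding step; anything else resets the login."""
    outstanding = [s for s in STEPS if s not in sess.passed]
    if not outstanding or outstanding[0] != step or not _valid(sess, step, value):
        sess.user, sess.passed, sess.authenticated = "", set(), False
        return "denied"
    if step == "username":
        sess.user = value
    sess.passed.add(step)
    if len(outstanding) > 1:
        return outstanding[1]        # tell the client which form to show next
    sess.authenticated = True
    return "account"
```

The hardened handler decides what the next gate is from session state alone, so the order in which the browser posts forms cannot change what the server requires.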