QB Power Hour Podcast
This is an audio rebroadcast of the QB Power Hour webinar series. QB Power Hour is a free, bi-weekly webinar series for accountants, bookkeepers, and QuickBooks consultants presented by Dan DeLong and Matthew Fulton, who are very passionate about the industry, QuickBooks, and apps that integrate with QuickBooks. The webinars are live every other Tuesday at 12:00 PM EST, with the archives posted in the Archives. You can register for upcoming webinars at www.qbpowerhour.com. In the QB Power Hour webinars, we will explore the proper and optimized use of both QuickBooks Online and Desktop, whichever you use. You will enjoy our powerful tips and tricks!! Plus we'll have selected 3rd party apps, practice management topics (like value pricing) and more!!
Securing Your Intuit Login [9.30.25]
QBO is only as secure as your login, and there are vulnerabilities that bad actors are exploiting, causing lost productivity time and fraud for you and your clients. We'll be discussing the concern, identifying the loopholes bad actors are taking advantage of, and giving you practical steps to secure your and your clients' logins. Filling in for Matthew while he is away is the always entertaining Sharrin Fuller!
QB Power Hour is a free, biweekly webinar series for accountants, ProAdvisors, CPAs, bookkeepers and QuickBooks consultants presented by Dan DeLong and Matthew Fulton who are very passionate about the industry, QuickBooks and apps that integrate with QuickBooks.
Earn CPE through Earmark: https://bit.ly/QBPHCPE
Watch or listen to all of the QB Power Hours at https://www.qbpowerhour.com/blog
Register for upcoming webinars at https://www.qbpowerhour.com/
00:00 Introduction and Housekeeping
01:17 Earning Continuing Professional Education Credit
02:23 Technical Difficulties and Welcome
03:27 Intuit Login Issues and Security Updates
07:57 New Invitation Process in QBO Accountant
16:32 Securing Your Intuit Login
29:00 Scam Interconnections and Data Mining
29:34 ProAdvisor Profile Scams
31:31 Identifying Phishing Emails
32:38 Personal Experiences with Scams
39:22 Protecting Your Accounts
41:07 Password and Authentication Best Practices
45:20 Email Aliases and Backup Admin Accounts
54:41 QuickBooks Payments and Bill Pay Vulnerabilities
58:41 Concluding Thoughts and Next Steps
Dan DeLong: Well, welcome to another QB Power Hour. I was noticing in the chat that Kathy Gki skipped Toastmasters to come to the QB Power Hour today. So I am deeply honored that, uh, I, I, I, where I rank in the, uh, in the Toastmaster. Hey, hey, I'm
Sharrin Fuller: co-hosting. It could be me. Come on, Kathy, let us know.
Dan DeLong: That's very true. Right? So if you're here for Sharrin, type one in the chat. If you're here for me. No, don't, I don't want
Sharrin Fuller: that survey. I don't want that survey. Survey. Come on.
Dan DeLong: You don't want that instant feedback.
Sharrin Fuller: No, Dan.
Dan DeLong: Well, today is a, is a real hot topic. Um, and we, if you've been on the, the QB Power User, uh, Facebook group or the other Facebook groups for, for accounting professionals, uh, you've no doubt, uh, been seeing some, some issues with, uh, the Intuit login. And good news is there's actually been an update from Intuit to finally close some of the, the vulnerabilities that we've been screaming about. I guess that's just the easiest thing to say, but they've been
Sharrin Fuller: listening.
Dan DeLong: They, they have been listening. Sometimes it takes a little loing of the voice in order for that to happen. But I'm, uh, pleased to report that there are some, some changes, and we'll talk about that. Um, and then what's also some other things that you can do as a, as an accounting professional to help, uh, secure your account as well as your clients'. So we'll be talking about that. Uh, so today my name's Dan DeLong, owner at Dan with and School of Bookkeeping, worked at Intuit for nearly 18 years. Co-hosting today, also the Workshop Wednesdays, oddly enough on Wednesdays, over at School of Bookkeeping, and Sharrin joining us, uh, filling in again for, uh, for spot.
Sharrin Fuller: Hello. Do, do I, do you wanna... Hello everybody, introduce yourself. I just, sure. I just came back from an 11-day vacation and I, through the last three days of it, I've been sick. So I'm joining you guys today with hot flashes, cold flashes, and body aches, basically. I am, I am a menopause with Mucinex right now, so happy to be here. And I'm gonna, I actually have my link ready for my Clone and Conquer hub this time, you guys. Okay, good. And watch my socials, because I got a really exciting thing coming up that I am, I'm pretty excited about, which we've kind of, sort of announced, but,
Dan DeLong: yeah. Well, we appreciate you, you're such a trooper, uh, at being, 'cause I hate doing this stuff alone. So I really appreciate you, uh, being here, even when you're not feeling a hundred percent. So thank you. Um, of
Sharrin Fuller: course.
Dan DeLong: So again, uh, the Insightful Accountant nominations are open. There's a link there in the handouts, which I forgot to put in the chat, now that I, I'm reminded. Uh, so I will quickly do that. If you're watching on the social, uh, there's a QR code and it looks like a couple people have already, uh, done that. But let me just throw this in here. No, they did
Sharrin Fuller: it a little bit different this year and I wanted to, you know, I had a talk with Gary and I think they did it different because I think a lot of the people assume that this was Intuit's ProAdvisor and it's not, it's Insightful Accountant's. Intuit, of course, is supportive of it. So I think this year they made some changes to make it very obvious that it is the Insightful Accountant Top, mm-hmm, ProAdvisor. And I love that they added in some of the things they did. So, yeah. How do you guys feel about that?
Dan DeLong: Yeah, this is definitely, um, it's a tax something that is not Intuit. I mean, it's, they have their own pro, they have the same problem as Intuit as branding. They, yeah. Never quite understand who makes these things. I think it's a
Sharrin Fuller: ProAdvisor thing that confuses people, you know? Mm-hmm. But, um, 'cause I said the same thing. I said it to Gary and Gary goes, I'm Sharrin, this is Insightful Accountant. And I go, Ooh, good to know. I'm gonna go switch some social media there, because for some reason I was thinking it was like, co. But no. Anyhow, I, I'm excited that they have some, um, some more up-to-date topics.
Dan DeLong: Categories, yeah. Yeah, yeah. It'll turn into the Oscars by the time
Sharrin Fuller: No. Best we care about. Right. Best supporting
Dan DeLong: ProAdvisor, best. Uh, no one
Sharrin Fuller: wants to watch. We all just sit there and pat ourselves on the back. It's amazing. There you go.
Dan DeLong: So if you're just joining us for the first time, a little bit about the QB Power Hour webinar series: it is the longest running, uh, series of, uh, QuickBooks stuff that is not sponsored by Intuit. Um, uh, we do have, it's every other Tuesday at noon Eastern. And we do have a CPE credit through Earmark. But you can always go to qbpowerhour.com/resources to find the handouts of prior, of all of our, our webinars, past recordings, podcasts, and other resources as well. So let's talk about what we're gonna talk about. There is a new invitation process, uh, inside of QBO Accountant, and we'll talk a little bit about that, and that may play into what we're talking about with securing your Intuit login. Uh, so we'll talk about what has been happening with some logins being compromised, and talk about the Intuit password reset vulnerability that we've been, uh, chatting about. And then some steps to take to protect your login, as well as minimizing any damage that might occur. And then Intuit, as mentioned, did make some changes already in that vulnerability, uh, aspect. And so kind of plugging up the loophole, um, and I was talking about with Rachel on the, on the workshop chairman, it's very like these types of things, especially when there are bad actors out there exploiting these vulnerabilities. It's very similar to TSA, right, when you, when you travel, right? Like, oh, we can't bring a quart size, you know, larger than a quart-sized bag of liquids, or we gotta take our shoes off, or they can't make
Sharrin Fuller: up their mind over there. Thank goodness we didn't have to
Dan DeLong: take our underwear off when the underwear bomber came out. Right? So, but those steps were always reactionary, right? Like they, yeah. There's so many things to respond to, it's, it's really hard to plug up everything. But being that it's all it, that most of Intuit's, uh, services contain PII, personally identifiable information, uh, and sensitive information, it is very paramount that, uh, security is a main concern. So let's talk about the first polling question. Uh, what version of QuickBooks do you currently serve with your clients? Sharrin, do you have that handy? Um, I have
Sharrin Fuller: no questions open for me here. I have no questions.
Dan DeLong: Hold on. Let's see here. There we go. Launch. I'll do it.
Sharrin Fuller: Okay, I got it. Yeah, I have none.
Dan DeLong: I dunno where it went there, but. Problems with the, oh my goodness. With a live, I
Sharrin Fuller: have the wrong thing open. I'm sorry, you guys. I am still recovering from a NyQuil coma. I, I'm sorry.
Dan DeLong: There we go. So while, uh, while you guys are answering that, let's just go ahead and kick into, uh, the Intuit News, uh, which is all about a firm invitation. So you probably haven't seen it because you don't invite yourself, maybe you have. But, um, and we'll talk a little bit about this. So, what happened is, um, and, and you, you have probably experienced one or more of the challenges with getting an accountant invitation to QuickBooks Online from a client, right? So the old process, it relied on email, right? So somebody had to go in, invite you, put your contact information, and they've, they've tried to make it easy in the past where you could just click on Accountant and invite your first accountant with, by just an email. But that relied on the email being received, and that also relied on them typing in your email properly, right? So it's riddled with issues. Sometimes you never received it. There could be a typo in the email. It could be the wrong email. Uh, I know that some people have a preferred email for invitations. But then email communications go back and forth and they just copy the email that you're communicating with. And then it could be filtered out, right? Um, and then of course the process of accepting is clicking the link that's in it. You could be logged in already in, in a different login or a different browser, and then there's cache and cookies that, that deal with it. And all you get is, hmm, that didn't work. So there's a lot of, um, challenges that, that come along with those invitation processes. So now when you go in to add a new accounting firm inside of QBO, uh, for a client, uh, there is this new option that says, invite my accountant's firm, with a little help bubble to give you, give them an understanding as to what it is. Now, even though this is super simple, all they have to do is put in the firm ID, which is your QBOA company ID for QuickBooks, right? So you can just press the keyboard shortcut of Control and the question mark key, or Control Option if you're on a Mac, and provide that to them. You can copy it, just send it in an email or, or what have you. It's like all you gotta do is just put in this number and then there's no email that gets sent. You go into your, your client list, right? So in your client list, you'll see client invitations inside of QBOA, and it's, and it'll just be there. And then all you have to do is just, uh, click the action drop-down and, and accept it. Now that client is in your, in your firm. So there's, so Dan
Sharrin Fuller: is,
Dan DeLong: yeah,
Sharrin Fuller: I'm sorry. I know I interrupt you. But I think I talked about how I, I need to do this on the back end because I know that you can see me. So are we able to do it the old way or is it only this new way? Because, you know, we all are a little wary of trusting Intuit's new product. So I personally would still keep saying, please invite my firm at QBO at, and we'll deal with all the rest of it. In two years when I stop seeing people complain. Or is it just, they're just like, Nope, here it is. And you'll pay $5 more a month now.
Dan DeLong: Yeah. This is, sorry. Sorry, guys.
Sharrin Fuller: I'm not snarky.
Dan DeLong: No, no, this is, uh, it's a good question. Um, there still is the old way, right? You can see on the screen. I don't know if, yeah, I just didn't, if it was like a,
Sharrin Fuller: but it won't send the email anymore. It doesn't send email. It says you've been invited. Now click here. It'll, it
Dan DeLong: will still send a confirmation email saying that you have been invited. Okay. But okay. There, there, there isn't too many act, there is an action that's required to be taken from the email. It's more of a confirmation that you have been invited.
Sharrin Fuller: Got you.
Dan DeLong: Oh, and you stopped sharing the, or.
Sharrin Fuller: Oh my god, I'm so sorry. You, I
Dan DeLong: give
Sharrin Fuller: up.
Dan DeLong: No, that's okay. It was a
Sharrin Fuller: lot. It was both, it was the same. It is, Dan. Same as it is every week. 60% both.
Dan DeLong: Although only 1% are desktop only. So that is, yeah. Uh, that is that, uh, getting smaller.
Sharrin Fuller: I'm curious, like, and it's a whole other topic, but the 1%, are they getting ready to retire? Because I
Dan DeLong: be,
Sharrin Fuller: I'd be like, you know, anyhow, sorry.
Dan DeLong: And we are, we are actually going to have, uh, the State of Desktop after Intuit Connect. So our, our first QB Power Hour after Intuit Connect, uh, we're gonna have Marjorie Adams from Fourlane to come on to talk about the state of, uh, affairs of, of QuickBooks Desktop. She's a very heavy desktop user, Enterprise, for a lot of her clients. So we're gonna talk about that.
Sharrin Fuller: Can I tell you real quick, I'm, my ADHD is all over today. It's, do you wanna tell me something that drives me nuts about the Intuit process here? Is that people can invite us, but we can't remove ourselves. So I have clients from decades ago that I still get their stupid QuickBooks notices because I cannot remove myself. And I email them and they're like, oh. So when I go to, like, my QuickBooks companies, they're in there. I'm like, I don't care. I don't, I hide them or whatever, but remove me. I don't want anything to do with your company anymore.
Dan DeLong: Yeah, well, there is a way to permanently disconnect, but you have to make, there is now primary admin. Yeah. Uh, it's been for a while,
Sharrin Fuller: just
Dan DeLong: the firm, but it's a, it's a severing, right? So if, yeah, you were, uh, associated with the client, and more, more problematic, I guess, is if you were getting the payroll notifications and things like that. Yes.
Sharrin Fuller: Uh,
Dan DeLong: they will still continue to happen even after that, seven, seven instances.
Sharrin Fuller: Is it a little bit soothing when it was a terrible client and you kind of let them go and they didn't remove you and you're seeing all their checks bounce? Do you feel a little bit, come on, accountants. You know, there's a little bit of happiness and warm and fuzzy there.
Dan DeLong: Yeah. It's, uh, yeah. Okay. So let's talk about the, the topic of the day, which was really securing your Intuit login. Let's set the stage on what has been happening, right? So, I don't know why every image, when I tried to Google, do a search for hackers, it's always these faceless people in a hoodie for some reason. But, um, what was happening is that, uh, a hacker uniform, exactly, that's the uniform of a hacker, is a hoodie with, with no face. So logins have, have been compromised. And it's, it's very paramount for accountants in this case because they are the tip of the iceberg when it comes to, if you are, if your accounting login, if your login that is associated with your QBOA is compromised, that provides a gateway to all of your clients, right? So if you're, if your login happens to be compromised, then you're, they have access, uh, to all of those clients. And now that there are a lot of services attached to QuickBooks Online, that is real money movement. That is concerning, right? Because someone who doesn't have the scruples that you do, uh, being able to access your clients and initiate real money movement, that is a concern, right? Because bad actors use that to provide access to clients and, and leverage those money movement services. And this example of, I'm gonna butcher her name and I apologize, uh, Omo. Omo, friend, talked to her several times at, at conferences. Her login was compromised, and she has a, a post, uh, on her Facebook group detailing, you know, the, the horror story that, that occurred. Now, she had a, a backup admin account, and we'll talk about that in, in a little bit. So she was able to, to sign in and access those clients in real time. The whole day she was combating the bad actor, right? So they, she would see what would happen. They would add a, a user and she would go in and delete said user, right? So it was just the, the Dutch boy, you know, trying to put the fingers in the dike and, uh, stop the water.
Meanwhile, at the same time, she's trying to correct the issue by contacting Intuit, you know, stop this from happening. And uh, as she mentions in her post, uh, she did five case tickets, submitted her information 11 times to be able to prove her identity so it would stop happening, and the turnaround time. And the answer was, uh, we'll get this resolved in about five days. That's not a great experience for sure. But she had MFA and 2FA, uh, enabled. She practiced, you know, password standard operating procedure, you know, she had unused passwords, right? So, um, she saw, before she was, you know, officially kicked out of her own firm, at least five clients, uh, that were accessed and money movement occurred. Fortunately, you know, she's a great person, had a great relationship with her clients and they were very gracious, uh, while this was getting sorted out. You know, a lot of people say, well, isn't 2FA or, uh, you know, strong passwords or passkeys, you know, supposed to mitigate that? Standard login security is really not enough. Because the password reset process bypasses all of those security measures, right? It really doesn't matter if you have a passkey, which is something stored on your device itself, right? Because if they are able to find a way to reset your password with your login, then, you know, all of, all bets are off, because it doesn't matter if you've, if you've got a code being sent to you, if they can update the contact information of where those codes are actually sent after a password reset is done, uh, then of course, you know, that's how these things happen. And hopefully they're not watching, um, to get some money. Let us teach
Sharrin Fuller: you. Right. This is how not to let people hack into your account.
Dan DeLong: Right. Now you have, uh, Sharrin, you were, we were talking a little bit about, about this, that you have a process or operating procedure in place where you basically require your team members to do that. Oh yeah, but I, a free
Sharrin Fuller: loop over here.
Dan DeLong: You, you still can't enforce it unless, no, like you can't see it in ha, uh, happening, even if they have, uh, multifactor authentication turned on.
Sharrin Fuller: Yeah, I just saw that in chat too. The, the one thing that really, so I, is required, like I'll, I have a, we use Rippling, so there's an agent that oversees the computers. So I'm like, you will do the updates, you will do all the things, and I will, I wanna be able to, you call me and go, someone stole my laptop. I wanna shut it down in Apple. I wanna shut it down in 15 places. So I'm a, I'm a little crazy about MFA, but in Intuit, I was hoping there was an update this morning. I can go in and see who has two-factor turned on, but I cannot require it or force it. I can kick 'em off of my books or off of my team if they don't. But I mean, what a, what a pain in the rear to log in every couple weeks and just look to make sure that nobody shut it off 'cause they're inconvenienced. Right.
Dan DeLong: And, um, someone was asking in the chat, how do they get these passwords, right? So, mm-hmm. You know, the dark web is a real thing, right? And, you know, sometimes, you know, you, you see every day, you know, that there has been, uh, a breach of some sort somewhere, right? Yeah. And of course, these, um, these passwords are available to the highest bidder. But if you're resetting or changing your password and using some kind of password vault to store those, those strong passwords that are automatically generated, those types of things. Of course, that password, that's the number one, the key
Sharrin Fuller: there though, right? Like, so the number one key, everybody, and I'm, I'm cutting you off again, Dan, but we're, we're okay now. Fine. We do this, um, if you are saving your passwords in a spreadsheet, if it's your dog's name, your high school mascot, I'm gonna drive to your house and snuck you with my thing. Everybody here, what was that? It's my wrist rest. Oh, 'cause I'm ergonomically correct. It's the only thing correct about me. 1Password, LastPass. If you have that set up correctly for you and your firm, it'll tell you, Hey, this has not been changed in 30 days. Hey, this is not strong enough. Hey, there has been a breach of this password. And you can create requirements. So your number one priority here, above QuickBooks, is making sure your firm is set up correctly at the top. And I am, I am crazy about that. Like my team knows better. They know I, and knock on wood, we've had no issues with any of this. So.
Dan DeLong: So somebody asked, how are these bad actors compromising their login? So, yep, the weakest link, right? Uh, the, the game show, right? The weakest link of all of this is there was a vulnerability, and I'm saying was in past tense because Intuit has finally, you know, taken some, some steps to close that vulnerability, which we certainly appreciate with, with this. Um, but they were, with minimal information, and I'll, and I'll, I'll demonstrate, and well, I won't demonstrate, but I'll, I'll show, you know, what actually, they could have, could happen prior to what occurred. Uh, but with minimal information, a forged ID, I mean, you know, it's, it, since the fifties, you know, fake IDs have been a thing, right? Before it was just to get beer. But now there's other things that these bad actors can do. But with that, with minimal information and a forged ID, they could basically update the email address on, on your login. And part of the process of updating your email address was Intuit would send them a password reset to that new email, right? So now, now that's it, that's all they needed, right? So now they can intercept those MFA codes, they can change where those codes are actually going. Uh, they can update contact information by putting in their phone number to get the MFA codes. They can reset the password, which now locks you out of your own login, and then have access to, to all of those clients, right? So how were they able to do that? Right? So the password reset process on QuickBooks is, the article of, you know, fill out this form, is all they had to do. What, what are you trying to do? Right? Let's get you back into your account. There's email, there's three choices in that dropdown. There's email, phone, or email and phone. But all they would need to do is just choose the email. All they need, yeah, is your current user ID, which a lot of people use their email as a user ID. Then the current email, which is, well, they have that too, right?
Mm-hmm. Then just what is the new email? And confirm that new email. The next thing they need is a government ID at that point, um, which could be a driver's license, passport, state ID, or some notarized document, which could all be effectively forged, so, great. So now with all of that information, they could change that, but now Intuit has closed that vulnerability because they have now added facial rec, a facial recognition selfie. And it's not just the same thing as a selfie pointing your finger, right? It's, uh, if you've ever done and set up an account at, uh, ID.me with the IRS, you know, they make you, you know, go through this process and you have to look in all sorts of different directions in order for every nook and cranny of your face to be scanned and, and recognized. But that puts an additional layer of, of friction with this entire process. So in addition to the, the government ID, uh, they have to go through this facial recognition. So now, now there's points of comparison to, is this the same as, you know, and they can compare where this, where this information was taken from. So it's, it's really hard to, to do that, right. To, to forge that information, you know, 'cause that's, that's just a, it's not just a picture. So kudos to, um, to Intuit for finally getting to, getting this process, uh, started to plug that up. What took you so long? Yeah, right. Yeah. So how are they getting the email address? So a lot of times scams are interconnected, right? You know, if you've ever seen or, or, or gotten an email from someone saying, Hey, I want you to charge my credit card. Or I, I can't accept credit cards. You know, I
Sharrin Fuller: got five last week, five. I'm not even joking. It was the craziest thing. I'm like, get outta here. Sorry.
Dan DeLong: But, yes, there's, it's, it's, it's an elaborate multi-step, uh, data mining, right? Uh, about the end of last year there was a rash of people posting on our Facebook group of, like, I got this, uh, somebody reached out to me on the, on the ProAdvisor profile. And here, here's one of mine, right? Uh, my name is so-and-so. I'm the owner of, uh, this construction company and I wanna hire you to train my team. Right? And they, they offer some exorbitant fee for, for doing that, or there was a lot of, I don't know, casting directors for some reason that were reaching out to ProAdvisors wanting to train. I don't know why casting directors have a need for QuickBooks Online training, but that's, that was the, uh, that was the setup. And then what you do is you reply to these things, and that goes back into your ProAdvisor portal so they can see the lead and the, and the reply. But what really happens is they get sent an email from your ProAdvisor email address, right? So they now have that information, right? So that is now one of those things. So those things that seemed harmless at the time are now part of the, you know, potentially part of this whole, you know, sting operation, right? So it wasn't necessarily, you know, if you've ever watched the movie The Sting, and, you know, since Robert Redford passed away, it's readily available. Um, you know, it wasn't just Robert Redford and Paul Newman as part of this operation, it was, you know, many, many people, right? So there's a coordinated effort to be able to, to mine this data, to get this information and exploit the vulnerability that was, that was there, right? So, uh, there are ways, right, of course, to identify, uh, those fishermen, uh, things to look for in, in emails that you get or correspondence. The from address is, is typically the, the first giveaway. You know, does the from address end in intuit.com, right? And is intuit.com spelled correctly, right?
Yeah, because it's very easy to say capital L or capital I, lowercase l, right? They sometimes look the same. And, uh, you know, they, they could forge things that way. It's very, um, sometimes it's, it's real sim, easy to miss, I guess is the best way to look for it. Look for the rele, the requested action that they're wanting you to take in said email, right? Don't click the link. I don't know why I said click link in the, in there, but yeah, never
Sharrin Fuller: click the link and do not reply.
Dan DeLong: Don't, that's what I want to say. Whenever I see something
Sharrin Fuller: like that, yeah. Whenever I see something like that, I always, like, I get a lot from Coinbase, like crypto, somebody's trying to log in. If this isn't, I go directly to Coinbase, directly to that chat, that email, and go, Hey, I just got this email. And they're like, Nope, we, no, nope. So just don't reply, don't click, watch some scammer things. If you click on things, that is how they get access to your computer and they dive right in and like, I spent the last three days just watching all those videos.
Dan DeLong: Yeah. And, um, you know, somebody was, uh, mentioning that there was an email scam that was posted in the Facebook group where they actually did have @intuit.com as the, as the from address. What I would probably look at is the o in .com, right? So is that a zero or something like that? You know, that, uh, well, not only that,
Sharrin Fuller: they don't always want you to reply to the email. Sometimes they do just want you to click on the link. So they don't care if they spoof that email or not. They're just like, just click that little link. We just need access.
Dan DeLong: And, often you, when I'm not passionate about
Sharrin Fuller: this,
Dan DeLong: you wanna look for typos. Sometimes they're easy to spot. Um, and it's, and it's sometimes it's, um, what's the word I'm looking for is, um, sometimes, you know, you get insulted, like, oh my God, how, who would fall for this? Right? But that's actually who they're looking for, is people who would overlook a, a, a blatant, uh, typo or something like that, or bad grammar or things like that, right? Like, um, because if you are the type of person who would overlook that and still act on an email, that's the kind of person that they're looking for. But you can check the, check out this article, Four Ways to Tell, uh, if it's a, if it's a scam. And then also looking at the Intuit security site for previous, previous security identifications. Right. So what kind of damage? I actually,
Sharrin Fuller:I have,
Dan DeLong:go ahead.
Sharrin Fuller:I have two QuickBook, I have three QuickBooks online IDs, and as I was trying to go screenshot for everybody, I realized one of'em doesn't have MFA on, so I'm doing it right now. Oh,
Dan DeLong:you are wagging the finger at yourself.
Sharrin Fuller:I, I didn't, I never get in that one, but anyhow.
Dan DeLong:Yeah. And, uh, the, um, if you download the, uh, handouts all the links are there. They're also on on our landing page as well for, uh, for this webinar. Uh, but what kind of damage can they do? The potential impact is really compounded by Intuits services, right? The QuickBooks Business Network. QuickBooks Payments, instant access to funds, uh, the QuickBooks Bill Pay. Somebody mentioned in the chat. Yes. And we talked about that, that QuickBooks Bill Pay basic is half already enabled. Uh, they just have to go in and finish the setup, which. Once they're logged in as, you, they are an admin, right? To, to the, um, to the company, right? Every accountant user is an admin, uh, unless they're in as a firm user, uh, a firm, a teammate, right? Uh, but as you, as the, uh, primary admin of your firm, as well as the main firm accountant, the lead accountant, that's the word I was looking for the lead accountant can enable services. And that's again, you know, they're leveraging your login to be able to do that. Of course then there's payroll and contractor payments. You know, all of those lead to real money movement that can potentially be siphoned, uh, from, from your client's uh, bank account. Ver and, and, if, if they know what they're doing and they set things up properly, they could send an invoice or a bill from one company, one of your clients to another one, and instantly have access to the funds by them paying the, the, invoice themselves. Okay, so second. Yeah, I could
Sharrin Fuller:do, oh, you, I could do it. Here we go.
Dan DeLong:Okay. Perfect. Yay. Have you ever had an issue with identity theft? I mean, oh my God. I mean, I, I had, uh, my login compromise. We, don't know how it, I mean, this was not my QuickBooks login, this was my banking login for, with Capital One some somewhere. And they're assuming that I logged in to, to my banking app, uh, like at a Starbucks or an unsecured, uh, wifi, uh, where, you know, somebody. Scraped my keyboard shortcut, right? Or my, my keyboard strokes. Keystrokes. There we go. I don't stroke the keyboard. I, they're keystrokes. And, um and, because, uh, my, my wife's login was fine, right? So there wasn't wasn't done. But what happened was is, uh, at, they changed the email for my login to themselves. And in order to distract me, they sent me 2000 spam emails at the same time. They, Rob robo signed me up for all sorts of communities that I never signed up for. So while I was concerned about what the heck am I doing with all these, uh, 2000 emails that just showed up at one time they were in, in my account sending themselves $999 payments. Um, but inside that blast of emails. Was buried an email. Hey, uh, we've updated your email address. Uh, so I couldn't see I was, not
Sharrin Fuller:Sneaky. Sneaky,
Dan DeLong:yes. I, I didn't understand. I, I mean, I was completely,
Sharrin Fuller:Nope,
Dan DeLong:totally distracted. I just, sorry.
Sharrin Fuller:I just, Michael raised his hands and I meant to message him and said I allowed him to talk. I am of zero help today. I'm just a spazz. I'm sorry. All right.
Dan DeLong:Um,
Sharrin Fuller:my ex used to steal my credit for years. I actually had to put a credit block. He would go get all those stupid little payday loans in my name. Oh my God. That's, that's even worse when you know where it's coming from and you can't do anything about it. I still, to this day have to lock down my credit all the time. Just survey knows.
Dan DeLong:Yeah, that's a good idea. He's coming after my,
Sharrin Fuller:my solid 4 25. Just kidding. There we go.
Dan DeLong:All right, so let's talk about some steps that you can take to protect you and your clients and mitigate any damage, right? So steps that put friction between you and the bad actors, right? So password, best practices, changing your password. When we were talking about this on the workshops, somebody said, uh, when the clocks change, all of your passwords, right? So it's just a one of those routines to, to put yourself in, right? So adding that the two FMA, uh, two F-A-M-F-M-F-A, which there's a difference between the two. Um, and I think I talk a little bit about that in a second here. Uh, authenticator apps, having a second app that gives you those, those codes is, again, nothing is foolproof because fools are so ingenious, but it keeps the honest people honest and, uh, and, and, and those. Somebody who wants to break into your car will still find a way to break in your car, even if you lock the door. But you, you can definitely make it harder for them, right? Put a, the club, those types of things. But my mom had one of
Sharrin Fuller:those 'cause her car kept getting stolen,
Dan DeLong:right? Um, entering a, making a user ID as opposed to, uh, your email address, masking your email address, uh, so that it's not. So the contact email address for your login is not your real login or your real email address. Having a backup admin account, and then limited access for new customers. And then disabling unused services. So, uh, password, best practices, of course, you know, strong passwords unique, changing them frequently, uh, using some kind of password vault and not sticky notes attached to your monitors. Oh my gosh. Or Excel spreadsheets or, you know, things that aren't necessarily secure. MFMA two FA and the authenticator apps, right? That's that six digit code that's gonna be sent to presumably you you know, the contact information that's, that's on the account. Now MFF. MFA is mandatory, right? So it's not something that you can opt into. This will be, this is something that Intuit has when there is a new or unrecognized login. Like, I get MFAs all the time because I'm never in the same place twice. Yep. For much long. Right? Or, very long. Whether I have two FA, which is an optional setting on your account enabled or not. If I'm in a new location, a new browser, a new computer, a new whatever, I'm gonna get an MF MFA code regardless of the setting that I might have, right? So two FA is. A two step process that you enable on your account, that is, that will always send that six digit code regardless of whether it's a new login or not. And then Authenticator Apps is just a completely separate app that provides the code. Now you don't get those codes until you enter in the password. So again you're gonna have those other options. But if your password has been reset, then you'll never get the code because you won't be able to sign it. Mm-hmm. Right. Then there's this relatively new thing called a passkey, uh, which is, uh, a locally slightly
Sharrin Fuller:annoying. They're slightly annoying, I ain't gonna lie.
Dan DeLong:Yeah. Especially if you're doing it off of different computers and that Yes. Doesn't have the passkey stored on it. But it's a locally stored file, so something on your machine that stores the file and then authenticates that with a login server. This is very similar. I think the best way to describe it is it's like war games, right? Uh, you know? Yep. There's, they need two different keys and two different people to turn insert the keys and turn at the same time, so that mm-hmm. The redundancy of that is very hard to uh, to mimic mm-hmm. But and what this also does is it, it avoids passwords and MFA codes, right? So those, uh, you don't have to deal with those, but you have to be on the device or have the device accessible that has that passkey stored on it, all right. Using an email or using a, a, a user ID, that is not your email, right? So keeps people guessing. Especially when you have, uh, a user ID that's not your email, it's typically that's not readily available. The challenge though is that it must be unique, right? So just like your email is unique to you that makes it real simple to create a user ID that's an email address because it's already something that is presumably unique to yourself, right? Uh, so if you go into accounts.intuit.com and update your user ID just keep in mind that you have to pick something that is unique to you and then that might not make sense. Uh, you know, when you start adding numbers and letters and some iterations of that, so that's, um that, that's something to keep in mind when you're thinking of what your user ID should be. Now we wanna, uh, appreciate, uh, Rachel Barnett, uh, from Gentle Frog for identifying a, a great workflow that you can mask your, your email addresses so that they're not readily available, even if they have your, um, if, even if they have access to your account and they can see, uh, what your contact email address is, that is not your real email address. 
So you're protecting your, they're putting a buffer between your real email address and and the login contact information. So don't want you best practices here. You don't want to use an email address that is externally available. So don't put it on your website or, or things like that to, to show that, uh, that email address. Um, and then you can create typically with, uh, Google Workspace or, um, outlook accounts, you can create email aliases things that auto forward mm-hmm. Uh, to your root email address. So, mm-hmm. So I wanna go in here and kind of,
Sharrin Fuller:that's what we do, but I don't wanna say what we do because if the hackers are listening, they're gonna know what we're gonna know, what we do.
Dan DeLong:So this article on, uh, School of Bookkeeping, you can actually listen to it if you want to. Too long, too long, don't read. Uh, you can listen to it then. But this walks through, uh, this process and I have a scribe embedded in here to creating email aliases in, uh, in Google Workspace. So you can kind of walk through that. I tried to block out anything personally identifiable in mine, but, uh. Typically you go into the admin console. And, uh, I also did put a link to how do you do this in Outlook as well. But the, general idea is you want to create a never used backup admin with mm-hmm. Some email address. You set your operational primary as an alias that's different from your real email address.
Sharrin Fuller:Oh, so many cartwheels. Isn't it insane? Intuit can just make us not have to do all of this, but keep going, keep going.
Dan DeLong:And then adding a proposal only user that has, uh, minimal access, right? So there's essentially three users. One, a backdoor for you to be able to log in should your normal, uh, login become compromised because, or, you know, if you get locked out. Right. Um, I saw. A situation where, uh, a legitimate ProAdvisor was living overseas and they got logged out or locked out of their account because Intuit noticed there was several, several attempts to sign in outside of the United States, right? So that was, um, that was a, a security concern. And, uh, then they, um they had to prove who they were in order to get in. So with having a back a, a secret entrance into your firm, uh, you can still continue to do your work while you're, you know, while that workshop, uh, not work, um, while that is being worked on. Right? Mm-hmm.'cause there is a, I use a
Sharrin Fuller:VPN for everything. So mine can never keep up with where we're sharing out today. Exactly. Like today, we're gonna be in Dallas next, tomorrow we're gonna be in LA I'm all over the place, so I'm always having to put in my, my two factor. I don't even think the government doesn't even know where I live at this point in time.
Dan DeLong:Exactly. So then, uh, so then you'll have this, uh, quotes only, um, and then your intake for new clients is the client invites the quotes only, uh, user. And then you go in right after you accept it, and then you know, move it to your, your super secret login. But you could also use this firm ID process, uh, to do that as well. Right. So there is no email, uh, that user that, that accepts it. To create those aliases, uh, you, you log into the admin, you browse to the, the user profiles that you have in your, your, your account. You edit yourself. And then there's an option here called add additional emails, right? And then here's where you can create any number. Uh, I think you, the maximum you can do at Google is 30 I that you can preset. You can always add a plus sign and a number or something after the plus sign, uh, to auto forward that. And it is a unique email address, but you know, you gotta keep track of all of those. So might as well document that in your admin console here. Uh, but you're creating three aliases. One's a super secret, one's a not telling, and then one is for quotes. And then at that point, you're gonna invite the backup email as well as the quotes. As a user right inside of your firm, the quotes only would be standard, no access, right? So they don't have access to your, your firm books, which protects you from being, if that login happens to be compromised, uh, they won't have access to your books. And more importantly, they won't have access to any of your clients either because mm-hmm. You're going in and removing their client access after you've, uh, done that, right? And then so you would then send the, uh, invite. You're gonna add another user. This is the backup admin user, and they're gonna be a company admin of the firm that is just, uh, you're never gonna use this, uh, backup unless you need to, right? So having other team members do this as well is also an option. 
Also down below here, I have implementation for the multi-staff, uh, firm. So you can create different aliases for, for that process if you wanted to. Uh, or you could continue to leverage this one as, as well, right? So you're gonna receive two invitations in the main inbox, uh, but you're going to accept each one and create a login. Create an Intuit login under those email addresses that each one is assigned to. So now, uh, your email your email address is, is safely masked because it's now the super secret or non not telling you know, name of a email address. So correspondences are gonna be sent to that, but you'll still receive them because they are you'll still get them because they are the way email aliases work is they auto forward to the main email address as well. And then you wanna manage your Intuit account at that point. Uh, go in, uh, if you see, you know, hey, a new user ID might help, they'll maybe alert at the top. If not, then just clicking on this sign in and security section here, and then you'll be able to modify the user ID. You just, again, you just have to choose something that's unique and confirm it. Uh, and then it gets saved. You get email, it's along the way every time that you make a change. And then you do the same thing for your email address. You would go in, update it to the new alias email, and that way your login email address, you know, the your, particular email address is not exposed. And we walk through that. And then you, you always have to, you know, communicate all of that and confirm when there's, when they're make, when you're making changes like this. So you'll get an MFA code for that. And then you also get an email address along, or an email along the way saying that these changes have have taken place. So this is all here, um, as well as more information about, about that, so can check that out. 
So those, those additional users so you got the limited access for invitations, the backup admin user, and the auto forwarding web-based email. If you are on an exchange server, I don't know the process. So, um. Check with your IT guy, if that's, if that's possible to create those, auto forwarding emails like that. And then once that's, once that infrastructure is, is taken place, then you're able to, uh, just make those changes, at Intuit. So damage control, right? So here's here's the challenges, right? And, and things that you want to do is in, with QuickBooks payments close unused accounts, right? So if you, uh because you are an admin to all of your clients and QuickBooks Payments is kind of half set up for accounts. It only takes someone to finish setting them up, uh, to start the actual real money movement. But if they're not using QuickBooks payments, um, you can go in and close those accounts. If they are, if they don't have an a, a dire need for instant deposits, uh, you can opt out of that that option. Now, you know, you can get access to instant deposits for a fee. But if you're using the QuickBooks Checking you can avoid the, the fee by doing that. Um, the QuickBooks Business Network, uh, you can opt out if, uh, if that's not necessary or needed, and then the QuickBooks, uh, Bill Pay if they're on QuickBooks Online Advanced, you can set up workflows that you get notified when a bill is created and those types of things so that you're, aware, uh that, something might might be happening here. So with, uh, QuickBooks Payments, you know, the instant deposits is a, is a 1% fee unless they're using QuickBooks Checking. All new accounts are partially enabled. So you can close those accounts if they're not being used, and there's a link to being able to do that here in the slides. Uh, the business network it's, a nice convenient feature. But this is potentially a vulnerability that people are exploiting, right? 
Because it keeps your contact info up to date. There is an invitation process to connect between QBO subscriptions, but if they have the logins on both companies to be able to do that, then they can do that. But the convenience factor is invoices sent from one company are turned automatically into bills. By another company which if now you're accessing the money movement process of QuickBooks Payments and QuickBooks Bill Pay, that just allows people to streamline that process of fraud, uh, by doing that, right? So they can opt out of the account under settings. Of course it doesn't stop someone from opting back in, right? So if they're logging in as you, uh, they can opt back in. But again, putting up those obstacles, uh, to make things a little harder for people to do QuickBooks Bill Pay. Again, nice convenient features. You can't talk, turn off QuickBooks Bill Pay, uh, because they, they're automatically half enabled for the basic service, right? So you can't even not have the basic service because it's already. There, right? So maybe a best practice is keeping money movement outside of QuickBooks, right? Mm-hmm. Uh, using different outside services. You know, I'm sorry to be saying this about Intuit services, but Yeah. Um, because you do lose those integration conveniences. But it's really inconvenient if something were to happen like this. You only have to go and ask, uh, Omo how inconvenient, uh, this was for her. Yeah. Um. Okay, so, wow. We, we timed that right. Sharrin, any thoughts, comments, concerns of this? Always.
Sharrin Fuller:I've always got thoughts, opinions. It's just crazy. Somebody mentioned earlier and they're right, like, I don't think I started noticing the hacking and the, the issues until QuickBooks really started launching their bill pay function. So I feel, and like people are saying, that's the hardest part is people log in and they process the bill pay and there's no way around it. And then QuickBooks logs you out and you're, it's just, it's ab it's insane to me. But I am, um, yeah, I mean you saw me tagging in you, tagging you in everything over the weekend. All of those. I'm like Dan, Yeah. I don't, use anything. I use QuickBooks as my GL. I don't use any other pieces of it whatsoever because I don't feel secure.
Dan DeLong:Yeah. Yeah. I mean, and I don't want my
Sharrin Fuller:clients when
Dan DeLong:I, uh, when I was work, when I was working there, I mean, I would con that was back when QuickBooks payments and payroll was it. So the actual sending of money, you know, initiating the, where the QuickBooks world and the real world actually intersect, uh, with money being sent, you know, they started with, you know, their partnership with Bill, and then they moved to Melio and now the QuickBooks Bill Pay. The, movement of money out of the business, uh, I think is where things really came to light for Yeah. Uh, for this sort of thing, uh, simply because and, and, well, and then the, the in instant payment and, in instant access to that, to that fund because now you have or, or these bad actors have. Access to both sides, potentially sending invoices to your other clients and then paying them, um, because they've now compromised, you know, this whole thing. So this is very elaborate. And it's very important, uh, I think for folks to make sure that they're doing their best, their due diligence to make sure that their login is as secure as possible. And we appreciate, uh, Rachel and Uomo for being vulnerable enough to let us know their experience to, so that we can others can, benefit from, from their trailblazing, uh of this process. So we appreciate you all joining us here today, uh, on the Power Hour. And, uh, next time. Uh, yeah. So we were supposed to have tech saving tips you know, act workflows and, and apps that, that help accountants save time. Uh, but we felt it was more topical and important to talk about this very important topic today. But so next time on the Power Hour, Sharrin and I are gonna be oh yeah, you gotta launch the last, uh, poll question. Yep.
Sharrin Fuller:I didn't have anything that told me to, so
Dan DeLong:Yeah. Sorry guys. I should have done that. So I appreciate you joining us here today, and, uh, next time we'll be talking about some tech that saves accountants time. And, workflows that, that streamline your process and get you outta busy work, uh, doing things, uh, that actually bring greater value to you and your clients. So we will see you next time on the Power Hour and hopefully everybody has a great day. And Sharrin, I hope you feel better real soon. Hey,
Sharrin Fuller:I'm gonna go get high on some NyQuil right now, or some DayQuil. So we're, we're good.
Dan DeLong:Alright, have a great day everyone. All right.
Sharrin Fuller:Bye everybody.
Dan DeLong:Bye-bye.