WSW - Podcast Securing your Intuit Account
===
[00:00:00]
Introduction and Casual Setup
---
Dan DeLong: Oh, welcome again to another Workshop Wednesday, where it's casual conversations for serious workflows brought to you by school bookkeeping.com, where it's all about learning QuickBooks
Rachel Dauchy: your way.
Dan DeLong: That's right. However you want. My camera is not centered here. There we go.
Rachel Dauchy: Mine's not either. I don't, [00:01:00] I don't know how to fix it right now.
Dan DeLong: It's the worst. Oh, that's because I don't have it on the center of my laptop, that's why. Anyway. All right.
Today's Topic: Login Security
---
Dan DeLong: As our thumbnail kind of in, in our description, indicated, we were gonna be talking about some integration updates, but leave it to Intuit and the news of the day sort of thing.
So to speak of, we're having to pivot and talk about something a little bit more urgent. I guess it could be the way. And because I've been seeing on Facebook and various social channels, people have been getting their logins compromised,
Rachel Dauchy: oh yeah.
Dan DeLong: and, and it's not all their [00:02:00] fault. And that's what we want to talk about today. Because bad actors, whether they be Vin Diesel or, a fraudster online, are so good about doing what they do. And, I've had my, login with my bank compromised.
It's not a matter of if, but when. When, yeah. And
Rachel Dauchy: I just recently had some issues with that as well, and even if it's not fraud, just even issues surrounding login security, it can just be confusing and it's always good to get the most updated information that Intuit is putting out there
Dan DeLong: And Intuit, to their, to their credit, they have a variety of ways to [00:03:00] secure your account. And with, they've implemented passkeys, there's authentication apps, there's MFA versus the two factor authentication FA.
Rachel Dauchy: Yeah. And then there's something I wanna ask you about too, and maybe we can get into that in a little bit. 'cause that's something that I am considering.
And I wanna ask your opinion of. Such a thing.
Dan DeLong: Got it.
Revenue Share Announcement
---
Dan DeLong: Now, before we get into the, nuts and bolts of what we're gonna talk about we do have a couple announcements. We are oops, where is this? So in November we are gonna have another cohort at school, bookkeeping. And this one is gonna be all about.
Revenue share. And being able to work smarter and not necessarily harder to be financially connected to your clients if that [00:04:00] is something that interests you. And Rachel, I think you need to be part of this because yesterday we're co-working on a, with a client and you had the impression that if you had already.
Referred a client to QuickBooks. Any additional services like payroll or payments would automatically be tied back to you and, oh, no.
Rachel Dauchy: Yeah, that is super confusing because I thought at the very least QuickBooks Payments was, and I feel like I read something that Intuit had mentioned that if you connect their, oops, Gusto is calling me. That's weird. If you then sign up for QB payments in addition to already signing them up under yourself for QBO, I thought that would automatically [00:05:00] be a thing. So I would appreciate that, that information. For sure. Because we also have QPS out there too and there's a lot of confusion of, oh yeah, what exactly.
Can I get, and then, by the way this is a very big deal because I remember when I first started, I got maybe like a trickling of a few different commissions here and there, but over the course of six years, it has increased. And let me tell you, it is very cool and very worth it. And I would love to make sure that folks get the correct information, like right out the gate because.
This is it like the, finally, I feel like the hard work is starting to pay off and it's really worth it to get those revenue shares.
Dan DeLong: Yeah. Yeah. And in your case it looks like I'm a little choppy. Am I, yeah. Am I coming through okay?
Rachel Dauchy: Yeah. A little choppy.
Dan DeLong: [00:06:00] All right. Lemme just change my, I'm gonna change my.
Video settings to a little bit. Okay. Don't change your wifi
Rachel Dauchy: in the middle of the thing. No
Dan DeLong: We won't do that. We won't do that. So maybe this is a little better. Is this okay? Yeah. Yeah. Okay. So I'm a little grainy, but that's okay. Yeah, the, where we're at today starlink is not, is not as, fast as it could be. I'm not, I'm lower on the Elon Musk priority schedule anyway. So like in your case though, right? You had you had originally referred a customer to QuickBooks through, through your channels and you know that was all great and in your, your, thought was, is that any additional services that would be added to that since you already broke the seal, so to speak?
Yeah. Or referring the customer, that would already be tied back to you, but [00:07:00] in reality, that's not the case. There's channels that you have to go through. There's things that you have to, things you have to report to Intuit in order to make sure that those, yeah, those are happening. And it's really
Rachel Dauchy: confusing.
And they wanted to upgrade to, or not upgrade, but they wanted to add payroll Elite. Yeah. And that's the highest payroll. I really wanted to make sure that I got the credit for that. So I have now worked that out, but yeah, it's not as easy as you'd think.
Dan DeLong: Yeah. Yeah.
It's the, process is relatively simple. You just have to make sure that you're crossing the T's and dotting the i's. Yeah. In order to make sure that, you're, gonna get this. Don't ever assume,
Rachel Dauchy: because then you make you know what outta you know what,
Dan DeLong: so that's that's coming in November.
We are offering for the month of September. If you pre-register for the course, you get $300 off. So essentially it's less than a hundred bucks to, sign in or pre-register [00:08:00] for the for the live cohort. And if you, even if you don't attend the live cohort, all the sessions are gonna be recorded, so you can always go back and review them at a later time because.
November is right before the fifth quarter of the year, which is December, which is getting ready for tax season. So I understand there's never a great time to have four weeks, a four week cohort, but we are gonna record the session, so there's that.
Understanding Intuit Login Security
---
Dan DeLong: Now, today we want to talk about, your Intuit login, right?
Because that is. And, I've always said this when I talk to people on the phone, when I worked at Intuit, QuickBooks is as secure as your login, right? So that is the gateway to getting into QuickBooks, right? So QuickBooks Online we're talking about. The things about [00:09:00] the bank level security and all of the data being secure is really only as secure as your login, right? As long as you can log in, there's nothing to download, install, save, nothing of that, right? You can just sign in. If your login is, gets compromised by a bad actor that's out there, a fraudster, they essentially have the keys to the castle. And as, yeah, an accountant. As an accountant, you know you're going to have access to a variety of.
Rachel Dauchy: Yeah, that's in my, what I would call that if, and I have never had anybody have access to my Intuit login, but I would consider that a total nightmare. I take that so seriously, access to my clients'. Books. There's just no way. [00:10:00] Even within there, it's not like we can make transactions, and let's say for example, they got into one of my clients QBO.
It's not like they can see full checking account numbers or full credit cards or anything like that. But even just seeing their activity, I don't want anybody seeing anything like right at all.
Dan DeLong: And you have not, only do they have access to sensitive data, payroll.
'cause as an accountant you're gonna have company admin access, right? Which means Yeah. You do have access as an accountant user for all of your clients to see EINs. That's true.
Rachel Dauchy: Yeah. That information you can see.
Dan DeLong: Yep. and and seeing employees, social security numbers and that sort of thing.
True. But what's, [00:11:00] really concerning now is that QuickBooks is doubling down on included services that, have to deal with real money movement. Yeah.
Rachel Dauchy: Although I feel like. Even in advanced even in the most robust offerings they have, I feel like I cannot see a full social security number.
I don't know, maybe I'm wrong, but I feel like I can only see the last four digits, even as a, as an accountant user. Can I see the whole thing?
Dan DeLong: Yeah. There's a lot of places they put a view. Like a hyperlink, and then you have to click on that, and then you get the MFA code. Okay. And then you're able to see
Rachel Dauchy: So, basically if anybody would like to find full. Versions of things, they could easily [00:12:00] do that.
Dan DeLong: With that login. With the login,
Rachel Dauchy: yeah.
Dan DeLong: That is the keys to the castle, right? The keys
Rachel Dauchy: to the castle. Okay.
Real-Life Fraud Stories
---
Dan DeLong: And as, you probably are well aware with, a lot of these fraudsters, it's not just one thing, right?
So it's not just one, one task. It's, it's since Robert Redford died they're playing a lot of Robert Redford movies on, on tv and the other day the Sting was on, right? It was and, the sting was not the the actual sting that they were doing on actor Robert Shaw wasn't just Robert Redford doing it, it was a whole.
Of individual. Oh that sounds cool.
Rachel Dauchy: I never saw that movie.
Dan DeLong: Yeah. Like they all had this nose thing where they that was the [00:13:00] signal and all sorts of things. So when there are bad actors out there, it's not just one thing. Like in my case, the way my, the fraud happened to me was I got a, flood of emails at.
While I was working and I was like, why am I getting 2000 emails right now? And it was all in service to somebody was going into had going into my bank and changing the email address. Oh. So with all of the flood of emails, that was a distraction that. Took my attention. I'm like, why am I getting all these spam emails?
Oh, buried in those, in that spam was an email from the bank saying, we updated your email address. So I was not able to catch that, and by the time I did catch it, [00:14:00] oh, there's money missing out of my bank account.
Rachel Dauchy: Oh man.
Dan DeLong: And they were so smart because. They moved $999. And I was like, why that weird amount?
And the investigator that I finally was able to get ahold of was like, because a thousand dollars is a felony. So they knew they knew that if they just if they got caught it'd just be a misdemeanor slap on the wrist or whatever going on going. In that regard, right?
Yeah. So it's all very intricate, right? There's, as this relates to why do I even bring up this intricate story, right?
ProAdvisor Profile Vulnerabilities
---
Dan DeLong: Because this is part of the Dean of Mining that I think back few months ago, a lot of accountants were getting these spam requests from their, ProAdvisor profile, right?
It would be, yes. [00:15:00] Hey, we're, we need some training.
Rachel Dauchy: Oh, everybody was getting that and I got a ton of them. It's so annoying.
Dan DeLong: You as a ProAdvisor trying to use the, your ProAdvisor profile as a way to get legitimate business, right? What's the first thing you're gonna do? Is at least the first time that you see that I'm gonna reply to that.
Rachel Dauchy: Yeah. And also it my old mentor used to tell me that you had to reply to those because. If you didn't, you were ranked lower in the ProAdvisor search. So she told me, always reply to them because then the algorithm knows that you're replying. And so
Dan DeLong: here's the, and then I
Rachel Dauchy: don't know.
Dan DeLong: But here's the thing, right?
When you apply the way that you reapply, no, I'm sorry, not apply. Reapply, re reply. When you [00:16:00] reply, it doesn't all go through just your QuickBooks. ProAdvisor profile, you can still see it there, but when you reply to those responses, what, in whatever route, right? They now can see your email, right?
Because now they have a, an access point, and that is the first step of this whole process of compromising your account.
Rachel Dauchy: I see. I see. So once they see your email, then they can start running those bots to try and log in.
Dan DeLong: No, nothing. Nothing like that. This is actually, oh, they could, right?
They could start if they've purchased a whole bunch of compromised passwords and things like that on the dark web, perhaps. Yeah, I'm not a bad actor, so I don't know. Yeah. All the intricacies of [00:17:00] what they could do. I'm sure there are plenty of things that they could buy to start just logging in, but.
The security measures that are already in place, if they log in out, if they log in outside of the normal workflow, MFA is going to kick in, right? Yeah. So in which case, if they guess your password, whatever it is, you're gonna know about it because you're gonna get a code. So how would they get around that?
So that's what we're gonna talk about.
Rachel Dauchy: That's what I wanna know.
Dan DeLong: Yeah.
Rachel Dauchy: Because I feel like every once in a while I will get a code. And I'm like, I didn't request that code.
Dan DeLong: Yeah. That and that certainly could be something logging in on your behalf that you're not aware of, or it could be someone [00:18:00] that you don't know logging in, not on your behalf.
I'm, oh, whoops. I'm putting in the the QR code and I didn't even see it up there. But here's the article that we're gonna, we're gonna run through here, but here's the, this hang it. I didn't wanna,
all right. When you go to sign in. All right. First thing, come on now. I didn't wanna show that I had it up just fine. And then, okay all right, I'm gonna, I'm gonna sign in here. Yeah. This is what I want. So there's three ways that someone can sign in, right? So if they've got the password, they can sign in right now.
Now there's this passkey, and we have an article on.
Rachel Dauchy: Yeah, and we've talked about that before.
Dan DeLong: Yeah we talked about that. Yeah. That [00:19:00] just avoids this whole MFA two factor authentication code thing. But still doesn't matter if you have a password, right? Yeah. Texting a code, calling with a code, and then this way verify my account a different way.
Takes longer, right? So let's, take a peek here. All right, so let's get you back into your account, right? Let's, what do you wanna update is the first question that it asks? Email, phone number. Email and phone number. So if I choose email, here's all I need in order to start this whole process.
I just need the current user id, which if you're using your email address as your user id. That's all they need. Which they've gotten by sending a phony request. Yeah. And you've replied to it. And
Rachel Dauchy: you replied. Yeah.
Dan DeLong: So current, I, current user ID, [00:20:00] current email, which could be one and the same, and then new email address, and then,
Yeah. Confirming that new email address. So this is current login and fraudster login, and then when they continue, the only thing that they're gonna be asked for is to upload a valid ID.
Rachel Dauchy: Which they could, pull anybody's picture off of the internet.
Dan DeLong: Yeah. I, and put together since happy days, fake Id ever since Happy days.
Fake IDs have been a thing, right? They could go
Rachel Dauchy: down to RA Street in downtown LA and go get themselves a fake id.
Dan DeLong: Yeah. If they're willing to purchase your, your, password. They probably know a way to forge
Rachel Dauchy: Yeah.
Dan DeLong: A, a realistic looking id, so Okay.
Rachel Dauchy: That this is very scary.
Dan DeLong: Yeah. And this [00:21:00] is what I've been talking about for the the last few, months and this is how Yeah. It's really helpful
Rachel Dauchy: to see it visually like this.
Dan DeLong: Exactly. But my
Preventive Measures and Best Practices
---
Rachel Dauchy: question to you is, okay, the key is that you don't wanna be using your email address as your customer Id. Or current user id.
User id.
Dan DeLong: That is one step. That is one step in the process. Okay. It's just, that's like locking your doors. Locking your car doors. Uhhuh. It will keep the it will keep people honest, if you try the door and the door's locked. Okay. I'm not gonna, yeah, I'm not gonna go in there if making, they could still bust
Rachel Dauchy: through the window.
Dan DeLong: Exactly. If they still wanna get into your car, there are ways that they can still do that. So that's one thing, but again, that's not all of it. Okay. And we'll talk [00:22:00] through, what another Rachel, has socialized and I document it in the, article.
Okay. So here's, here is the vulnerability at Intuit. And until they put stronger restrictions on this, in order to recover your account, you there, there is still a vulnerability and that's, wait a minute,
Rachel Dauchy: should we put a disclaimer here that says, Hey, thieves and fraudsters, don't watch this.
Dan DeLong: Maybe. Or they could. Probably their algorithm is something that, that they'll probably they probably either already know about it or they're watching anyway. Yeah.
Rachel Dauchy: Or they're probably not watching our workshop Wednesday, how to do things. Correct. In [00:23:00] QuickBooks online, they're probably searching how to.
How to hack into things the illegal way. Yeah,
Dan DeLong: exactly. Oh, two people just dropped off. So maybe those were the, maybe those were the fraudsters. Oh my gosh. Anyway, all right, so here's part of the challenge, right? So the. We wanna make it as difficult as possible for, for fraudsters to get through this vulnerability.
Because again, all they need is a fake ID and your email address. And because what happens after that is when your email, when your identity is verified through that, through that ID, then Intuit will send a password request to the new email. Yeah. Yeah. So anything about passkeys, [00:24:00] MFAs, and your password is really out the window, right?
It doesn't matter how strong your password is if it's, if you're able to reset your password with just updating your email address. So that yes, you'll get an email saying to your old email that your email was updated. So that will be the indicator. If you're getting a flood of emails at the same time, you may miss that.
Intuit is very email communication focused. Yeah, a lot of people have rules about Intuit emails going into a certain area, and maybe they'll check the, on daily or something like that. So it certainly is not some, not something that someone will be able to be like, oh, okay.
I see it happening. I [00:25:00] the latest thing that, that brought this up to the surface, again, they were watching in real time, someone adding. Users to their account. Yeah. And they would go right in and delete them. Yeah. So they they were battling with the bad actor live on in in their account.
But what if you did
Rachel Dauchy: this, what if on your ProAdvisor profile you put to prevent fraud. If you are interested in my services, please reach out to me at this email address. And it's not an Intuit login email address at all.
Dan DeLong: Yeah. that that is putting a buffer between your login and the communications is all part of the.
The protection that we're, that we, yeah. That we're talking about here. Again, it's [00:26:00] not I'm not gonna make any claim that this is foolproof because fools are so ingenious.
Rachel Dauchy: Yeah. Yeah. And leisure artists just said, change your financial and email passwords when you change your clocks. Yeah, totally.
And guess what? I change 'em more frequently than that because I, feel like I see any weird little thing and I immediately go in and I change my email password. I'm like, Nope.
Dan DeLong: But the thing that I'm saying, and I appreciate, those, is that your passwords are useless in this case because there is this vulnerability,
Rachel Dauchy: right?
It's because of the they're dangling a carrot with the Please respond in my Intuit profile. And that's how they're getting your, yeah. Intuit related email.
Dan DeLong: Yeah. Re regard regardless of how they're getting it, this screen that we're showing [00:27:00] right here is the vulnerability. Because all they need is that one thing. And then they can change. That thing.
Rachel Dauchy: But they might not know your current email. Exactly.
Introduction to Email Security Measures
---
Rachel Dauchy: So Exactly. If they dunno your current email, then no.
Dan DeLong: So here in this blog article, is, all about that. So Rachel Barnett at Gentle Frog.
Oh yeah, She, she, socialized this and I just leveraged that to make this, article. But here's the implementation thing.
Creating a Backup Admin Account
---
Dan DeLong: First, you want to create a never used backup admin. So you would create an email address, which can be an alias and, I'll show you how to, do that in, Google workspace in here in a second.
But you create a super secret at your domain login, right? [00:28:00] A-A-A-A-A-U user id, right? And then in QBOA, add that firm user as, as an admin. A company admin, but you never use that. Got it. That is only, for you to get in case of emergencies. That's the, login when you have to break the glass.
Yeah.
Setting Up Alias Email Addresses
---
Dan DeLong: And in there you can also create various other aliases so that email address is not visible and that sort of thing. Then your operational primary the, which is the user ID that you use to. To do your work. You set an email address that's different than your real email address, Right. This example is, I'm not telling at Yeah, your domain.com. Yeah. And you make this the QBOA owner and the daily admin. But you're also gonna go in and modify your login and your contact [00:29:00] information inside of QBOA to this new, email address. That is an e that is an alias.
Implementing Proposal-Only Users
---
Dan DeLong: And then the third thing is to create a proposal only user, or a, an invite only user that has minimal access, right? So they have minimal access to your firm or your other clients. So when you get an invitation from a client. It will be sent to this quotes at your domain, whatever that Yeah.
Hap happens to be. And then as soon as you get that invitation, you remove that user from, from the client. And then that if that particular user gets compromised, they don't have access to any client. So now you're, putting in this buffer of an invitation only user. That has very [00:30:00] limited access.
Your email addresses and logins have various layers in between them so that what they see is not what they get.
Rachel Dauchy: Okay.
Dan DeLong: And then, this
Rachel Dauchy: is all just for solo practitioners.
Dan DeLong: Yeah. And then down below we have the implementation for multi staff, which is really just adding a different.
Sub, or username and then additional processes to audit your stuff in here. So I've put in here how, do you create an email address and an email. Email, yeah.
Rachel Dauchy: This is I, feel like I've done it, but I would like the, like correct step by step.
Dan DeLong: And of course it's not showing so.
Okay. All right.
Google Workspace Configuration
---
Dan DeLong: So you log into your Google work, [00:31:00] the thing at the top says log into your Google Workspace admin, and then you click the admin button. And then that gets you into be able to, okay, let me just refresh the page. Let's just, there we go. Okay. So I tried to, blur out anything that was.
Identifiable to myself but I you log into your admin workspace and you can do this also in your Microsoft or Outlook account as well. But I don't use that, so I don't, I couldn't do, I couldn't walk through it. But then you go into your users, you manage the users, manage yourself, right?
So you're the main admin. And then there's a an option called add alternative emails, right?
Rachel Dauchy: Ah, okay. Yep. I know exactly where that says.
Dan DeLong: And then when you go into that, then you're gonna be creating those [00:32:00] multiple email addresses, right? So you've got your super secret, you're not telling.
And your quotes, all of those are gonna be tied to your real email address so that when emails come to those email addresses, they will come to your real email address. But at no point externally, your real email address is exposed unless you reply, yeah. To those, emails. Okay.
So then sorry, the screenshot got messed up here. But then you're gonna go into the your portal your QBOA portal and then add new users in the into your team. This is the quotes only user, right? The [email protected]. Standard, no access, right? So they don't have any access to your books or your firm.
They only have access to clients, right? That's the standard only, and then you save it, and then that in that invite is gonna come to your [00:33:00] regular email address. You create a user id associated with quotes at your domain, and that is the user that would be used to accept those invitations, right?
And then you do the same thing for your backup. Your backup admin, right? So now you've got.
Final Steps and Best Practices
---
Dan DeLong: Three users, one that is your user that you would do your daily work. One is just the backup admin user. And then the other is the quotes. Right now you're gonna receive, this is where you're gonna, you're gonna receive two invitations to your main inbox.
You accept each one and create a login under that email address of which each one is was assigned to. Then you're gonna go into your Intuit account. And if you see this new user ID might make it easier to sign in alert, you can review your user id, otherwise you can go into the sign in security and update your user id.
So [00:34:00] at that point, you change your user ID from an email address to a user id. And it, it has to be unique, right? So it just has to be, it's different than anybody else's login. Incidentally I picked one and then I signed in and reversed it, and then it wanted to send an email to someone that wasn't me.
So I'm like, oh my goodness. Okay. So I, need to make sure I put in the right user ID when I'm signing in. Otherwise it's gonna think something else. So you want to. Create a user ID that's not your email address. It can be an email address, but it's not your real email address. 'cause that's just the way you sign in.
And then you would go in and update the email address to the one that the alias that you just created. [00:35:00] That was super secret, so that way it's now going to have that email address for communications. Which is not your real email address. So that's, the thing. Which means that anytime that any of these bad actors happens to get ahold of that and try to do these things, you're gonna get notified and you're gonna get notified on your real email address.
Not, the one that might be compromised. So you're gonna get the, the six digit codes, when that happens that's gonna code anytime that you make a change to your account, you're gonna get these two FMA, the two FA codes, the six digit codes are gonna come to that email address.
And then you enter that in, and that's that. And you also get this email confirmation that your email was updated, right? So those are the ways that you can put a [00:36:00] little friction in between you and the bad actors, if they were happening to compromise your invite or
Rachel Dauchy: and your solo practitioner.
Yeah, it's just, and.
Dan DeLong: Yeah. And then down here is when you have a, when you have a team just some suggestions.
Rachel Dauchy: Oh,
awesome. Thanks Rachel. Yeah, that's really cool. And I'm guessing you can follow She's got it step by step. Yeah.
Dan DeLong: Yeah. And then other checklists of things to, to do.
Making sure your passwords are unique, 20 plus characters, stored in a password manager, prohibit reuse, right? Yeah. Those are all best practices. But again, these passwords, the MFAs, the passkeys, the authenticator apps, they don't get around this [00:37:00] account recovery issue, right?
Yeah. Be because once those, bad actors have access or not, necessarily have access, but just know your email address. Yeah. That is, that nugget of information. Yeah. So
Rachel Dauchy: long story short, it's protect that Correct. True email with aliases and they can not use this particular thing.
Yes.
Dan DeLong: Yeah. Because this, is the vulnerability and this is the, the way that, that, bad actors are getting around all of these other security measures that are in place. So would you
Rachel Dauchy: say that anybody that's able to hack into any accountant's or bookkeeper's QuickBooks is this way? [00:38:00]
Dan DeLong: I think this is the route that they're going, this
Rachel Dauchy: is what they're doing.
Dan DeLong: I am just speculating. I have no, I can neither confirm nor deny. Yeah. Just knowing what I know about the process of what happens after this happens. Yeah. What I don't know is how scrupulous and stringent they are on confirming that the ID is valid and verifying identity based off of that.
Rachel Dauchy: Yeah. Now can I ask you what I wanted to ask you about this other thing?
Dan DeLong: Sure.
Rachel Dauchy: Okay, so I, this is what I am considering.
Discussion on Practice Protect and Right Works
---
Rachel Dauchy: So have you heard of, it used to be practice protect. But Practice Protect sold to networks. Now I actually used, which is now Right
Dan DeLong: Works.
Rachel Dauchy: Right Works. Sorry. So [00:39:00] I, and I think Networks became Right Works. Yes. Okay. So I used to use Practice Protect, but years ago, and it was just me and then I realized. I'm just a solopreneur, so I, it just was too much for Yeah, just me. And it's really meant for teams, multiple people logging into lots of different things all at once.
Now that I have a bigger team I'm seeing all these vulnerabilities and so now, it's now works that now has the product and it's basically. A one login, you log to this single force field, single, that sort of a single sign
Dan DeLong: on
Rachel Dauchy: Yeah. All of your apps that you get into, including QuickBooks. And the idea is nobody can get beyond that single sign on and. [00:40:00]
When I did have it before, there's a couple features that I thought were really cool. You can basically see anybody that's trying to access
Your sign-on and where they are throughout the world, and I thought that was really cool. Now I'm wondering though, is there any vulnerability, like what we just went through of getting into that single sign on?
Because, and if is that true that once you get into your system with that single sign on, then do you still have to do all these 2FAs? Do you still have to do all this? I have to look into it a little bit more, but I was just curious to know what you know of that.
Dan DeLong: It's it's no different than a password manager, right?
That you have, right. Where you have a master password and then, uh-huh, all of your passwords, your unique passwords are after that. So again, just like what we're [00:41:00] talking about with your accountant login, it's only as secure as that login in that process. I would, I would imagine, I would hope that services that are saying that they're protecting your practice have a different aspect of being able to get through that, that option. Yeah, because
Rachel Dauchy: I guess my question is, okay, fine. You can't access all of these apps unless you go through this front door. Yeah. But let's say I've got my LastPass within this force field, right? Couldn't somebody just lock hack in the LastPass and has nothing to do with this external protection? [00:42:00]
Dan DeLong: It's potential. It potentially, yeah. So
Rachel Dauchy: that's what I'm, and again, could, couldn't somebody still get ahold of your if you are responding to your Intuit inquiries and they could still hack in that way. I don't think these practice barriers are disabling the ability to do any of that.
Dan DeLong: They, wouldn't necessarily be doing, that because this is the that's the challenge. Unless your, unless they put something that you can't log in except through here.
Rachel Dauchy: That's what I was curious. Is that what they do? I don't know.
Dan DeLong: Yeah. I know, of other people who have legitimately been locked out of their account because they were outside of the country when they were logging into QuickBooks. [00:43:00]
Yeah but
Rachel Dauchy: I do know though that like when I did have Practice Protect before and again, now it's owned by this other company and I don't know what the same protocols are, but you can. You can, be in contact with them and let them know, I'm physically gonna be here, I'm physically gonna be there.
And that's part of the service. And then that way you, don't run into that issue.
Dan DeLong: Yeah. So yeah, I don't know if that will stop anyone from trying to, reset your, password if, they go through this process,
Rachel Dauchy: does have that ability to say. You, cannot log into anything unless you go through here.
That is what I'm interested in. And if I do find out, I'll keep you posted. Yeah. And then maybe we can further
Dan DeLong: because all other
Rachel Dauchy: Discuss that
Dan DeLong: all other softwares that are services are, could potentially be [00:44:00] vulnerable to that too. Yeah. But the thing the, thing is that, the here where the rubber hits the road here.
With regards to this, and originally I was like, if they're, if you're sending a, an ID, right? I mean that, that is proving who you are, to Intuit. And I assume they're doing their due diligence on that, sort of thing. But. I, started to look at what does it take for you to change your, or update your contact information or your email address or phone number at your bank?
And when you do that at the bank, they ask you something completely different, right? They ask you, what's your debit card number or your account number, right? Yeah. Or they ask for other information that presumably you would be the one to know. Or at least have access. Yeah. So I get
Rachel Dauchy: [00:45:00] on it like, let's, why are they doing this?
This is absurd. It should be more, the only thing
Dan DeLong: they're asking for here is what's the old email address? Which is Yeah. Pretty readily available. And I'm wondering
Rachel Dauchy: You know how I have clear, it's like I go to the airport and it like scans my eyes. Yeah. And then it knows d can't we do something like that where I don't know.
Dan DeLong: Yeah, that's maybe it's
Rachel Dauchy: like they won't take. A physical fake I, potential fake ID. It's gotta be you. Yeah. Just live with them where they can scan your eyes. I don't know. Yeah.
Dan DeLong: Some kind of biometric eye retinal scan. I, don't know what it's ultimately gonna boil down to, but just having to take your shoes off, right?
These things are reactionary to to somebody already. Doing it right? Yeah. There's going to be another thing that [00:46:00] iteration, and this is the reaction is hiding and obscuring your email address. Yeah. From your login, from your Intuit login. Yeah. This is the taking of your shoes off.
Yeah. As it's a pain in the behind to be able to do thi to have to do this, but this is protecting all of the other passengers. On the flight here. By doing that because as if your login does get compromised it is a headache. It's a bigger issue because Intuit and QuickBooks is providing simpler access to.
Real money movement, right? Yeah. And
Rachel Dauchy: It's, and there's nothing more horrifying than having to go to a client and say oh, guess what happened? Luckily nothing like that has ever happened to me. I have had two clients that they've been [00:47:00] hacked.
And in one of 'em, they got ahold of my email address.
Yeah, that's. It's awful. So anyway, I'm gonna follow those steps that, that she put. 'cause until I make a decision about this other thing, I'm gonna follow the one for teams and I'm gonna put all those things in place because I still have 45,000 two-factor authentications and all I do all day is sun codes.
All I do. But I still feel like that's not enough.
Dan DeLong: Yeah.
Inviting Accountants via Firm ID
---
Dan DeLong: Yeah, so that's, that's that as far as that is concerned Now you and I actually did a, a different way to to invite an accountant that avoids the whole email. Because [00:48:00] that's, another challenge getting if you don't get the email, it's spam filtered out or something like that.
Yeah. Especially, now that you added on, because that's
Rachel Dauchy: what was happening is I wasn't getting the email. So we set up a, additional user with that email address.
Dan DeLong: But now, but
Rachel Dauchy: But that doesn't fix the replying to the inquiries.
Dan DeLong: No. It doesn't fix that part. However, if. You are having a challenge, getting the invitation right, getting the invitation into your inbox because you now have higher security on your emails getting to you.
There is now an option to be able to invite through the firm ID, right? Yes. And
Rachel Dauchy: I just did that to you yesterday. Yeah. And that's actually great.
Dan DeLong: It's actually really cool. So the way that it works is when you go into, the account that you want to invite people to.
Now we're not talking [00:49:00] about inviting team members into QBOA that we're talking about being invited as an accountant. Yeah. In inside of a QuickBooks Online general subscription Simple Start through Advanced. When you go into the managed users and the accounting firms, there's now a new option, to invite by firm.
So all you have to do, and all I had to do was provide to Rachel, my firm ID for QBOA and that's all she had to put in was the firm ID. Yeah.
Rachel Dauchy: No name, no email address, n nothing.
Dan DeLong: And then all I had to do was log into my QBOA and then there's a section for a client invitations, and all I had to do was accept it.
Yeah. So I didn't have to. Click on a link that was in an email and then log in. It was already there because I was able to provide my firm [00:50:00] ID to to, to Rachel. So that can be a practice. And actually
Rachel Dauchy: what I'm gonna do now is I'm gonna I, have a scribe, like a step by step for this is how you invite me into your QBOA.
Yeah. I'm actually gonna update that and I'm gonna have, 'cause now I actually, right now I have somebody. You know that I've I've had to say, please use this email address when inviting me in. And they think it's just the email address that they email me, and it's not, it's a different email address.
So that is a potential mistake. And then now I have somebody who is I have to remind please invite me. And so I, wanna have just this one way, this is how you invite me in, right? Here's the instructions. There you go. Here's my company ID. But now I'm a little worried though, is can they, is there a way for them to get into, for hackers to get into my [00:51:00] QBOA if just through a company ID?
Dan DeLong: No, not really. Yeah. Okay. Because you would still you still need to sign in first. And then it's gonna present to you all of the firms and, and company IDs or companies that you would have access to. Okay. At that point. So you gotta get the login first, and that's why we're stating QuickBooks is as secure as your login,
Rachel Dauchy: right?
So the, as long as nobody is able to monkey with your login, there's no other way they can get into your QBOA.
Dan DeLong: Yeah, I don't wanna say no. I have a difficult time agreeing to absolutes.
Rachel Dauchy: Yeah.
Dan DeLong: Because I'm sure there are ways to do that. It's just a challenge to be able to, to be that.
Okay, all [00:52:00] right, now we have to take our shoes off. Now we have to put, all liquids in a quart-sized bag and yeah. Who would've thought of that? You know when that occurred, right? Yeah. And thank goodness we didn't have to take our underwear off when the underwear bomber
Rachel Dauchy: yeah.
I'm no IT person, but I have learned, as a firm owner that has to deal with very. Careful security now for several years that I've learned that it's through. The login usually is how mu 99% probably of all of these things happen.
Dan DeLong: So if Intuit is listening, and I hope they are, do something about that process.
Yes.
Put something in, put some more friction in the way,
Rachel Dauchy: don't have it be just they have to upload an ID, have it [00:53:00] be where they have to have a physical meeting with you, even if it's a five minute thing.
Dan DeLong: Or tell us what is the process like? What are the scru, what is the procedure to confirm that what is being provided is accurate.
And I know from, when we required, ProAdvisors to upload IDs, there were all sorts of bad. Pictures
Rachel Dauchy: ID and great grandmother's maiden name and blood type and f first street you lived on and all kinds of stuff.
Dan DeLong: Yeah. And it's getting that way that it's harder to prove who you really are.
When you need to, these bad actors have a, great way have a, have an easy, easier [00:54:00] road than the real people who are trying to pro
Rachel Dauchy: yeah.
Dan DeLong: Prove who they are. I had this with a, with an old Stripe account today. The original owner, passed away. So we were trying to change it over and I had this interview from Stripe to be like, all right gimme this information, Yeah. Oh my God, I can't see that. He's passed away. I don't know what his birthday was. So it's getting harder to prove who you are Yeah.
Than it's, to actually safeguard your own account. Yeah.
Concluding Thoughts and Future Topics
---
Dan DeLong: So next week we will talk about the Square integrations and updates on, those applications. And hopefully you all had a have a great week ahead and we appreciate you joining us on the Workshop [00:55:00] Wednesday, and we will see you next time.