A Moscow-based password-recovery vendor Thursday accused Intuit of hiding a backdoor in its popular Quicken personal finance program that gives it—and perhaps government agencies—access to users’ data files. Intuit called the charges baseless, and said that although there is a way to unlock Quicken’s encrypted data, it’s used only by the company’s support team to help customers who have forgotten their passwords.

In a statement, Elcomsoft, a Russian maker of password-recovery tools, said Quicken versions since 2003 have used strong encryption designed to foil hackers. But those editions also have a backdoor that unlocks the encryption with the 512-bit RSA key that Intuit controls.

“It is very unlikely that a casual hacker could have broken into Quicken’s password protection regimen,” Vladimir Katalov, Elcomsoft’s CEO, said in the statement. “[We] needed to use advanced decryption technology to uncover Intuit’s undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key.”

Elcomsoft then theorized that Intuit added the backdoor so law enforcement and other authorities, from the U.S. Internal Revenue Service to the FBI, could open password-protected Quicken files. “Unfortunately, the existence of such a backdoor and key creates a vulnerability that might leave millions of Quicken users with compromised bank account data, credit card numbers and income information,” Elcomsoft charged.

Harry Pforzheimer, who heads Intuit’s communications, dismissed the idea. “We certainly do not design any of our products with any access for any agency,” Pforzheimer said. “If any government agency wanted to get into a Quicken file, they have lots of other ways of doing it.”

Pforzheimer acknowledged that there is a way to access encrypted Quicken files without a password, but that the ability is hardly secret.
“It’s for Quicken users who have forgotten their passwords—and only done when they call customer service or support.” In fact, a quick search of Quicken’s support site revealed what Intuit calls its “password removal service,” which for $9.95 per file, scrubs out the password and then returns the unprotected file to the user.

Pforzheimer was mystified by Elcomsoft’s allegations. “We heard from them only a couple of days ago via e-mail,” he said.

Elcomsoft was in the news nearly six years ago, when in 2001 one of its employees was arrested at a Las Vegas hackers conference after giving a presentation about company software that unlocked the copy protection on Adobe Systems’ eBooks. Charges against Dmitry Sklyarov were later dropped in return for his testimony during an ensuing trial, in which the Russian company was brought up on criminal charges under 1998’s Digital Millennium Copyright Act. Elcomsoft was acquitted on all charges in a jury trial that ended in December 2002.

Elcomsoft officials were not available for comment.

—Gregg Keizer, Computerworld (US online)