Monday 31 October 2011

HMRC Hackers



There was a rather interesting article in yesterday's Sunday Times, about hackers gaining access to HMRC systems and diverting tax refunds.

The article also refers to an earlier piece on this site (published in June 2011) about 91 client accounts being hacked. The Sunday Times uses the "polite" alternative domain name of this site, www.hmrconline.com.

Here is the article in full:

Tax rebates stolen by Revenue and Customs hackers

HMRC has emerged as the most recent target of hackers after fraudsters tap refunds system and divert funds into their own accounts

Jon Ungoed-Thomas and Cal Flyn


Fraudsters have found a way to hack into government tax records and divert refunds meant for others into their own bank accounts.

An investigation by The Sunday Times has revealed that criminals are secretly examining HM Revenue & Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.

Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.

Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.

HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.

Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.

“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.

The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.

One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. A security expert said the claim was credible but HMRC denied its systems had been compromised.

Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.

Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.

She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.

Ralph Hayden, a chartered accountant at GW Cox & Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.

He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.

“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”

On hmrconline.com, a blog about the HMRC, one taxpayer reveals that his accountant was also targeted. The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.

“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.

“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”

Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.

Jason Hart, managing director of Cryptocard, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. It’s an invisible threat because they can get into your system at any time and you don’t even realise.”

A spokesman for HMRC said: “We take the security of our customers’ data extremely seriously and we do not discuss the details of our security defences ... We actively monitor repayment transactions and continue to address any fraudulent repayments.”



Tax does have to be taxing.


HMRC Is Shite (www.hmrcisshite.com), also available via the domain www.hmrconline.com, is brought to you by www.kenfrost.com "The Living Brand"

7 comments:

  1. Nice work Ken. You're going mainstream. Don't forget us little people:) Now they are aware of the site, hopefully they'll have the balls to follow up on some of your posts. A new day?

  2. LOL:)

    Thanks

    "Mainstream" media have always been worried about offending their readers, and won't print the "shite" part of the name of this site;)

    Hence I suspect media won't be knocking my door down just yet:)

  3. It's one thing for the Times to blame us, the poor sods at the coalface, but to accuse HMRC of being hacked and then state "The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online".... Anyone with someone else's user details can access the records. It's not rocket science. No different to stealing a bank card and PIN. How they came about that info should be the reason for the article. If 1 agent has suffered the same thing for 18 clients, maybe they are to blame?!?

    Don't get me wrong, I've been in HMRC for more years than I dare think about and blame them for all my ills and ailments, but this seems a little one-sided.

  4. I don't believe they have been hacked; it must be the users. The user makes the password; HMRC do not have access to it. The user ID is randomly generated and is a mix of numbers and letters. They are posted to agents who log in using it and their OWN password. Sorry, not the fault of HMRC this time.

  5. In my experience rocket science is actually relatively straightforward, it's rocket engineering that's the tricky bit.

  6. There was a discussion on this site just over 4 months ago that HMRC should answer any old query that comes to it via the e-mail system.

    Most of the discussion centred around HMRC being unhelpful by following standard security procedures followed by financial institutions that for customer service/efficiency reasons carry out some business online.

    During the discussion, someone iterated that apparently their bank do business with them via simple e-mail (which has absolutely no verification procedures whatsoever). The argument then degenerated from that point due to blinkered points of view.

    So, where do HMRC draw the line when it comes to providing a customer service to individuals that obviously is open to abuse against providing a customer service to accountants that obviously is open to abuse?

    A reference was made to banks providing extra security over and above HMRC as follows.

    Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.

    This is not a uniform policy by the 'big banks' (a media-friendly term if ever there was one). I have never received such a contraption that apparently the big banks uniformly provide to all customers.

    Also, having worked in a section that has replied to customers' appeal letters, a percentage of those believe that HMRC should reveal their online password over the phone when they phone HMRC on 31 January. Could you imagine the chaos caused if customers had to then put in a randomly generated sequence into a website to identify themselves?
