Thursday, 5 February 2009

Security Matters?

HMRC has been taken to task by Richard Clayton, a security expert at Cambridge University and adviser to the House of Lords committee on personal internet security, over the security of its online filing system.

It seems that people filling in the online tax forms could be at risk of allowing others to access their personal details, because the username field has an auto-complete function.

Computing quotes Geoff Westcott:

"Click on a link to open the 'about you' page, for example, and there is my password clearly displayed in the browser address bar for all to see. Print off any page and the password is printed as part of the URL.

Bearing in mind that the username on the log-in page is an auto-completed field in many browsers, a phisher now has all the information they need to log in and access any and all of my personal information."

Richard Clayton said that such a fault was "foolish" and "not regular practice". He noted that being able to see someone's tax exposed the taxpayer to possible ID theft.

Westcott claims to have reported the fault to HMRC twice, but has yet to receive a response.

HMRC contest the claim and note that the URL shows a unique taxpayer record (UTR) number, not the password.

Tax does have to be taxing.

HMRC Is Shite (www.hmrcisshite.com), also available via the domain www.hmrconline.com, is brought to you by www.kenfrost.com "The Living Brand"

7 comments:

  1. HMRC have always had an auto-complete function.

    I know, I've experienced it.

    Ve haf auto-completed (and auto-overwritten) your gwoss earninks box for ze year. Ve calculate zat you made £150,000 from your part-time business and so you will be sending us a cheque for £everything you own und ze dog und ze dog's new bed within seven days. If zis is not true zen kindly forward seven different kinds of proofings und ve will maybe send back ze cheque or maybe not. Ze dog however, ve vill keep as it vill make a gud liddle sniffer doggy.

    Apologies to anyone else who heard that (very) little Allo Allo-ish accent as I typed (I will be turning myself into the nearest PC Realignment Centre for the hard of caring first thing tomorrow mornink. I mean "morning").

    The online system simply carries on this HMRC tradition of plucking silly figures out of their Arsenal Villa are doing amazingly well this year aren't they?

    Incidentally, in another security breach, the word verification for this comment was "blessem". I kid you not. Even blogger is getting sarcastic these days.

    I still miss the dog.

  2. Talking of security... remember the payoff Paul Gray had after he quit over the datagate fiasco?

    "no reward for failure"
    http://news.bbc.co.uk/1/hi/business/7871828.stm

    Yet again... double standards.

  3. Differing stories there. Does it show the password or the tax reference? I will have to complete my tax return again to check which is true. On second thoughts I think I'll pass.

  4. So - HMRC say that the information displayed in the URL is the UTR and not the password. So that's alright then. Except that - if I give out the UTR over the phone, even to an authorised representative or the taxpayer themselves (who have successfully completed a 5 question security interrogation) I get hauled over the coals. We can only send out the UTR by letter post - or in a URL it seems. The security at HMRC was conceived by amateurs and deployed by the lunatics that took over the asylum.

  5. Did you hear the one about the lady who attended a Data Security Workshop held at an HMRC building?

    Apparently sitting through both the morning and afternoon sessions, and enjoying the departmental coffee and sandwiches, she obviously found it all to be a worthwhile exercise.

    The fact that she was actually a member of the public, who had mistakenly wandered in to the building, only came to light when the facilitator asked everyone present to hold up their Data Security booklet, and of course the lady had to admit that she hadn't actually been given one.

    You couldn't make it up

  6. I think I foresee tomorrow's blog entry...

  7. Hurrah! I was right. I probably deserve a prize or something.

    One of these days I'm going to make up a tall tale, post it here, and see if it makes it to the blog. How about: "Hartnett, Strathie and Clasper in three-in-a-bed shocker"?
