2016 IRS Free e-File Audit & Honor Roll

Tax time is "Christmas" for cybercriminals. CASC members Symantec and DigiCert cover what to look out for this tax season.

3/8/2016 © 2016 Online Trust Alliance. All Rights Reserved. Updates: visit https://otalliance.org/TaxFraud

Slide 1: 2016 IRS Free e-File Audit & Honor Roll
Briefing, March 8, 2016

Slide 2: Program Panelists
• Geoff Noakes, Senior Director, Symantec
• Flavio Martins, VP of Operations, DigiCert
• Mike Jones, Director, Product Management, Agari
• Craig Spiezle, Executive Director & President, Online Trust Alliance
• Jeff Wilbur, Chairman, Online Trust Alliance
Slide 3: Who is OTA?
• Mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet.
• Goal to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity.
• Collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.
• U.S.-based 501(c)(3) tax-exempt charitable organization.
• Global focus & charter.
• Supported by dues, donations and grants.

Slide 4: Why We Care
• Tax time is "Christmas" for cybercriminals.
• Increased precision in targeting taxpayers:
  ▫ Spoofed & malicious email
  ▫ Deceptive search ads
  ▫ Look-alike domains
  ▫ Malicious advertising on legitimate web sites
• Account takeovers and ransomware targeting tax providers and businesses.
• Ongoing attacks targeting the IRS & state agencies.
• Decreasing consumer trust.
Slide 5: Audit & Honor Roll Objectives
• Promote best practices and provide resources to assist the public and private sectors in enhancing their security, data protection and privacy practices.
• Recognize leadership and commitment to best practices that promote online trust and confidence.
• Offer assistance to the IRS and e-file sites to help improve their consumer protection, security and privacy practices.
• Assist consumers in making informed decisions about the security and privacy practices of sites they frequent.
• Shift the discussion from compliance to stewardship.

Slide 6: Disclaimers
• OTA does not endorse or recommend any e-file service.
• Analysis and methodology are based on global industry standards for data security and responsible privacy practices, in addition to the IRS's e-file security mandate.
• Users should review any service provider, banking and commerce site and consider its practices and policies based on their own "risk appetite."
• Data may have changed since the audit.
• To date, the Free File Alliance, a trade organization created to advance the business interests of e-file firms, has yet to respond to OTA's offer to review and assist its members.
Slide 7: Audit & Honor Roll Overview
(Scoring categories: Consumer Protection, Security, Privacy)
• Analysis of ~1,000 web sites:
  ▫ FDIC Banking 100
  ▫ Internet Retailer Top 500
  ▫ Top 50 Social
  ▫ Top 50 News/Media
  ▫ Top 50 Federal Gov't
  ▫ OTA Members
  ▫ Top IoT 50 (Smart Home, Wearables)
  ▫ 2016 Presidential Candidates (23)
  ▫ Free e-file Tax Sites (13)
• Scoring:
  ▫ Up to 100 points in each category
  ▫ Bonus points for emerging practices
  ▫ Penalty points for vulnerabilities, privacy policies, data breaches, fines/settlements
  ▫ Honor Roll = 80% of total points, and 55% or better in each category

Slide 8: e-file Sites – How They Compare
(Chart)
Slide 9: Honor Roll vs. Failing Grades
E-FILE TAX FILING SERVICES ONLINE AUDIT RESULTS

Honor Roll          | Failed
--------------------|--------------------
eSmart Tax          | 1040.com
ezTaxReturn.com     | 1040Now
FreeTaxUSA          | FileYourTaxes.com
H&R Block           | Free Tax Return.com
TaxAct              | Jackson Hewitt
TaxSlayer           | OLT On-Line Taxes
TurboTax            |

Slide 10: Comparison of Failure Rates
(Chart)
Slide 11: Reasons for Failing
• 4 sites had no email authentication at all.
• 3 sites failed Site Security: old ciphers or lack of current protocols.

Slide 12: Consumer Protection
Can the app or website be spoofed, fooling a person into opening or downloading an update, opening an attachment, or simply opening an email that carries a drive-by exploit? Does the site or app follow best practices to help prevent brand-jacking and domain abuse?
• Base points:
  ▫ Email authentication: SPF and DKIM at the top-level domain and subdomains
  ▫ DMARC record and policy
  ▫ DMARC reject/quarantine
• Bonus points:
  ▫ TLS for email
  ▫ DNSSEC
• Penalty points:
  ▫ Domain locking (registrar lock not set)
Slide 13: Why Care?
(Image)

Slide 14: Email Authentication + DMARC
• SPF: authenticates the message path; the hosts authorized to send for the domain are published in DNS.
• DKIM: authenticates the message content; the public keys used to verify the signatures are published in DNS.
• DMARC:
  ▫ Consistency: a method to leverage the best of SPF and DKIM (an aligned pass on either one is enough)
  ▫ Policy: senders can declare how receivers should process unauthenticated email
  ▫ Visibility: reports on how receivers processed the mail they received
  ▫ Aggregated insights: telemetry on mail streams (RUA aggregate reports) and per-message failure/spoofed-email reports (RUF)
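The DNS-side checks behind the Consumer Protection criteria on slides 12 and 14 (and the basics on backup slide 30), as an added example that is not part of the OTA deck or its audit tooling: it parses SPF, DKIM and DMARC records for a domain and reports the categories the audit scores (SPF at the top-level domain and a mail subdomain, DKIM, DMARC record, DMARC reject/quarantine), plus the "invalid SPF" case mentioned in the audit update. The domains, selectors and TXT records are constructed for the example and looked up from an inline table rather than live DNS; the scoring rules are this example's reading of the slides, not OTA's published methodology.

```python
import re

# Constructed TXT records for hypothetical domains (no live DNS lookups are made).
DNS_TXT = {
    "good-efile.example": ["v=spf1 include:_spf.mailer.example -all"],
    "mail.good-efile.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "sel1._domainkey.good-efile.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"],
    "_dmarc.good-efile.example": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good-efile.example; ruf=mailto:ruf@good-efile.example"
    ],
    # SPF and a DMARC record, but the policy is monitor-only and there is no DKIM key.
    "weak-efile.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak-efile.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-efile.example"],
    # Two SPF records: RFC 7208 section 3.2 makes this a permanent error, i.e. "invalid".
    "invalid-efile.example": ["v=spf1 include:_spf.mailer.example -all", "v=spf1 mx -all"],
    # Nothing at all: the "no email authentication" case from slide 11.
    "none-efile.example": ["some-site-verification=abc123"],
}

# One SPF term: optional qualifier plus a mechanism, or a redirect=/exp= modifier.
SPF_TERM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(?:[:/]\S+)?|mx(?:[:/]\S+)?|ip4:\S+|ip6:\S+|exists:\S+|ptr(?::\S+)?)$"
    r"|^(redirect|exp)=\S+$",
    re.IGNORECASE,
)


def lookup_txt(name):
    """Stand-in for a DNS TXT query, answered from the constructed table above."""
    return DNS_TXT.get(name.lower(), [])


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DKIM key, DMARC policy) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(name):
    """'none' (no SPF record), 'invalid' (several records or a malformed term) or 'valid'."""
    records = [r for r in lookup_txt(name) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "invalid"
    terms = records[0].split()[1:]
    return "valid" if all(SPF_TERM.match(t) for t in terms) else "invalid"


def has_dkim(domain, selectors):
    """True if any selector publishes a DKIM key record (a 'p=' tag) under _domainkey."""
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}"):
            if parse_tags(record).get("p"):
                return True
    return False


def dmarc_policy(domain):
    """The DMARC 'p' tag if a well-formed record exists at _dmarc.<domain>, else None."""
    for record in lookup_txt(f"_dmarc.{domain}"):
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject"):
            return tags["p"]
    return None


def score_domain(domain, mail_subdomain=None, dkim_selectors=("sel1", "default")):
    """Report the audit's Consumer Protection categories for one domain."""
    tld = spf_status(domain)
    sub = spf_status(mail_subdomain) if mail_subdomain else "none"
    dkim = has_dkim(domain, dkim_selectors)
    policy = dmarc_policy(domain)
    result = {
        "spf_any": tld != "none" or sub != "none",
        "spf_tld": tld != "none",
        "spf_valid": tld == "valid",
        "dkim": dkim,
        "spf_and_dkim": tld != "none" and dkim,
        "dmarc_record": policy is not None,
        "dmarc_enforcing": policy in ("quarantine", "reject"),
    }
    result["no_authentication"] = not (result["spf_any"] or dkim)
    return result


if __name__ == "__main__":
    for d in ("good-efile.example", "weak-efile.example", "invalid-efile.example", "none-efile.example"):
        print(d, score_domain(d, f"mail.{d}"))
```

Two caveats a real audit has to handle that the table above sidesteps: DKIM selectors are not enumerable from DNS, so an auditor either reads them out of `DKIM-Signature` headers on mail the domain actually sent or probes a list of common selector names; and "enforcing" here looks only at the `p` tag, whereas a `pct` below 100 or a weaker `sp` subdomain policy leaves part of the domain's mail unenforced.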
Slide 15: Consumer Protection Scores
• At the lower end of authentication adoption, especially SPF at the top-level domain and DKIM: 4 sites had no authentication.
• At the higher end of DMARC adoption.

2015/2016 AUDIT RESULTS BY SECTOR: CONSUMER PROTECTION ADOPTION
Practice          | IR100 | FDIC | FED  | SOCIAL | NEWS | IoT  | 2016 PRES | E-FILE
------------------|-------|------|------|--------|------|------|-----------|-------
SPF (any)         | 94%   | 87%  | 80%  | 92%    | 80%  | 62%  | 100%      | 69%
SPF (TLD)         | 85%   | 73%  | 70%  | 92%    | 62%  | 52%  | 91%       | 62%
DKIM (any)        | 93%   | 68%  | 50%  | 78%    | 64%  | 30%  | 100%      | 62%
DKIM (TLD)        | 31%   | 30%  | 28%  | 56%    | 16%  | 14%  | 78%       | 38%
SPF and DKIM      | 90%   | 63%  | 48%  | 76%    | 56%  | 30%  | 100%      | 62%
DMARC Record      | 20%   | 24%  | 14%  | 48%    | 10%  | 2%   | 4%        | 38%
DMARC (R or Q)*   | 15%   | 21%  | 14%  | 58%    | 20%  | 0%   | 0%        | 20%
TLS               | 42%   | 38%  | 38%  | 36%    | 14%  | 24%  | 57%       | 31%
DNSSEC            | 0%    | 1%   | 90%  | 0%     | 4%   | 4%   | 0%        | 0%
Domain Lock       | 100%  | 97%  | 100% | 94%    | 92%  | 88%  | 96%       | 92%
* DMARC policy of reject or quarantine.

Slide 16: Site Security
Best practices to secure data in transit and data collected by websites, and to prevent malicious exploits running against clients' devices, including desktop, mobile and IoT devices.
• Base points:
  ▫ Server & SSL implementation
  ▫ Failure of any component = failure of Site Security
• Bonus points:
  ▫ EV SSL
  ▫ Always On SSL (AOSSL)
• Penalty points:
  ▫ XSS / iFrame vulnerabilities
  ▫ Malware
  ▫ Malicious links
  ▫ Bot risk
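Slide 16 makes Site Security all-or-nothing and slide 11 names the failure mode: old ciphers or lack of current protocols. The following is an added example, not OTA's audit tooling: it grades an observed protocol and cipher-suite list with the same all-or-nothing rule, and builds a Python `ssl` client context that refuses what such an audit would fail. The observed lists are constructed, and the thresholds (TLS 1.2 as the minimum, the `WEAK_MARKERS` substrings) are this example's choices rather than the audit's published methodology.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that this example fails on sight:
# RC4, single/triple DES, NULL or anonymous key exchange, export grades, MD5.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH", "ANON")
# Protocol versions this example counts as "lack of current protocols".
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed scan results for two hypothetical servers (not measurements of any real site).
OBSERVED_LEGACY = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
}
OBSERVED_CURRENT = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384"],
}


def weak_suites(cipher_names):
    """Cipher suites whose name carries one of WEAK_MARKERS."""
    return [c for c in cipher_names if any(m in c.upper() for m in WEAK_MARKERS)]


def grade_site(observed):
    """Mirror slide 16: any legacy protocol or weak suite fails the whole Site Security category."""
    problems = [p for p in observed["protocols"] if p in LEGACY_PROTOCOLS]
    problems += weak_suites(observed["ciphers"])
    return ("fail" if problems else "pass", problems)


def hardened_client_context():
    """A client context that will not complete a handshake on the settings grade_site fails."""
    ctx = ssl.create_default_context()            # certificate and hostname verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or TLS 1.1 handshakes at all
    # TLS 1.2 suites: forward secrecy (ECDHE) with AEAD only. TLS 1.3 suites are all AEAD and
    # are configured separately by OpenSSL, so they stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites the context would offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, observed in (("legacy", OBSERVED_LEGACY), ("current", OBSERVED_CURRENT)):
        print(label, grade_site(observed))
    print("hardened context offers:", context_cipher_names(hardened_client_context()))
```

Note that `AES128-SHA` passes this grader: it is a CBC suite with RSA key exchange and no forward secrecy, which a stricter methodology would also penalize, but it is not one of the "old ciphers" the slide's wording points at. Keep the marker list and the version floor in one place so the audit rule and the enforcement configuration cannot drift apart.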
Slide 17: Component Failure = Fail
(Image)

Slide 18: Evolving Threats & Site Issues
(Image)
Slide 19: EV SSL Certificates
• Extra validation is required to obtain the certificate.
• Provides users with an indicator of trust (the green browser bar; screenshots of Internet Explorer, Chrome and Firefox shown).
• Mandated by the IRS for free e-file sites.
• Steady year-over-year growth.

Slide 20: Site Security Scores
2015/2016 AUDIT RESULTS BY SECTOR: SITE SECURITY ADOPTION
Practice             | IR100 | FDIC | FED  | SOCIAL | NEWS | IoT  | 2016 PRES | E-FILE
---------------------|-------|------|------|--------|------|------|-----------|-------
EV SSL               | 24%   | 67%  | 11%  | 21%    | 8%   | 4%   | 4%        | 92%
Always On SSL        | 15%   | 78%  | 17%  | 35%    | 14%  | 20%  | 70%       | 54%
Web App Firewall     | 47%   | 32%  | 46%  | 12%    | 28%  | 36%  | 35%       | 8%
• Top adoption of EV SSL (due to the IRS mandate).
• Low adoption of AOSSL compared to leading financial firms, putting data at risk.
• Lowest adoption of web application firewalls.
Slide 21: Privacy
Best practices providing users clear notice of, and control over, the data being collected, tracked and shared with third parties.
• Base points:
  ▫ Privacy policy
  ▫ Third-party trackers on site
  ▫ Do Not Track disclosure
• Bonus points:
  ▫ Use of icons
  ▫ Tag management or privacy solution
  ▫ Honoring DNT
• Penalty points:
  ▫ WHOIS (private vs. public registration)
  ▫ Data breach incidents
  ▫ FTC / state settlements

Slide 22: Privacy Practices & Disclosures
• Data mining and sharing of site visitors' data, including "re-targeting", was observed; this was unexpected and concerning.
Slide 23: Privacy – Bonus Points: Layered Notice & Icons
• Example: Publishers Clearing House, http://privacy.pch.com/
• Reduced word count from over 4,000 words to 475.
• Adds clarity, readability & transparency.
• Bonus points added for icons.

Slide 24: Privacy Concerns
• Lags many sectors in transparency & discoverability.
• Sites fail to follow the IRS's lead in offering policies in Spanish.
• While they maintain the privacy of the tax return itself, since the IRS directs consumers to these sites it is surprising that many collect site traffic data and share it with affiliate marketing, ad networks, re-targeting and other entities.
• 12 of 13 do not provide any disclosure on honoring Do-Not-Track, a violation of California law (CalOPPA requires a site to disclose how it responds to DNT signals), which would lead to increased failures under the methodology planned for the June audit.
Slide 25: Audit of IRS Mandates
ADOPTION OF IRS MANDATES
Mandate                          | Adoption
---------------------------------|---------
EV SSL                           | 92%
Challenge/Response for Filing*   | 38%
Privacy Seal                     | 92%
Public Domain Registration       | 100%
* Tested for account setup/login, not all the way to filing.
• Strong adherence to the mandates (with exceptions) for EV SSL, privacy seal and public domain registration.
• Questionable adherence to the use of challenge/response, meant to prevent automated bot signup/submission.
• Password rules are followed, but OTA (and the White House) recommends multi-factor authentication.

Slide 26: Audit Update
• Outreach has been positive; several sites have addressed some deficiencies, though oversight remains a concern.
• Email authentication:
  ▫ The 4 sites with no authentication have added SPF records (though 1 is invalid).
  ▫ The 3 sites with valid SPF have also added DMARC records.
  ▫ The other failing site has made no changes.
• Site security:
  ▫ Of the 3 failing sites, one has improved to "A-", one has no change, and one has made improvements but still fails.
• EV SSL certificates: now at 100%.
• New vulnerabilities since the audit.
Slide 27
(Image)

Slide 28: Resources
• Free e-file Tax Site Audit: https://otalliance.org/TaxFraud
• 2016 Presidential Candidate Audit: https://otalliance.org/2016Candidates
• IoT Working Group: https://otalliance.org/IoT
• Email Integrity & Security: https://otalliance.org/eauth
• Public Policy: https://otalliance.org/initiatives/public-policy
• Online Trust Honor Roll: https://otalliance.org/HonorRoll
• Email Integrity Audit: https://otalliance.org/emailaudit
• admin@otalliance.org, +1 425-455-7400
Slide 29: Back Up Slides

Slide 30: Email Authentication Basics
• SPF: path-based. The sender publishes a list of authorized sending servers; the receiver checks whether the connecting server is authorized to send for the domain.
• DKIM: signature-based. The sender inserts a signature into the email; the receiver checks the signature regardless of which server delivered it.
• DKIM + SPF = a resilient email authentication infrastructure: each covers a case the other misses (SPF breaks when mail is forwarded, DKIM breaks when an intermediary modifies the signed content).
Slide 31: Transport Layer Security
A rapidly adopted standard for secure email.
• TLS encrypts the connection between mail servers, using Public Key Infrastructure (PKI) certificates to identify the server. The encryption makes it difficult for an attacker on the network path to intercept and read messages.
• TLS supports the use of digital certificates to authenticate the receiving server; authentication of the sending server is optional. This verifies that receivers (or senders) are who they say they are, which helps to prevent spoofing.
• Caveat: server-to-server TLS is usually opportunistic (STARTTLS). If the receiving server does not offer it, or its certificate does not validate, most senders fall back to cleartext rather than refusing delivery, so TLS alone does not guarantee that a message was protected in transit.
• https://otalliance.org/best-practices/transport-layered-security-tls-email
• https://www.google.com/transparencyreport/saferemail/

Slide 32: Always On SSL (AOSSL) – Bonus Points
• Helps secure sensitive data, especially for users of public Wi-Fi hot spots. Counters sidejacking, in which an attacker intercepts cookies (typically used to retain user-specific information such as username, password and session data) when they are transmitted without the protection of SSL/TLS encryption.
• https://otalliance.org/resources/always-ssl-aossl
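The sidejacking exposure that AOSSL (slide 32) closes is visible in a site's response headers: a session cookie without the `Secure` attribute is sent in cleartext on any http:// request to the site, and without an HSTS policy a browser will still follow plain-http links to it. This is an added example, not an OTA tool: it audits a captured response for those conditions (and for `HttpOnly`, which limits what injected script can read). The two responses below are constructed for the example; header names and attribute semantics follow RFC 6265 (cookies) and RFC 6797 (HSTS).

```python
import re

# Constructed responses for a hypothetical e-file site, before and after moving to Always On SSL.
# Each is (scheme the page was fetched over, list of (header, value) pairs as received).
BEFORE_AOSSL = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=7f3a9c1e; Path=/"),
])
AFTER_AOSSL = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=7f3a9c1e; Path=/; Secure; HttpOnly; SameSite=Lax"),
])


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True  # flag attributes such as Secure and HttpOnly
    return name, attrs


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if the header is absent or malformed."""
    for header, value in headers:
        if header.lower() == "strict-transport-security":
            m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
            return int(m.group(1)) if m else None
    return None


def audit_response(scheme, headers):
    """Findings relevant to sidejacking for one response; an empty list means nothing to report."""
    findings = []
    if scheme != "https":
        findings.append("page itself served over http: not Always On SSL")
    max_age = hsts_max_age(headers)
    if max_age is None:
        findings.append("no usable Strict-Transport-Security header: browser may still follow http:// links")
    elif max_age == 0:
        findings.append("HSTS max-age=0 clears the policy instead of setting one")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: sent in the clear on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, (scheme, headers) in (("before", BEFORE_AOSSL), ("after", AFTER_AOSSL)):
        print(label, audit_response(scheme, headers) or ["clean"])
```

The order of checks matters for remediation: redirecting http:// to https:// without also setting `Secure` on the session cookie still leaks the cookie on the first plain request, and setting `Secure` without HSTS still lets a network attacker hold the browser on http:// for the rest of the site.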
Slide 33: Privacy Scores
(Chart)

Slide 34: Outside the Scope
• If 70% of taxpayers qualify for free filing, why do only 3% take advantage of it?
  ▫ Discoverability?
  ▫ Usability?
  ▫ "Free" may end up being "fee"
• Deeper dive into advertising linkages and sharing.
• Expanded audit of authorized e-File providers.
Slide 35: OTA Global Collaboration
(Image)