IRS Free File Audit & Honor Roll Briefing Highlights Security and Privacy

3/8/2016
© 2016 Online Trust Alliance. All Rights Reserved. Updates Visit https://otalliance.org/TaxFraud 1
© 2016 All rights reserved. Online Trust Alliance (OTA) Slide 1
2016 IRS Free e-File
Audit & Honor Roll
Briefing
March 8, 2016
Geoff Noakes Flavio Martins Mike Jones Craig Spiezle Jeff Wilbur
Senior Director VP of Operations Dir, Prod Management Exec Dir & President Chairman
Symantec DigiCert Agari Online Trust Alliance Online Trust Alliance
Program Panelists

3/8/2016
Mission to enhance online trust and empower users, while
promoting innovation and the vitality of the internet.
• Goal to help educate businesses, policy makers and stakeholders
while developing and advancing best practices and tools to
enhance the protection of users' security, privacy and identity.
• Collaborative public-private partnerships, benchmark reporting,
meaningful self-regulation and data stewardship.
• U.S. based 501(c)(3) tax-exempt charitable organization.
• Global focus & charter.
• Supported by dues, donations and grants.
Who is OTA?
Why We Care
• Tax time is “Christmas” for cybercriminals
• Increased precision targeting tax payers
▫ Spoofed & malicious email
▫ Deceptive search ads
▫ Look-a-like domains
▫ Malicious advertising on legitimate web sites
• Account takeovers and ransomware targeting tax providers
and businesses.
• Ongoing attacks targeting IRS & State Agencies
• Decreasing consumer trust

3/8/2016
Audit & Honor Roll Objectives
• Promote best practices and provide resources to assist the
public and private sectors to help enhance their security,
data protection and privacy practices.
• Recognize leadership and commitment to best practices
which promote online trust and confidence.
• Offer assistance to the IRS and e-file sites to help improve
their consumer protection, security and privacy practices.
• Assist consumers in making informed decisions about the
security and privacy practices of sites they frequent.
• Shift the discussion from compliance to stewardship.
• OTA does not endorse or recommend any e-file service.
• Analysis and methodology is based on global industry
standards for data security and responsible privacy practices in
addition to the IRS’s e-file security mandate.
• Users should review any service provider, banking and
commerce site and consider the practices and policies based
on their “risk appetite.”
• Data may have changed since the audit.
• To date, the Free File Alliance, a trade organization created to
advance the business interests of e-file firms, has yet to
respond to OTA’s offer to review and assist their members.
Disclaimers

3/8/2016
Consumer
Protection
PrivacySecurity
Audit & Honor Roll Overview
• Analysis of ~1,000 web sites
▫ FDIC Banking 100
▫ Internet Retailer Top 500
▫ Top 50 Social
▫ Top 50 News/Media
▫ Top 50 Federal Gov’t
▫ OTA Members
▫ Top IoT 50 (Smart Home, Wearables)
▫ 2016 Presidential Candidates (23)
▫ Free e-file Tax Sites (13)
• Scoring
▫ Up to 100 points in each category
▫ Bonus points for emerging practices
▫ Penalty points
 Vulnerabilities, privacy policies, data breach, fines/settlement
▫ Honor Roll = 80% of total points, 55% or better in each category
e-file Sites – How They Compare

3/8/2016
Honor Roll vs. Failing Grades
E-FILE TAX FILING SERVICES
ONLINE AUDIT RESULTS
Honor Roll Failed
eSmart Tax 1040.com
ezTaxReturn.com 1040Now
FreeTaxUSA FileYourTaxes.com
H&R Block Free Tax Return.com
TaxAct Jackson Hewitt
TaxSlayer OLT On-Line Taxes
TurboTax
Comparison of Failure Rates

3/8/2016
• 4 sites had no email authentication at all
• 3 sites failed Site Security – old ciphers or lack of current
protocols
Reasons for Failing
• Base points
▫ Email authentication
 SPF and DKIM at top-level
and subdomains
▫ DMARC record and policy
▫ DMARC reject/quarantine
• Bonus points
▫ TLS for email
▫ DNSSEC
• Penalty points
▫ Domain locking (not locked )
• Can the app or website be spoofed, fooling a person
to open/download an update, open an attachment or
simply open an email with a drive-by exploit?
• Does the site or app exercise best practice to help
prevent brand-jacking and domain abuse?
Consumer Protection
Consumer
Protection
PrivacySecurity

3/8/2016
Why Care?
Email Authentication + DMARC
• Authenticates Message Path
• Authorized senders in DNS
SPF DKIM
• Authenticates Message Content
• Public encryption keys in DNS
DMARC
Consistency
A method to
leverage the
best of SPF
and DKIM
Policy
Senders can
declare how to
process
unauthenticated
email
Visibility
Reports on
how receivers
process
received email
Aggregated
Insights
Telemetry into
mail streams
(RUA)
Failure &
Spoofed
email reports
(RUF)

3/8/2016
• At lower end of authentication adoption, especially
SPF @ TLD and DKIM – 4 sites had no authentication
• At higher end of DMARC adoption
Consumer Protection Scores
2015/2016 AUDIT RESULTS BY SECTOR
CONSUMER PROTECTION ADOPTION
IR100 FDIC FED SOCIAL NEWS IoT
2016
PRES
E-FILE
SPF (any) 94% 87% 80% 92% 80% 62% 100% 69%
SPF (TLD) 85% 73% 70% 92% 62% 52% 91% 62%
DKIM (any) 93% 68% 50% 78% 64% 30% 100% 62%
DKIM (TLD) 31% 30% 28% 56% 16% 14% 78% 38%
SPF and DKIM 90% 63% 48% 76% 56% 30% 100% 62%
DMARC Record 20% 24% 14% 48% 10% 2% 4% 38%
DMARC (R or Q)* 15% 21% 14% 58% 20% 0% 0% 20%
TLS 42% 38% 38% 36% 14% 24% 57% 31%
DNSSEC 0% 1% 90% 0% 4% 4% 0% 0%
Domain Lock 100% 97% 100% 94% 92% 88% 96% 92%
Site Security
• Base points
▫ Server & SSL implementation
▫ Failure of any component =
Failure of Site Security
Consumer
Protection
PrivacySecurity
• Bonus points
▫ EV SSL
▫ Always On SSL (AOSSL)
• Penalty points
▫ XSS / iFrame vulnerabilities
▫ Malware
▫ Malicious links
▫ Bot risk
Best practices to secure data in
transit and collected by websites, and
prevent malicious exploits running
against clients’ devices, including
desktop, mobile and IoT devices

3/8/2016
Component Failure = Fail
Evolving Threats & Site Issues

3/8/2016
EV SSL Certificates
• Extra validation required to obtain certificate
• Provides users with indicator of trust (green browser bar)
• Mandated by IRS for free e-file sites
Internet Explorer
Chrome
Firefox
Steady year-over-year growth
2015/2016 AUDIT RESULTS BY SECTOR
SITE SECURITY ADOPTION
IR100 FDIC FED SOCIAL NEWS IoT
2016
PRES
E-FILE
EV SSL 24% 67% 11% 21% 8% 4% 4% 92%
Always On SSL 15% 78% 17% 35% 14% 20% 70% 54%
Web App Firewall 47% 32% 46% 12% 28% 36% 35% 8%
Site Security Scores
• Top adoption of EV SSL (due to IRS mandate).
• Low level of AOSSL adoption compared to leading financial
firms, putting data at risk.
• Lowest adoption of web application firewall.

3/8/2016
• Base points
▫ Privacy policy
▫ Third-party trackers on site
▫ Do Not Track disclosure
• Bonus points
▫ Use of Icons
▫ Tag mgmt or privacy solution
▫ Honoring DNT
• Penalty points
▫ WHOIS (if Private vs Public)
▫ Data Breach Incidents
▫ FTC / State Settlements
Best practices providing users
clear notice and control of the
data being collected, tracked and
shared with third parties
Privacy
Consumer
Protection
PrivacySecurity
Privacy Practices & Disclosures
• Data mining and sharing of site visitors’ data observed including
“re-targeting” was unexpected and concerning

3/8/2016
Privacy – Bonus Points
Layered Notice & Icons
• Publishers Clearing House
http://privacy.pch.com/
• Reduced word count from
over 4,000 words to 475!
• Adds clarity, readability &
transparency
• Added bonus points for icons
• Lags many sectors in transparency & discoverability.
• Fail to follow IRS’s lead in offering policies in Spanish.
• While they maintain privacy of the tax return, since the IRS
directs consumers to these sites, it is surprising that many
are collecting site data traffic and sharing it with affiliate
marketing, ad networks, re-targeting and other entities.
• 12 of 13 do not provide any disclosure on honoring
Do-Not-Track, a violation of California law which would lead
to increased failures per the methodology planned for the
June audit.
Privacy Concerns

3/8/2016
• Strong following of mandates (with exceptions) for EV SSL,
privacy seal and public domain registration.
• Questionable adherence to use of challenge/response, meant
to prevent auto bot signup/submission.
• Password rules are followed, but OTA (and the White House)
recommends multi-factor authentication.
Audit of IRS Mandates
ADOPTION OF IRS MANDATES
EV SSL 92%
Challenge/Response for Filing* 38%
Privacy Seal 92%
Public Domain Registration 100%
* Tested for account setup/login, not all the way to filing
Audit Update
• Outreach has been positive, several sites have addressed
some deficiencies, though oversight remains a concern.
• Email authentication
▫ The 4 sites with no authentication have added SPF records
(though 1 is invalid)
▫ The 3 valid SPF sites have also added DMARC records
▫ The other failing site has made no changes
• Site security
▫ Of the 3 failing sites, one has improved to “A-”, one has no
change, and one has made improvements, but still fails
• EV SSL certificates – Now at 100%
• New vulnerabilities since the audit

3/8/2016
• Free e-file Tax Site Audit https://otalliance.org/TaxFraud
• 2016 Presidential Candidate Audit
https://otalliance.org/2016Candidates
• IoT Working Group https://otalliance.org/IoT
• Email Integrity & Security https://otalliance.org/eauth
• Public Policy - https://otalliance.org/initiatives/public-policy
• Online Trust Honor Roll - https://otalliance.org/HonorRoll
• Email Integrity Audit – https://otalliance.org/emailaudit
• admin@otalliance.org +1 425-455-7400
Resources

3/8/2016
Back Up Slides
Email Authentication Basics
Email Authentication
• SPF: Path-based. Sender publishes list of authorized servers.
Email receiver checks if server is authorized to send for domain.
• DKIM: Signature-based. Sender inserts signature into email.
Email receiver checks signature regardless of source.
• DKIM+SPF = Resilient email authentication infrastructure

3/8/2016
Transport Layer Security
Rapidly being adopted standard for secure email
• TLS uses Public Key Infrastructure (PKI) to encrypt
messages between mail servers. This encryption makes it
difficult for hackers to intercept and read messages.
• TLS supports the use of digital certificates to authenticate
the receiving servers. Authentication of sending servers is
optional. This process verifies receivers (or senders) are
who they say they are, which helps to prevent spoofing.
https://otalliance.org/best-practices/transport-layered-security-tls-email
https://www.google.com/transparencyreport/saferemail/
Always On SSL (AOSSL)
• Helps secure sensitive data, especially for users of public
Wi-Fi hot spots. Counters sidejacking which allows
hackers to intercept cookies (typically used to retain
user-specific information such as username, password
and session data) when they are transmitted without the
protection of SSL encryption.
• https://otalliance.org/resources/always-ssl-aossl
AOSSL – Bonus Points

3/8/2016
Privacy Scores
Outside the Scope
• If 70% of tax payers qualify for free filing; why do
only 3% take advantage of it?
▫ Discoverability?
▫ Usability?
▫ Free may end up being fee
• Deeper dive in advertising linkages, sharing
• Expanded audit of authorized e-File providers.

3/8/2016
OTA Global Collaboration

IRS Free File Audit & Honor Roll Briefing Highlights Security and Privacy

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Similar to IRS Free File Audit & Honor Roll Briefing Highlights Security and Privacy

Similar to IRS Free File Audit & Honor Roll Briefing Highlights Security and Privacy (20)

More from CASCouncil

More from CASCouncil (20)

Recently uploaded

Recently uploaded (20)

IRS Free File Audit & Honor Roll Briefing Highlights Security and Privacy