29 Jan 2009
HM Revenue & Customs (HMRC) is facing fresh criticism over its security policies after users complained that its tax self-assessment web site reveals their password in the URL address bar.
Anyone filling in the online tax forms would be at risk of allowing others to access their personal details because the username field has an auto-complete function.
"Click on a link to open the 'about you' page, for example, and there is my password clearly displayed in the browser address bar for all to see. Print off any page and the password is printed as part of the URL," said Geoff Westcott of West Sussex, who contacted Computing about the problem.
"Bearing in mind that the username on the log-in page is an auto-completed field in many browsers, a phisher now has all the information they need to log in and access any and all of my personal information."
Richard Clayton, a security expert at Cambridge University, and adviser to the House of Lords committee on personal internet security, said that such a fault was "foolish" and "not regular practice".
"Seeing someone's tax return is not the same as accessing their identity, however. Though it could be a step towards doing that," he said.
Westcott said that he reported the fault to HMRC twice and received no response. "I think this indicates the level of concern HMRC truly places on securing personal data," he said.
HMRC said that the URL does not contain the customer's password but shows a unique taxpayer record (UTR) number.
"To log in to our secure services a user ID and password is required; the UTR is not based on either of these," said HMRC in a statement.
I have been trying for weeks to submit our P11, etc online. I could log on to HMRC sites with my ID and password, but the CD ROM 2009 online submission returned 'wrong password or ID'.
It turned out that if you entered your password last year, like ours using 15 digits, the online submission option only accepts the first 12 characters. This means that you have to log on using a different password from the one that you originally designated.
What rubbish!
Posted by: Mark Westaway 03 May 2009
This article is pointless. HMRC are correct: the *password* does not appear in the URL at all.
Perhaps Computing's editors should check first before publishing incorrect information based on a misguided reader's submission?
**************
Editor's note: We checked with the readers who contacted us about this problem and they confirmed the situation as they saw it.
Posted by: Darren Lund 29 Jan 2009