HMRC under fire over site security

Users claim password appears in URL

HMRC: under fire again

HM Revenue & Customs (HMRC) is facing fresh criticism over its security policies after users complained that its tax self-assessment web site reveals their password in the URL shown in the browser address bar.

Anyone filling in the online tax forms risks letting others access their personal details, because the username field on the log-in page has an auto-complete function.

"Click on a link to open the 'about you' page, for example, and there is my password clearly displayed in the browser address bar for all to see. Print off any page and the password is printed as part of the URL," said Geoff Westcott of West Sussex, who contacted Computing about the problem.

"Bearing in mind that the username on the log-in page is an auto-completed field in many browsers, a phisher now has all the information they need to log in and access any and all of my personal information."

Richard Clayton, a security expert at Cambridge University, and adviser to the House of Lords committee on personal internet security, said that such a fault was "foolish" and "not regular practice".

"Seeing someone's tax return is not the same as accessing their identity, however. Though it could be a step towards doing that," he said.

Westcott said that he reported the fault to HMRC twice and received no response. "I think this indicates the level of concern HMRC truly places on securing personal data," he said.

HMRC said that the URL does not contain the customer's password but shows a unique taxpayer record (UTR) number.

"To log in to our secure services a user ID and password is required; the UTR is not based on either of these," said HMRC in a statement.