2016 IRS Free e-File Audit & Honor Roll
TRANSCRIPT
3/8/2016
© 2016 Online Trust Alliance. All Rights Reserved. Updates Visit https://otalliance.org/TaxFraud 1
© 2016 All rights reserved. Online Trust Alliance (OTA) Slide 1
2016 IRS Free e-File
Audit & Honor Roll
Briefing
March 8, 2016
Slide 2
Program Panelists
• Geoff Noakes – Senior Director, Symantec
• Flavio Martins – VP of Operations, DigiCert
• Mike Jones – Dir, Prod Management, Agari
• Craig Spiezle – Exec Dir & President, Online Trust Alliance
• Jeff Wilbur – Chairman, Online Trust Alliance
Slide 3
Who is OTA?
• Mission to enhance online trust and empower users, while
promoting innovation and the vitality of the internet.
• Goal to help educate businesses, policy makers and stakeholders
while developing and advancing best practices and tools to
enhance the protection of users' security, privacy and identity.
• Collaborative public-private partnerships, benchmark reporting,
meaningful self-regulation and data stewardship.
• U.S. based 501(c)(3) tax-exempt charitable organization.
• Global focus & charter.
• Supported by dues, donations and grants.
Slide 4
Why We Care
• Tax time is “Christmas” for cybercriminals
• Increased precision targeting taxpayers
▫ Spoofed & malicious email
▫ Deceptive search ads
▫ Look-alike domains
▫ Malicious advertising on legitimate web sites
• Account takeovers and ransomware targeting tax providers
and businesses.
• Ongoing attacks targeting IRS & State Agencies
• Decreasing consumer trust
Slide 5
Audit & Honor Roll Objectives
• Promote best practices and provide resources to assist the
public and private sectors to help enhance their security,
data protection and privacy practices.
• Recognize leadership and commitment to best practices
which promote online trust and confidence.
• Offer assistance to the IRS and e-file sites to help improve
their consumer protection, security and privacy practices.
• Assist consumers in making informed decisions about the
security and privacy practices of sites they frequent.
• Shift the discussion from compliance to stewardship.
Slide 6
Disclaimers
• OTA does not endorse or recommend any e-file service.
• Analysis and methodology are based on global industry
standards for data security and responsible privacy practices in
addition to the IRS’s e-file security mandate.
• Users should review any service provider, banking and
commerce site and consider the practices and policies based
on their “risk appetite.”
• Data may have changed since the audit.
• To date, the Free File Alliance, a trade organization created to
advance the business interests of e-file firms, has yet to
respond to OTA’s offer to review and assist their members.
Slide 7
Audit & Honor Roll Overview
• Analysis of ~1,000 web sites
▫ FDIC Banking 100
▫ Internet Retailer Top 500
▫ Top 50 Social
▫ Top 50 News/Media
▫ Top 50 Federal Gov’t
▫ OTA Members
▫ Top IoT 50 (Smart Home, Wearables)
▫ 2016 Presidential Candidates (23)
▫ Free e-file Tax Sites (13)
• Scoring
▫ Up to 100 points in each category
▫ Bonus points for emerging practices
▫ Penalty points: vulnerabilities, privacy policies, data breach,
fines/settlement
▫ Honor Roll = 80% of total points, 55% or better in each category
Slide 8
e-file Sites – How They Compare
Slide 9
Honor Roll vs. Failing Grades
E-FILE TAX FILING SERVICES ONLINE AUDIT RESULTS
• Honor Roll: eSmart Tax, ezTaxReturn.com, FreeTaxUSA, H&R Block,
TaxAct, TaxSlayer, TurboTax
• Failed: 1040.com, 1040Now, FileYourTaxes.com, Free Tax Return.com,
Jackson Hewitt, OLT On-Line Taxes
Slide 10
Comparison of Failure Rates
Slide 11
Reasons for Failing
• 4 sites had no email authentication at all
• 3 sites failed Site Security – old ciphers or lack of current
protocols
Slide 12
Consumer Protection
• Can the app or website be spoofed, fooling a person
to open/download an update, open an attachment or
simply open an email with a drive-by exploit?
• Does the site or app exercise best practice to help
prevent brand-jacking and domain abuse?
• Base points
▫ Email authentication: SPF and DKIM at top-level
and subdomains
▫ DMARC record and policy
▫ DMARC reject/quarantine
• Bonus points
▫ TLS for email
▫ DNSSEC
• Penalty points
▫ Domain locking (not locked)
Slide 13
Why Care?
Slide 14
Email Authentication + DMARC
SPF
• Authenticates Message Path
• Authorized senders in DNS
DKIM
• Authenticates Message Content
• Public encryption keys in DNS
DMARC
• Consistency: a method to leverage the best of SPF and DKIM
• Policy: senders can declare how to process unauthenticated mail
• Visibility: reports on how receivers process received email
▫ Aggregated Insights: telemetry into mail streams (RUA)
▫ Failure & Spoofed email reports (RUF)
Slide 15
Consumer Protection Scores
• At lower end of authentication adoption, especially
SPF @ TLD and DKIM – 4 sites had no authentication
• At higher end of DMARC adoption
2015/2016 AUDIT RESULTS BY SECTOR: CONSUMER PROTECTION ADOPTION
                    IR100   FDIC    FED  SOCIAL   NEWS    IoT  2016 PRES  E-FILE
SPF (any)             94%    87%    80%     92%    80%    62%       100%     69%
SPF (TLD)             85%    73%    70%     92%    62%    52%        91%     62%
DKIM (any)            93%    68%    50%     78%    64%    30%       100%     62%
DKIM (TLD)            31%    30%    28%     56%    16%    14%        78%     38%
SPF and DKIM          90%    63%    48%     76%    56%    30%       100%     62%
DMARC Record          20%    24%    14%     48%    10%     2%         4%     38%
DMARC (R or Q)*       15%    21%    14%     58%    20%     0%         0%     20%
TLS                   42%    38%    38%     36%    14%    24%        57%     31%
DNSSEC                 0%     1%    90%      0%     4%     4%         0%      0%
Domain Lock          100%    97%   100%     94%    92%    88%        96%     92%
Slide 16
Site Security
Best practices to secure data in transit and collected by
websites, and prevent malicious exploits running against
clients’ devices, including desktop, mobile and IoT devices
• Base points
▫ Server & SSL implementation
▫ Failure of any component = Failure of Site Security
• Bonus points
▫ EV SSL
▫ Always On SSL (AOSSL)
• Penalty points
▫ XSS / iFrame vulnerabilities
▫ Malware
▫ Malicious links
▫ Bot risk
Slide 17
Component Failure = Fail
Slide 18
Evolving Threats & Site Issues
Slide 19
EV SSL Certificates
• Extra validation required to obtain certificate
• Provides users with indicator of trust (green browser bar)
• Mandated by IRS for free e-file sites
Browser indicator examples: Internet Explorer, Chrome, Firefox
Steady year-over-year growth
Slide 20
Site Security Scores
2015/2016 AUDIT RESULTS BY SECTOR: SITE SECURITY ADOPTION
                    IR100   FDIC    FED  SOCIAL   NEWS    IoT  2016 PRES  E-FILE
EV SSL                24%    67%    11%     21%     8%     4%         4%     92%
Always On SSL         15%    78%    17%     35%    14%    20%        70%     54%
Web App Firewall      47%    32%    46%     12%    28%    36%        35%      8%
• Top adoption of EV SSL (due to IRS mandate).
• Low level of AOSSL adoption compared to leading financial
firms, putting data at risk.
• Lowest adoption of web application firewall.
Slide 21
Privacy
Best practices providing users clear notice and control of the
data being collected, tracked and shared with third parties
• Base points
▫ Privacy policy
▫ Third-party trackers on site
▫ Do Not Track disclosure
• Bonus points
▫ Use of Icons
▫ Tag mgmt or privacy solution
▫ Honoring DNT
• Penalty points
▫ WHOIS (if Private vs Public)
▫ Data Breach Incidents
▫ FTC / State Settlements
Slide 22
Privacy Practices & Disclosures
• Data mining and sharing of site visitors’ data, including
“re-targeting”, was observed and is unexpected and concerning
Slide 23
Privacy – Bonus Points
Layered Notice & Icons
• Publishers Clearing House
http://privacy.pch.com/
• Reduced word count from
over 4,000 words to 475!
• Adds clarity, readability &
transparency
• Added bonus points for icons
Slide 24
Privacy Concerns
• Lags many sectors in transparency & discoverability.
• Fail to follow IRS’s lead in offering policies in Spanish.
• While they maintain privacy of the tax return, since the IRS
directs consumers to these sites, it is surprising that many
are collecting site data traffic and sharing it with affiliate
marketing, ad networks, re-targeting and other entities.
• 12 of 13 do not provide any disclosure on honoring
Do-Not-Track, a violation of California law which would lead
to increased failures per the methodology planned for the
June audit.
Slide 25
Audit of IRS Mandates
• Strong following of mandates (with exceptions) for EV SSL,
privacy seal and public domain registration.
• Questionable adherence to use of challenge/response, meant
to prevent auto bot signup/submission.
• Password rules are followed, but OTA (and the White House)
recommends multi-factor authentication.
ADOPTION OF IRS MANDATES
▫ EV SSL: 92%
▫ Challenge/Response for Filing*: 38%
▫ Privacy Seal: 92%
▫ Public Domain Registration: 100%
* Tested for account setup/login, not all the way to filing
Slide 26
Audit Update
• Outreach has been positive; several sites have addressed
some deficiencies, though oversight remains a concern.
• Email authentication
▫ The 4 sites with no authentication have added SPF records
(though 1 is invalid)
▫ The 3 valid SPF sites have also added DMARC records
▫ The other failing site has made no changes
• Site security
▫ Of the 3 failing sites, one has improved to “A-”, one has no
change, and one has made improvements, but still fails
• EV SSL certificates – Now at 100%
• New vulnerabilities since the audit
Slide 27
Slide 28
Resources
• Free e-file Tax Site Audit https://otalliance.org/TaxFraud
• 2016 Presidential Candidate Audit https://otalliance.org/2016Candidates
• IoT Working Group https://otalliance.org/IoT
• Email Integrity & Security https://otalliance.org/eauth
• Public Policy https://otalliance.org/initiatives/public-policy
• Online Trust Honor Roll https://otalliance.org/HonorRoll
• Email Integrity Audit https://otalliance.org/emailaudit
• [email protected] +1 425-455-7400
Slide 29
Back Up Slides
Slide 30
Email Authentication Basics
Email Authentication
• SPF: Path-based. Sender publishes list of authorized servers.
Email receiver checks if server is authorized to send for domain.
• DKIM: Signature-based. Sender inserts signature into email.
Email receiver checks signature regardless of source.
• DKIM+SPF = Resilient email authentication infrastructure
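As an added example (not OTA's audit tooling), the checks behind the Consumer Protection "base points" (SPF and DKIM at the top-level domain, a DMARC record, a reject/quarantine policy) applied to the SPF/DKIM/DMARC mechanics described above. The domain names, DKIM selector, key value and DNS records are constructed placeholders embedded so the code runs offline; a real check would resolve them with DNS and read the DKIM-Signature header from received mail.

```python
import re

# Constructed DNS TXT records for a hypothetical domain (placeholders, not
# audit data); embedded here so the check runs without DNS.
SAMPLE_TXT = {
    "efile.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.efile.example": ["v=DMARC1; p=quarantine; rua=mailto:agg@efile.example"],
    "s1._domainkey.efile.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "s1._domainkey.mail.efile.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
# Constructed DKIM-Signature headers: one keyed to the top-level domain, one
# keyed only to a subdomain (counts as DKIM "any" but not DKIM at the TLD).
SIG_TLD = "v=1; a=rsa-sha256; d=efile.example; s=s1; h=from:to:subject; bh=...; b=..."
SIG_SUB = "v=1; a=rsa-sha256; d=mail.efile.example; s=s1; h=from:to:subject; bh=...; b=..."

def spf_record(txt_records):
    """Return the SPF record among a name's TXT records, or None if absent."""
    return next((r for r in txt_records if r.lower().startswith("v=spf1")), None)

def dmarc_tags(txt_records):
    """Parse a DMARC record into a tag dict (p, rua, ruf, ...), or None."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            pairs = (p.split("=", 1) for p in rec.split(";") if "=" in p)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def dkim_sig_tags(header):
    """Extract tag=value pairs from a DKIM-Signature header; d= and s= locate the key."""
    return dict(re.findall(r"\s*(\w+)=([^;]*)", header))

def check_email_auth(domain, dkim_sig, lookup):
    """Apply the audit's base checks to one domain. Returns booleans only;
    the slide does not disclose per-item point weights, so none are invented."""
    spf = spf_record(lookup.get(domain, []))
    sig = dkim_sig_tags(dkim_sig)
    key_name = f"{sig.get('s')}._domainkey.{sig.get('d')}"
    key_present = any(r.startswith("v=DKIM1") for r in lookup.get(key_name, []))
    dmarc = dmarc_tags(lookup.get(f"_dmarc.{domain}", []))
    policy = (dmarc or {}).get("p", "none").lower()
    return {
        "spf_tld": spf is not None,
        "spf_hard_fail": spf is not None and spf.split()[-1] == "-all",
        "dkim_any": key_present,
        "dkim_tld": key_present and sig.get("d") == domain,   # signed by the TLD itself
        "dmarc_record": dmarc is not None,
        "dmarc_enforcing": policy in ("reject", "quarantine"),  # p=none earns no enforcement credit
        "dmarc_rua": "rua" in (dmarc or {}),                    # aggregate (RUA) reporting requested
    }
```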
Slide 31
Transport Layer Security
A rapidly adopted standard for secure email
• TLS uses Public Key Infrastructure (PKI) to encrypt
messages between mail servers. This encryption makes it
difficult for hackers to intercept and read messages.
• TLS supports the use of digital certificates to authenticate
the receiving servers. Authentication of sending servers is
optional. This process verifies receivers (or senders) are
who they say they are, which helps to prevent spoofing.
https://otalliance.org/best-practices/transport-layered-security-tls-email
https://www.google.com/transparencyreport/saferemail/
Slide 32
Always On SSL (AOSSL)
AOSSL – Bonus Points
• Helps secure sensitive data, especially for users of public
Wi-Fi hot spots. Counters sidejacking, which allows
hackers to intercept cookies (typically used to retain
user-specific information such as username, password
and session data) when they are transmitted without the
protection of SSL encryption.
• https://otalliance.org/resources/always-ssl-aossl
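The sidejacking exposure above, turned into observable checks as an added example (not OTA's audit method): plain HTTP must redirect to HTTPS, and every cookie must carry the Secure flag so a browser never sends it in clear. The HSTS check is an assumption beyond the slide (it is the standard way to keep a returning browser on HTTPS), and the responses, host name and cookie values are constructed placeholders.

```python
# Constructed responses for a hypothetical site (placeholders, not audit
# data): what a plain-HTTP request and an HTTPS request each returned. A real
# check would fetch both URLs and read the live status line and headers.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://efile.example/"}}
HTTPS_RESPONSE = {
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "set_cookie": [
        "session=abc123; Path=/; Secure; HttpOnly",
        "prefs=en; Path=/",  # no Secure flag: a browser will also send it over HTTP
    ],
}

def cookie_attrs(set_cookie):
    """Split one Set-Cookie header into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def aossl_check(http_resp, https_resp):
    """Always On SSL as three checks: HTTP redirects to HTTPS, HSTS is set
    (assumed criterion, see lead-in), and no cookie lacks the Secure flag."""
    location = http_resp["headers"].get("Location", "")
    redirects = http_resp["status"] in (301, 302, 307, 308) and location.startswith("https://")
    hsts = "Strict-Transport-Security" in https_resp["headers"]
    # Cookies without Secure are the ones a sidejacker on open Wi-Fi can read.
    insecure = [name for name, attrs in map(cookie_attrs, https_resp.get("set_cookie", []))
                if "secure" not in attrs]
    return {
        "http_redirects_to_https": redirects,
        "hsts": hsts,
        "insecure_cookies": insecure,
        "aossl": redirects and hsts and not insecure,
    }
```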
Slide 33
Privacy Scores
Slide 34
Outside the Scope
• If 70% of taxpayers qualify for free filing, why do
only 3% take advantage of it?
▫ Discoverability?
▫ Usability?
▫ Free may end up being fee
• Deeper dive in advertising linkages, sharing
• Expanded audit of authorized e-File providers.
Slide 35
OTA Global Collaboration