Security audit identified risky e-filing tax services
The Online Trust Alliance (OTA) evaluated the privacy, security and consumer protection practices of the thirteen IRS-approved free e-filing tax services.
After an assessment based on nearly 50 criteria, standards and internationally accepted privacy practices, six of the 13 websites – or 46 percent – failed because of poor site security and a failure to take steps to help protect consumers from fraudulent and malicious email. Conversely, the sites that performed especially well received Honor Roll status.
“Given that tax data is extremely sensitive with a high risk for victimization, the failure rate of over one-third should concern customers and the IRS,” said Craig Spiezle, Executive Director and President at the Online Trust Alliance. “Consumer use and IRS approval of such services should be carefully reconsidered.”
Evaluating e-filing tax services
OTA evaluated the IRS-approved e-filing sites using both its own industry-developed methodology and the IRS’ mandated security and privacy standards. Seven sites scored highly in all areas of the audit, five failed due to poor consumer protection and three received failing grades for their site security.
Most failing sites did not properly authenticate email addresses, which leaves consumers open to spear phishing and malicious email scams, the exploit of choice for tax fraud. Based on the IRS security mandates for these tax providers announced in 2010 and updated in 2015, one provider was out of compliance for failing to adopt Extended Validation SSL Certificates.
Other providers were out of compliance for failing to provide adequate third-party audits of their privacy policy and web activities, to implement anti-botnet protection against fraudulent account signups, and to regularly scan their sites for SSL vulnerabilities.
The OTA has been in contact with the IRS regarding these findings, offering assistance and briefings. It encourages the IRS to re-evaluate the list of free e-filing tax services and the continued inclusion of firms that do not comply with industry standards and the IRS’ security and privacy mandates.
The following e-file websites have been awarded Honor Roll status:
- eSmart Tax
- ezTaxReturn.com
- TaxAct
- TaxSlayer
- FreeTaxUSA
- TurboTax Free File
- H&R Block Free File
“In an increasingly web-connected economy, organizations need to value strong identity assurance and data encryption as critical steps to ensuring consumer privacy and security,” said Jason Sabin, Chief Security Officer at DigiCert. “The findings of this report can help advance consumer safety by recognizing e-filers following best practices and providing guidance to consumers in choosing companies they can trust.”