2016 IRS Free e-File Audit & Honor Roll


Transcript of 2016 IRS Free e-File Audit & Honor Roll

Page 1: 2016 IRS Free e-File Audit & Honor Roll

3/8/2016

© 2016 Online Trust Alliance. All Rights Reserved. Updates Visit https://otalliance.org/TaxFraud 1

© 2016 All rights reserved. Online Trust Alliance (OTA) Slide 1

2016 IRS Free e-File Audit & Honor Roll Briefing

March 8, 2016

Slide 2

Program Panelists

Geoff Noakes, Senior Director, Symantec

Flavio Martins, VP of Operations, DigiCert

Mike Jones, Dir, Prod Management, Agari

Craig Spiezle, Exec Dir & President, Online Trust Alliance

Jeff Wilbur, Chairman, Online Trust Alliance

Page 2: 2016 IRS Free e-File Audit & Honor Roll


Slide 3

Who is OTA?

Mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet.

• Goal to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity.

• Collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship.

• U.S. based 501(c)(3) tax-exempt charitable organization.

• Global focus & charter.

• Supported by dues, donations and grants.

Slide 4

Why We Care

• Tax time is “Christmas” for cybercriminals

• Increased precision targeting of taxpayers

▫ Spoofed & malicious email

▫ Deceptive search ads

▫ Look-alike domains

▫ Malicious advertising on legitimate web sites

• Account takeovers and ransomware targeting tax providers and businesses.

• Ongoing attacks targeting IRS & State Agencies

• Decreasing consumer trust

Page 3: 2016 IRS Free e-File Audit & Honor Roll


Slide 5

Audit & Honor Roll Objectives

• Promote best practices and provide resources to assist the public and private sectors to help enhance their security, data protection and privacy practices.

• Recognize leadership and commitment to best practices which promote online trust and confidence.

• Offer assistance to the IRS and e-file sites to help improve their consumer protection, security and privacy practices.

• Assist consumers in making informed decisions about the security and privacy practices of sites they frequent.

• Shift the discussion from compliance to stewardship.

Slide 6

Disclaimers

• OTA does not endorse or recommend any e-file service.

• Analysis and methodology is based on global industry standards for data security and responsible privacy practices in addition to the IRS’s e-file security mandate.

• Users should review any service provider, banking and commerce site and consider the practices and policies based on their “risk appetite.”

• Data may have changed since the audit.

• To date, the Free File Alliance, a trade organization created to advance the business interests of e-file firms, has yet to respond to OTA’s offer to review and assist their members.

Page 4: 2016 IRS Free e-File Audit & Honor Roll


Slide 7

Audit & Honor Roll Overview

[Figure: the three scoring categories, Consumer Protection, Security and Privacy]

• Analysis of ~1,000 web sites

▫ FDIC Banking 100

▫ Internet Retailer Top 500

▫ Top 50 Social

▫ Top 50 News/Media

▫ Top 50 Federal Gov’t

▫ OTA Members

▫ Top IoT 50 (Smart Home, Wearables)

▫ 2016 Presidential Candidates (23)

▫ Free e-file Tax Sites (13)

• Scoring

▫ Up to 100 points in each category

▫ Bonus points for emerging practices

▫ Penalty points: vulnerabilities, privacy policies, data breach, fines/settlement

▫ Honor Roll = 80% of total points, 55% or better in each category

Slide 8

e-file Sites – How They Compare

Page 5: 2016 IRS Free e-File Audit & Honor Roll


Slide 9

Honor Roll vs. Failing Grades

E-FILE TAX FILING SERVICES ONLINE AUDIT RESULTS

Honor Roll Failed eSmart Tax 1040.com

ezTaxReturn.com 1040Now FreeTaxUSA FileYourTaxes.com H&R Block Free Tax Return.com

TaxAct Jackson Hewitt TaxSlayer OLT On-Line Taxes TurboTax

Slide 10

Comparison of Failure Rates

Page 6: 2016 IRS Free e-File Audit & Honor Roll


Slide 11

Reasons for Failing

• 4 sites had no email authentication at all

• 3 sites failed Site Security – old ciphers or lack of current protocols

Slide 12

Consumer Protection

• Can the app or website be spoofed, fooling a person to open/download an update, open an attachment or simply open an email with a drive-by exploit?

• Does the site or app exercise best practice to help prevent brand-jacking and domain abuse?

• Base points

▫ Email authentication: SPF and DKIM at top-level and subdomains

▫ DMARC record and policy

▫ DMARC reject/quarantine

• Bonus points

▫ TLS for email

▫ DNSSEC

• Penalty points

▫ Domain locking (not locked)

Page 7: 2016 IRS Free e-File Audit & Honor Roll


Slide 13

Why Care?

Slide 14

Email Authentication + DMARC

SPF

• Authenticates Message Path

• Authorized senders in DNS

DKIM

• Authenticates Message Content

• Public encryption keys in DNS

DMARC

• Consistency: A method to leverage the best of SPF and DKIM

• Policy: Senders can declare how to process unauthenticated email

• Visibility: Reports on how receivers process received email

▫ Aggregated Insights: Telemetry into mail streams (RUA)

▫ Failure & Spoofed email reports (RUF)
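The following is an added worked example, not code from the OTA deck or its audit tooling: it parses a DMARC record and applies it to one message's SPF and DKIM results the way a receiving server does, which is how the Consistency (alignment), Policy (disposition) and Visibility (RUA/RUF) pieces on this slide, and the "DMARC record and policy" / "reject/quarantine" criteria on Slide 12, fit together. The record and all domain names are constructed, and the organizational-domain rule is simplified to the last two labels (no public-suffix list).

```python
# Added example, not part of the OTA deck: parse a DMARC TXT record and apply
# it to one message's SPF/DKIM outcome the way a receiving server would,
# covering the slide's three pieces: alignment (Consistency), disposition
# (Policy) and the RUA/RUF reporting addresses (Visibility).

def parse_dmarc(txt: str) -> dict:
    """Turn a DMARC record into a tag dict, filling RFC 7489 defaults."""
    tags = {"sp": None, "adkim": "r", "aspf": "r", "pct": "100",
            "rua": "", "ruf": ""}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    if tags["sp"] is None:          # subdomain policy defaults to p
        tags["sp"] = tags["p"]
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') accepts a shared org domain; strict ('s') needs equality."""
    if not auth_domain:             # empty means that check did not pass
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record: str, from_domain: str,
                 spf_pass_domain: str, dkim_pass_domain: str) -> dict:
    """spf_pass_domain / dkim_pass_domain: the domain each check passed for,
    or "" if it failed. Assumes the record was published at the org domain."""
    tags = parse_dmarc(record)
    passed = (aligned(spf_pass_domain, from_domain, tags["aspf"])
              or aligned(dkim_pass_domain, from_domain, tags["adkim"]))
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {"pass": passed,
            "disposition": "none" if passed else policy,
            "rua": tags["rua"], "ruf": tags["ruf"]}

# Constructed record for a fictional sender (example.com is a reserved name).
RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
          "rua=mailto:agg@example.com; ruf=mailto:fail@example.com")
```

A forged message from an unrelated server with no aligned DKIM signature ends with disposition "reject" under this record, while mail for a subdomain falls under the sp=quarantine policy.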

Page 8: 2016 IRS Free e-File Audit & Honor Roll


Slide 15

Consumer Protection Scores

• At lower end of authentication adoption, especially SPF @ TLD and DKIM – 4 sites had no authentication

• At higher end of DMARC adoption

2015/2016 AUDIT RESULTS BY SECTOR: CONSUMER PROTECTION ADOPTION

                   IR100   FDIC   FED   SOCIAL   NEWS   IoT   2016 PRES   E-FILE
SPF (any)            94%    87%   80%      92%    80%   62%        100%      69%
SPF (TLD)            85%    73%   70%      92%    62%   52%         91%      62%
DKIM (any)           93%    68%   50%      78%    64%   30%        100%      62%
DKIM (TLD)           31%    30%   28%      56%    16%   14%         78%      38%
SPF and DKIM         90%    63%   48%      76%    56%   30%        100%      62%
DMARC Record         20%    24%   14%      48%    10%    2%          4%      38%
DMARC (R or Q)*      15%    21%   14%      58%    20%    0%          0%      20%
TLS                  42%    38%   38%      36%    14%   24%         57%      31%
DNSSEC                0%     1%   90%       0%     4%    4%          0%       0%
Domain Lock         100%    97%  100%      94%    92%   88%         96%      92%

Slide 16

Site Security

Best practices to secure data in transit and collected by websites, and prevent malicious exploits running against clients’ devices, including desktop, mobile and IoT devices

• Base points

▫ Server & SSL implementation

▫ Failure of any component = Failure of Site Security

• Bonus points

▫ EV SSL

▫ Always On SSL (AOSSL)

• Penalty points

▫ XSS / iFrame vulnerabilities

▫ Malware

▫ Malicious links

▫ Bot risk

Page 9: 2016 IRS Free e-File Audit & Honor Roll


Slide 17

Component Failure = Fail

Slide 18

Evolving Threats & Site Issues

Page 10: 2016 IRS Free e-File Audit & Honor Roll


Slide 19

EV SSL Certificates

• Extra validation required to obtain certificate

• Provides users with indicator of trust (green browser bar)

• Mandated by IRS for free e-file sites

[Figure: the EV indicator as shown in Internet Explorer, Chrome and Firefox; chart: steady year-over-year growth]

Slide 20

Site Security Scores

2015/2016 AUDIT RESULTS BY SECTOR: SITE SECURITY ADOPTION

                    IR100   FDIC   FED   SOCIAL   NEWS   IoT   2016 PRES   E-FILE
EV SSL                24%    67%   11%      21%     8%    4%          4%      92%
Always On SSL         15%    78%   17%      35%    14%   20%         70%      54%
Web App Firewall      47%    32%   46%      12%    28%   36%         35%       8%

• Top adoption of EV SSL (due to IRS mandate).

• Low level of AOSSL adoption compared to leading financial firms, putting data at risk.

• Lowest adoption of web application firewall.

Page 11: 2016 IRS Free e-File Audit & Honor Roll


Slide 21

Privacy

Best practices providing users clear notice and control of the data being collected, tracked and shared with third parties

• Base points

▫ Privacy policy

▫ Third-party trackers on site

▫ Do Not Track disclosure

• Bonus points

▫ Use of Icons

▫ Tag mgmt or privacy solution

▫ Honoring DNT

• Penalty points

▫ WHOIS (if Private vs Public)

▫ Data Breach Incidents

▫ FTC / State Settlements

Slide 22

Privacy Practices & Disclosures

• Data mining and sharing of site visitors’ data observed, including “re-targeting”, was unexpected and concerning

Page 12: 2016 IRS Free e-File Audit & Honor Roll


Slide 23

Privacy – Bonus Points

Layered Notice & Icons

• Publishers Clearing House http://privacy.pch.com/

• Reduced word count from over 4,000 words to 475!

• Adds clarity, readability & transparency

• Added bonus points for icons

Slide 24

Privacy Concerns

• Lags many sectors in transparency & discoverability.

• Fail to follow IRS’s lead in offering policies in Spanish.

• While they maintain privacy of the tax return, since the IRS directs consumers to these sites, it is surprising that many are collecting site data traffic and sharing it with affiliate marketing, ad networks, re-targeting and other entities.

• 12 of 13 do not provide any disclosure on honoring Do-Not-Track, a violation of California law which would lead to increased failures per the methodology planned for the June audit.

Page 13: 2016 IRS Free e-File Audit & Honor Roll


Slide 25

Audit of IRS Mandates

• Strong following of mandates (with exceptions) for EV SSL, privacy seal and public domain registration.

• Questionable adherence to use of challenge/response, meant to prevent auto bot signup/submission.

• Password rules are followed, but OTA (and the White House) recommends multi-factor authentication.

ADOPTION OF IRS MANDATES

EV SSL                           92%
Challenge/Response for Filing*   38%
Privacy Seal                     92%
Public Domain Registration      100%

* Tested for account setup/login, not all the way to filing

Slide 26

Audit Update

• Outreach has been positive, several sites have addressed some deficiencies, though oversight remains a concern.

• Email authentication

▫ The 4 sites with no authentication have added SPF records (though 1 is invalid)

▫ The 3 valid SPF sites have also added DMARC records

▫ The other failing site has made no changes

• Site security

▫ Of the 3 failing sites, one has improved to “A-”, one has no change, and one has made improvements, but still fails

• EV SSL certificates – Now at 100%

• New vulnerabilities since the audit

Page 14: 2016 IRS Free e-File Audit & Honor Roll


Slide 27

Slide 28

Resources

• Free e-file Tax Site Audit https://otalliance.org/TaxFraud

• 2016 Presidential Candidate Audit https://otalliance.org/2016Candidates

• IoT Working Group https://otalliance.org/IoT

• Email Integrity & Security https://otalliance.org/eauth

• Public Policy - https://otalliance.org/initiatives/public-policy

• Online Trust Honor Roll - https://otalliance.org/HonorRoll

• Email Integrity Audit – https://otalliance.org/emailaudit

[email protected] +1 425-455-7400

Page 15: 2016 IRS Free e-File Audit & Honor Roll


Slide 29

Back Up Slides

Slide 30

Email Authentication Basics

Email Authentication

• SPF: Path-based. Sender publishes list of authorized servers. Email receiver checks if server is authorized to send for domain.

• DKIM: Signature-based. Sender inserts signature into email. Email receiver checks signature regardless of source.

• DKIM+SPF = Resilient email authentication infrastructure
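An added worked example, not from the OTA deck: the path-based SPF check described above (receiver asks whether the connecting server is authorized to send for the domain), evaluated against a constructed in-memory DNS table of fictional domains so it runs offline. It also applies the 10-lookup limit from RFC 7208, which is what turns an include loop or an over-long include chain into a permerror rather than a pass.

```python
# Added example, not part of the OTA deck: the path-based SPF check described
# above, run against a constructed in-memory DNS table instead of live lookups.
import ipaddress

# Constructed TXT records standing in for DNS (all names are fictional).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms; beyond it is permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, ip: str, budget=None) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    budget = [MAX_LOOKUPS] if budget is None else budget  # shared across includes
    record = DNS_TXT.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return "none"                       # no SPF published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                     # modifiers (redirect=, exp=) not modelled
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network, and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"          # too many lookups (e.g. include loop)
            sub = check_spf(arg, ip, budget)
            if sub in ("permerror", "none"):
                return "permerror"          # RFC 7208: include of a missing record
            if sub == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"              # a/mx/ptr/exists not modelled here
    return "neutral"                        # fell off the end with no match
```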

Page 16: 2016 IRS Free e-File Audit & Honor Roll


Slide 31

Transport Layer Security

Rapidly being adopted standard for secure email

• TLS uses Public Key Infrastructure (PKI) to encrypt messages between mail servers. This encryption makes it difficult for hackers to intercept and read messages.

• TLS supports the use of digital certificates to authenticate the receiving servers. Authentication of sending servers is optional. This process verifies receivers (or senders) are who they say they are, which helps to prevent spoofing.

https://otalliance.org/best-practices/transport-layered-security-tls-email

https://www.google.com/transparencyreport/saferemail/

Slide 32

Always On SSL (AOSSL)

AOSSL – Bonus Points

• Helps secure sensitive data, especially for users of public Wi-Fi hot spots. Counters sidejacking, which allows hackers to intercept cookies (typically used to retain user-specific information such as username, password and session data) when they are transmitted without the protection of SSL encryption.

• https://otalliance.org/resources/always-ssl-aossl
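An added worked example, not from the OTA deck: an Always On SSL check over constructed HTTP responses (efile.example is a fictional host) that tests the three things deciding whether a session cookie can be sidejacked as described above: the plain-HTTP redirect to HTTPS, an HSTS header, and the Secure flag on every cookie the site sets.

```python
# Added example, not part of the OTA deck: judge a site's Always On SSL posture
# from constructed HTTP responses: does plain HTTP redirect to HTTPS, is HSTS
# set, and do cookies carry the Secure flag (the sidejacking point above).

def parse_response(raw: str):
    """Split a raw HTTP response into (status code, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def assess_aossl(http_raw: str, https_raw: str) -> dict:
    """http_raw: response to the plain http:// request; https_raw: to https://."""
    h_status, h_hdrs = parse_response(http_raw)
    _, s_hdrs = parse_response(https_raw)
    location = next((v for k, v in h_hdrs if k == "location"), "")
    redirects = h_status in (301, 302, 307, 308) and location.lower().startswith("https://")
    hsts = any(k == "strict-transport-security" for k, _ in s_hdrs)
    insecure = []                      # cookies a browser would also send over http
    for k, v in h_hdrs + s_hdrs:
        if k == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                insecure.append(v.split("=", 1)[0].strip())
    return {"http_redirects_to_https": redirects, "hsts": hsts,
            "cookies_without_secure": insecure,
            "aossl": redirects and hsts and not insecure}

# Constructed sample responses (not captured from any real site).
HTTP_WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n\r\n<html>")
HTTP_GOOD = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://efile.example/\r\n\r\n")
HTTPS_GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
              "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>")
```

The weak pair serves the page and sets the session cookie over plain HTTP, so the cookie is exposed on a public hotspot even though the HTTPS side is configured correctly.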

Page 17: 2016 IRS Free e-File Audit & Honor Roll


Slide 33

Privacy Scores

Slide 34

Outside the Scope

• If 70% of taxpayers qualify for free filing, why do only 3% take advantage of it?

▫ Discoverability?

▫ Usability?

▫ Free may end up being fee

• Deeper dive in advertising linkages, sharing

• Expanded audit of authorized e-File providers.

Page 18: 2016 IRS Free e-File Audit & Honor Roll


Slide 35

OTA Global Collaboration