Friday, January 9, 2009

IRS works to prevent identity fraud this tax season

The IRS has released six new security and privacy standards aimed at ensuring authorized IRS online e-File providers handle tax filers' data with care. This is definitely a good move, as I'd like to believe that e-File provider web sites make juicy targets for attackers; an attacker would have a smorgasbord of social security numbers, bank account numbers, financial profiles, and all other supporting information necessary to commit identity fraud.

The abbreviated summation of the new standards:

  1. Use extended validation SSL certificates (EV-SSL), with a minimum of 1024-bit RSA and 128-bit AES
  2. Weekly external vulnerability scans, following PCI DSS standards and using a US-based PCI ASV (Approved Scanning Vendor)
  3. Accessible privacy and safeguard policies available on the web site
  4. All submissions must be subject to a "challenge-response test" (i.e., a CAPTCHA)
  5. The system(s) must use a registered domain name with a US-based ICANN-accredited registrar, and ensure the domain name is locked against transfers and the registration information is publicly available
  6. Any discovered security incidents must be reported to the IRS within 24 hours after incident confirmation
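A quick way for a provider (or an auditor) to verify the key-size part of standard 1 is to inspect the certificate with the openssl CLI. The script below is an added example, not part of the original post or any IRS material; it assumes openssl is installed and generates two throwaway self-signed certificates (constructed here, one at 2048 bits and one at 512 bits) so the check runs offline. EV status and the negotiated cipher suite are separate checks and are not covered here.

```shell
#!/bin/sh
# Added example: check a PEM certificate's RSA modulus size against the
# 1024-bit floor in the IRS standard. Requires the openssl CLI (assumed).

# rsa_bits CERT_PEM -> prints the RSA public key size in bits
rsa_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# meets_rsa_minimum CERT_PEM [MIN_BITS] -> exit status 0 if the key is at
# least MIN_BITS (default 1024, the floor stated in standard 1)
meets_rsa_minimum() {
    bits=$(rsa_bits "$1")
    min=${2:-1024}
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# make_test_cert BITS OUT_PEM -> writes a throwaway self-signed certificate
# with an RSA key of BITS; the subject name is a constructed placeholder
make_test_cert() {
    tmpkey=$(mktemp)
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$tmpkey" -out "$2" \
        -subj "/CN=efile.example" -days 1 >/dev/null 2>&1
    rm -f "$tmpkey"
}

# Stand-alone demonstration: one compliant key and one below the floor.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert 2048 "$WORK/good.pem"
make_test_cert 512 "$WORK/weak.pem"

for cert in "$WORK/good.pem" "$WORK/weak.pem"; do
    if meets_rsa_minimum "$cert"; then
        echo "$(basename "$cert"): $(rsa_bits "$cert")-bit RSA, meets 1024-bit minimum"
    else
        echo "$(basename "$cert"): $(rsa_bits "$cert")-bit RSA, BELOW 1024-bit minimum"
    fi
done
```

To check a production certificate, point `meets_rsa_minimum` at the PEM file the web server actually serves; the sed pattern relies on the `Public-Key: (N bit)` line that `openssl x509 -text` prints for RSA keys.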

Overall, these are nothing ground-breaking per se. But it is nice to see the IRS mandate a fair level of security requirements on some of the most sensitive data electronically transferred by consumers. Requiring weekly vulnerability scans bodes well for the US-based PCI ASVs; it reminds me of this Dilbert comic.

As an aside, I also ran across this related press release from Verisign. Basically they talk about how the IRS has mandated the use of EV-SSL certificates. More interesting is that it states "More than 7,000 Web sites already rely on VeriSign EV SSL Certificates." It's unclear whether that's 7,000 *tax-related* web sites (doubtful), or 7,000 web sites total (more likely). I'm assuming the latter, and as such, I'm a bit surprised at how few EV-SSL certificates have been issued over the last two years (EV-SSL was announced in late 2006). It seems a lot of sites are just not buying into EV-SSL...yet?

Until next time,
- Jeff