Sunday, 20 September 2009

HMRC NDO notification form could be used maliciously.

I am somewhat dismayed by the disclosure form for email notification of a desire to take advantage of the New Disclosure Opportunity, found here.


(On looking at HMRC's site, I discover they have taken down the offending page)


What's wrong with it?


It appears to be a perfectly innocuous form.


But it lacks several important security features:
  • It asks neither for the taxpayer's reference number nor for their National Insurance number.
  • It does not ask for a valid email address that could be verified.
  • It does not employ any CAPTCHA technology to verify that it is being completed by a human being and not a bot.
  • The underlying JavaScript code (which I have examined) does not check the details entered against any database; it merely checks that something has been typed into the required fields, not that the data entered is valid.
Why does this matter?


As it stands the form could be used by a grudge bearer or malicious individual to make false notification of a desire to take advantage of the New Disclosure Opportunity. This could well involve their hapless, innocent target in a long and fruitless inquiry by HMRC into a non-existent off-shore account.


HMRC needs to be more professional in the design of their forms and not produce shoddy, ill-considered rubbish such as this.

2 comments:

  1. Well done, John for drawing our attention to yet another deficiency in HMRC's IT systems.

  2. HMRC have now redesigned the form to incorporate all the security points mentioned. Pity it had to be publicised to make them do it.


Disclaimer

The information contained on this site is for general guidance only. You should neither act, nor refrain from action, on the basis of any such information. You should take appropriate professional advice on your particular circumstances because the application of laws and regulations will vary depending on particular circumstances and because tax and benefit laws and regulations undergo frequent change.

Whilst I will do the best I can to ensure that the information on this site is correct at the date of first posting, I shall not be liable for any loss or damages (including, without limitation, damages for loss of income or business or increased liabilities) arising in contract, tort or otherwise from the use of or inability to use this site, or any information contained in it, or from any action or decision taken as a result of using this site or any such information. Third parties are responsible for ensuring that material submitted for inclusion on this site complies with appropriate law. I will not be responsible for any error, omission or inaccuracy in the material submitted by third parties.

I accept no responsibility for the availability or content on any site to which a hypertext link from this site exists. The links are provided on an "as is" basis and I make no warranty, express or implied, for the information provided within them.


You are permitted to access, print and download extracts from this site on the basis that the use of all material on this site is for information and non commercial or personal use only; any copies of these pages saved to disk or to any other storage medium may only be used for subsequent viewing purposes or to print extracts for personal use.


By accessing any part of this site, you shall be deemed to have accepted these terms in full.


These terms shall be governed by and construed in accordance with English Law and the courts of England shall have exclusive jurisdiction.

I will not respond to individual queries posted as comments on this blog. If you need advice on a specific situation, email the full details to me at jpointon@gmail.com.