by throwaway6845 3342 days ago
This is pretty horrifying.

But almost as bad: websites that insist on over-elaborate security measures for trivial stuff. Take a bow, HM Revenue & Customs:

> You’ve got a new message from HMRC

> Dear Fred

> You have a new message from HMRC about Self Assessment.

> To view it, sign in to your HMRC online account. For security reasons, we have not included a link with this email.

> Why you got this email

> You chose to get paperless notifications instead of letters by post. This means we send you an email to let you know you have a new message in your account.

> From HMRC Self Assessment

And HMRC have mandatory 2FA. So to read the spam they've sent me - and it is pretty much spam, it says "you need to do your self-assessment before next January", I know that already - I need to go through the rigmarole of entering my Government Gateway number, which I don't remember but starts with a 4 or something and hopefully that will be enough for Chrome to autofill it, then authing with my mobile phone. Which I think I left upstairs or something. Wait while I ring it with the landline to find where it is.

Seriously, I might just go back to getting letters by post.

Edit: No. My Government Gateway number which starts with a 4 is my company one. My Self-Assessment login appears to be a different number.

People elsewhere in the world, whenever anyone tells you that the UK Government Digital Service is a beacon of usability and good practice, please don't believe them.

5 comments

People elsewhere in the world: whatever anybody tells you when they're crapping on the UK Government Digital Service, make sure they're not using HMRC as an example.

Famously HMRC resists everything GDS has ever tried to do, and after GDS built an entire system for secure gov ID login which is deliberately not tied to a single vendor, HMRC refused to use it and instead is building another one, which is locked to a single vendor in perpetuity.

Search "UK GDS HMRC" for a sample of just the most recent bit of tiresome Whitehall infighting.

[Edit: Oh, and -- the identity system that HMRC wants is a replacement for its nearly-20-year-old pre-existing one. This may or may not have anything to do with the fact that it's insecure in a massively corrupt way. http://www.bbc.com/news/technology-38979144 ]

That's so frustrating. The GDS is one of the shining beacons of government tech done right, I was very impressed with their work and team when I lived in London from 2011-2014.

I guess HMRC took one look and said "this is not sufficiently bureaucratic for our needs". In general I liked the HMRC much better than the IRS, but I was sort of shocked to receive a paper cheque for my refund as it was the only time I ever saw a cheque in the UK. They have their ways I guess.

GDS has a great blog[1] which I recommend, and has published a lot of stuff to GitHub too[2]. I never imagined the words 'government' and 'IT' could be used in the same sentence without laughing before learning about this group.

Whenever I read of yet another multi-billion pound failed IT project by SAIC or the like, I always wonder why on earth they didn't just let GDS at it.

[1] https://gdstechnology.blog.gov.uk
[2] https://github.com/alphagov

Ok, I'll take your word for it, but that said HMRC is the only way in which I ever interact with the Government online.

If GDS can't get their claws into HMRC then Government digital (lower case) is pretty broken.

One could argue this is actually a good security practice. It's bad to train users that their bank/whoever will be sending them links via email, because then when the user gets a phishing email, they will have no way to tell the difference.

If users can be trained to see "Login to your bank account to see the message", that's much better for their own security.

> It's bad to train users that their bank/whoever will be sending them links via email, because then when the user gets a phishing email, they will have no way to tell the difference.

I got an email using the PayPal template headed "Dear PayPal Customer" once. The copying was so faithful that it preserved the footer at the bottom noting "Communications from PayPal will always address you by your name, never as 'Dear Customer' or similar".

So there can still be ways to tell the difference. Point of interest: would it be more alarming to the PayPal-using public generally if their fake emails omitted that footer, or if the fake emails preserved the footer while still addressing the victim as "dear customer", as happened with mine? You, the phisher, can't avoid having some difference between your email and legitimate email, but you can choose how much and what kind.
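The two indicators the thread keeps coming back to, a link in the mail versus the "sign in to your account yourself" policy, and a generic "Dear Customer" salutation versus mail that addresses you by name, can be checked mechanically. The following is an added example, not code from the thread, HMRC or PayPal: it parses two constructed messages (the sender addresses, recipient and the look-alike hostname are all made up for illustration) and reports which indicators each one trips.

```python
"""Phishing-indicator checks over raw RFC 5322 messages.

Added example. Both sample messages below are constructed for illustration;
the addresses and hostnames in them are assumptions, not real observations.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Salutations a bank or payment provider tells its customers it never uses.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:customer|user|member|client|account\s+holder|paypal\s+customer)\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From: address. Trivially spoofable, so it is only the
    reference point for the link check, not evidence of legitimacy."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it.
    'paypal.com-secure-login.example' is NOT in 'paypal.com'."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw):
    """Return the set of indicators found in a single-part text/plain message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = set()

    # Only the first non-empty line is the salutation; a footer quoting
    # "'Dear Customer'" as a warning must not trip the check.
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if lines and GENERIC_SALUTATION.match(lines[0]):
        found.add("generic_salutation")

    hosts = [urlparse(u).hostname or "" for u in URL.findall(body)]
    if hosts:
        # The HMRC policy in the thread: legitimate notifications carry no link at all.
        found.add("contains_link")
        if any(not in_domain(h.lower(), sender_domain(msg)) for h in hosts):
            found.add("link_offsite")
    return found


# Constructed sample: the HMRC-style notification quoted in the thread.
HMRC_STYLE = """From: HMRC Self Assessment <noreply@hmrc.gov.uk>
To: fred@example.com
Subject: You've got a new message from HMRC

Dear Fred

You have a new message from HMRC about Self Assessment.
To view it, sign in to your HMRC online account. For security reasons,
we have not included a link with this email.
"""

# Constructed sample: a PayPal-template phish that keeps the real footer
# but still opens with a generic salutation and links to a look-alike host.
PAYPAL_STYLE = """From: PayPal <service@paypal.com>
To: fred@example.com
Subject: Your account has been limited

Dear PayPal Customer

Please confirm your details at http://paypal.com-secure-login.example/verify
within 24 hours.

Communications from PayPal will always address you by your name, never as
'Dear Customer' or similar.
"""

if __name__ == "__main__":
    for name, raw in (("HMRC_STYLE", HMRC_STYLE), ("PAYPAL_STYLE", PAYPAL_STYLE)):
        print(name, sorted(phishing_indicators(raw)) or "no indicators")
```

Note the limits: the salutation check is the weak one, since a phisher who already has your name will address you by it, and the From: header is spoofable, so `link_offsite` only says the link does not match what the mail claims to be, which is exactly the mismatch the "never click links in email" training is meant to make irrelevant.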

Then they go to Google and click the first link... that will be a paid ad to a phishing site.

Most likely not, so it's still way better than clicking links that come in your e-mail.

More likely: they click on the link right after that, which is part of the phishing scam.

I don't mind the login security, but it logs you out after only a couple of minutes of inactivity, clearing the page. Can anyone do anything tax related without spending a few minutes looking at papers or a spreadsheet?
> and hopefully that will be enough for Chrome to autofill it

Double-clicking text fields or pressing the Down arrow key (with the textbox focused) sometimes produces helpful responses.

If you're just dealing with numbers, though, you only have ten possibilities for the first digit, and actually typing a character is likelier to succeed.

I don't get it. It's bad that you have to log in securely to an HMRC portal? I honestly don't see what you're complaining about here.

It's not a message that needs to be delivered securely. It is literally just "you need to fill in your tax return by the same date everyone else in Britain needs to fill in their tax return". That could have been included in the email body with no security implications.

It's basically crying wolf. Next time they have something really important to tell me, I suspect I'll just go "nah, it wasn't important last time, I can't be arsed to spend three minutes logging in" and delete it.

Nowadays every login requires 2FA via SMS, so you've got to have that phone handy to log in. And as a bonus you juggle multiple IDs if you have a business account too, in addition to your personal returns. Pure crap.