HMRC unable to investigate possible security breach

A recent experience with HMRC’s two-step verification process has raised some concerns for me about the way online security is being handled as the Making Tax Digital steamroller gathers momentum.

I have set up two-step verification (2SV) on my Business Tax Account with HMRC. This service is an extra layer of security so that when you log in, the system generates an SMS from 60886 that says “nnnnnn is your HMRC access code” (nnnnnn is 6 digits which change on every text).

After going away on leave last Thursday afternoon I received an HMRC 2SV text. I had filed my tax return last month and not attempted to access my HMRC for some weeks, so I was not expecting an access code.

During Friday I received seven more SMSs. At that point I thought someone was trying to break into my HMRC account, so I decided to contact HMRC.

It took more than 12 minutes to wade through the usual automated enquiry system, but when my call was answered by Margaret I encountered a security problem because I was away from my files and didn’t have my UTR or national insurance number to hand. Margaret was able to trace me from my address and date of birth, but didn’t know what to do about the SMSs and whether they were genuine or not. She was from the Tax Office and not Online Services Helpdesk, so after 26 and a half minutes she gave me the helpdesk phone number.

When I got through to them, and went through the same frustrating security loops, the agent realised there could be an issue, but had no idea what to do. After another 10min conversation, she said she would take my details and someone would call back.

When they did call back (number withheld), the lady from HMRC once again said she would need my UTR or NINO to trace me - but I was still away from the office. Since HMRC had been sending me text messages, surely they could trace me from the mobile number I was using to talk to her. She informed me that the texts were being sent by the website and she was from Online Services. She had no idea who actually ran the website, so I couldn’t speak to them and after 20mins suggested booking a call back.

After another frustrating call, I decided it wasn’t worth pursuing further because HMRC are simply incapable of sorting it out. I had spent many hours while on holiday trying to get HMRC to get to the bottom of this and decided to leave it until I got back to the office.

What struck me about the whole situation was that if I had a security problem with a bank there would be a well-publicised number you could phone where they would take the matter seriously. For example the text systems used by banks usually say, “Phone this number if you were not expecting this text”. HMRC needs a phone number purely for security issues.

I suspect the messages were being generated because a member of staff might have stumbled across the 2SV system for the firm - which is linked to my mobile phone number - and was activating the authorisation texts when they attempted to set up links for clients. But when I got back to the office, no one owned up to this.

Has anyone else had similar experiences or concerns with 2SV?

Replies (4)

By Southwestbeancounter
18th May 2017 14:33

Wow! What a pain - we've so far avoided the two step verification process for our practice and intend to do so for as long as possible especially after the experience you had!
This just goes to prove that HMRC are fine at bringing in ridiculous rules and regulations yet when it comes to the 'crunch' they just can't cope with sorting out any issues! Very worrying and the last thing you want when you are trying to take a break from the office. It would have been good if you knew that it was a member of staff (however innocently done) as at least that would put your mind at rest!

Thanks (0)
Replying to Southwestbeancounter:
By Harrison88
18th May 2017 14:37

The experience OP had was that the security system was working as a way to stop someone accessing their account...

Thanks (0)
Replying to Harrison88:
By kevinringer
18th May 2017 14:44

...agreed, but agent 2SV is only required once every 18 months which raises the question "what's the point of 2SV for agents"?
Someone must have got past the user ID and password to get to the 2SV so it's only a matter of time before that too is cracked. My concern is HMRC has no procedure for investigating these cases and no security hotline. Check out https://www.gov.uk/report-suspicious-emails-websites-phishing - there's no phone number, just an email address and text number. I've sent dubious emails to the email address for investigation in the past but I've never had any feedback from HMRC so have no idea whether any were investigated or whether any were risks to me or my clients.

Thanks (1)
By Tornado
19th May 2017 09:31

Every day a new example arises of why MTD is folly.

When will they learn that robust systems need to be in place and reliable before embarking on something as far reaching as MTD?

Thanks (1)