ISO 27001 - Security at mein ELSTER
The federal and state tax authorities acknowledge their responsibility for information technology (IT) security in the ELSTER procedure. The protection of confidential information and the guarantee of the availability and integrity of all data to be processed within the framework of ELSTER and its processing systems must be ensured.
The ELSTER procedure is subject to various legal requirements in terms of IT security. When transmitting data electronically, a large number of legal regulations and various letters from the Federal Ministry of Finance must be observed, which make the proper handling of electronic data a challenging task. The most important legal regulations include:
- Fiscal Code (AO)
- Tax Data Transmission Ordinance (StDÜV)
- Tax Data Retrieval Ordinance (StDAV)
- Federal Data Protection Act (BDSG)
- Bavarian Data Protection Act (BayDSG)
- Data Protection Act of North Rhine-Westphalia (DSG NRW)
The services of ELSTER are provided in an in-house IT infrastructure certified in accordance with ISO 27001 on the basis of the IT baseline protection compendium of the Federal Office for Information Security. The certification is intended to document that the IT baseline protection according to ISO 27001 has been fully implemented for these services provided by the Bavarian State Tax Office and that dealing with IT security issues is an essential part of the tax administration's objectives.
Security analysis of JavaScript components by Fraunhofer AISEC
Between April and July 2023, Fraunhofer AISEC carried out a security analysis of the online portal Mein ELSTER on behalf of the Bavarian State Tax Office, ICT Department. A test environment was used to carry out the analysis. The test began on 26.04.2023 and ended on 14.07.2023. Version 56.1.0-rc001 of the Mein ELSTER portal and version 56.0.2 of the MeinELSTER+ app were tested.
Various processes of Mein ELSTER and the MeinELSTER+ app were examined for vulnerabilities. The focus was placed on the following processes:
- Registration (without using the nPA) on the portal
- Login: Challenge-response authentication with the ELSTER certificate
- Decryption of mailbox messages and drafts
- XML signature with and without retrieval code
- Changing the certificate PIN
- Certificate renewal
- Document upload process in the web application (OCR, marking of values)
- Client-side implementation of the chat in the web application
- Linking the MeinELSTER+ app with the user account via QR code
- Document upload process in the app (OCR, transport channel)
- Support form in the app (authenticated / non-authenticated)
- Client-side implementation of the chat in the app
From this, the main objectives of the security review followed:
- Examination of the interfaces between the Mein ELSTER portal and the MeinELSTER+ app for security vulnerabilities
- Detection of serious gaps in the use of cryptographic functions by the Mein ELSTER portal or the MeinELSTER+ app
- General review of the overall solution for further potential weaknesses
The criticality of the findings was assessed using a 5-point scale: Information, Low, Medium, High and Critical. The findings were categorized as follows:
- Critical findings are concrete weaknesses that allow the system to be taken over completely, with few or no preconditions.
- Findings in the High category are vulnerabilities that require more preconditions and/or have a lower impact, e.g. the takeover of an account rather than the entire system.
- Medium and Low findings indicate a susceptibility that may increase the attack surface for findings in the higher categories.
- Findings in the Information category are notes on improving the maintainability of the source code.
In total, one finding classified as High, two classified as Medium and four classified as Low were identified during the course of the project. The vulnerability classified as High affected only software dependencies and was eliminated shortly after the end of the project. The remaining findings do not represent critical or high security risks. However, there are opportunities to simplify processes in several places, which can increase the maintainability of the code in the long term and help to minimize security risks.
Basic knowledge
Dangers from the Internet are increasing every day. Developers of Internet software such as Mein ELSTER are in a constant race against hackers, who keep finding new ways to spy on or manipulate electronic information communicated over the Internet. Typical threats from hackers include, for example, hijacking, masquerading and phishing. When using Mein ELSTER, ensuring security is the top priority for the tax authorities.
Your connection to Mein ELSTER is electronically encrypted. This prevents unauthorized third parties from viewing the transmission of information over the Internet between your computer and Mein ELSTER.
Mein ELSTER ultimately offers you the following options for the secure use of its personalized services via this connection:
Registration:
For security reasons, registration for Mein ELSTER takes place in several steps, but only needs to be carried out once. When registering, you must choose one of the login options: certificate file, security stick or signature card. The login options differ in terms of their security level and the functions available; you can find more information on the registration pages. After registration, different personalized services are available to you depending on the type of login and the associated security level. For security reasons, the personalized login is only available to registered users. Non-registered users can only access the public area of ELSTER.
Login:
You must create a user account before using Mein ELSTER. As part of your registration, one of the following authentication methods is defined, depending on the login option selected and the associated security level:
- Certificate file:
The certificate file is an individually protected file that is saved on your computer in a special security environment and contains your personal keys and certificates. You can save this file on your computer (your hard disk) or on an external storage medium (e.g. a USB memory stick).
- Security stick:
The security stick is an individually protected device that is connected to the USB port of your computer; it contains a crypto chip on which your personal cryptographic credentials are stored. The security stick looks similar to a USB memory stick. In terms of hardware and software, the functions of the integrated crypto chip correspond to those of a chip card. The security stick can be purchased separately: to the Shop
- Signature card:
The certificate required for ELSTER is located on the chip of a signature card (crypto chip), a small microprocessor through which the stored data (certificate) is accessed. This detour via the microprocessor makes it possible to protect the data on the card from unauthorized access using cryptographic procedures. This ensures maximum security: phishing and other attacks on the certificate are impossible. A card reader is required, which must be purchased in the same way as the signature card.
The tax authorities require a minimum level of security when using signature cards, which is specified in the ELSTER policy. The currently supported cards can be viewed under "Security".
Delete account:
Here you have the option of permanently deleting your personal access to Mein ELSTER. All data in your user account will be irretrievably deleted. To do this, you need the e-mail address stored for your user account, the user name of your user account and the answer to your personal security question, which you chose yourself during registration. If you no longer know the user name of your user account, you can have information about all user accounts registered under an e-mail address sent to you. To do this, click on "Send user name".
You do not need to log in to delete your user account.
Use this function if you lose your certificate or if you suspect that someone has gained unauthorized access to your certificate file, your security stick or your signature card.
Please note that simply changing the password of the certificate file is not sufficient, especially if unauthorized copying of the certificate file is suspected.
Your browser is the gateway to the Internet. It allows you to explore websites, search for information and download files to your computer. Whether Internet Explorer, Mozilla Firefox or Google Chrome, new security holes are constantly being discovered in all Internet browsers. So check your browser regularly and install the software's security updates. All common browsers also have security mechanisms designed to prevent, for example, computer viruses and Trojans from changing, deleting or reading files on your computer. Further information on dangers and security measures when using your browser can be found, for example, on the website of the Federal Office for Information Security (BSI).
Fraudsters use so-called Phishing e-mails to lure you to fake websites or ask you to provide access information for Internet applications. The fraudsters use the data obtained in this way to try to harm users.
Please note: The tax authorities will never send you e-mails containing payment instructions or instructions for action that demand the surrender of security-relevant data such as tax data, personal password, personal certificate, etc. Never give out your secret access data for Mein ELSTER - neither by telephone nor by e-mail. Therefore, ignore emails from supposed senders from the tax authorities asking you to disclose confidential data.
If you accidentally visit a dubious website and disclose your data, contact the tax authorities immediately and delete your Mein ELSTER user account if necessary.
Registration
Registration for Mein ELSTER begins with the collection of your personal data. This includes, for example, your name, the user name of your user account, your e-mail address and your personal identification number or organization tax number. The tax authorities use this data to verify that your electronic identity matches your person. For security reasons, an exchange of data between you and the tax authorities is necessary as proof of identity, so registration consists of several steps. The tax authorities must know for certain that you are the person you claim to be electronically, in order to prevent electronic misuse of your personal access to Mein ELSTER. Once you have successfully registered, the services of Mein ELSTER are available to you.
Mein ELSTER offers you different ways to log in, i.e. to provide proof of your identity. These methods differ in terms of their security requirements, acquisition costs, procurement effort and, ultimately, their validity.
Depending on the security of the different logins, Mein ELSTER offers you three login options with different services. This is presented clearly on the page "Type of registration and type of login".
To prevent anyone other than yourself from registering with Mein ELSTER, you must choose a password and acquire a means of authentication as part of the registration process. The means of authentication can be one of the following:
- Certificate file
- Security stick
- Signature card
In future, you will be able to use this to prove your electronic identity to Mein ELSTER quickly and easily. Once registration has been completed, access to your personalized services is only possible via the selected means of authentication.
When using a certificate file, the security of your personal access to Mein ELSTER also depends heavily on the security of the computer used. This security is under your personal control and is subject to risks from the Internet (e.g. hijacking, masquerading and phishing). For example, a certificate file on your computer can be copied as often as you like and may fall into the wrong hands through carelessness. Since copying can also take place unnoticed (e.g. by means of computer viruses or Trojans), a certificate file entails risks that you should take into account. We therefore recommend that you take security measures to limit threats from the Internet. Such measures include, for example, installing a virus scanner or a personal firewall, or checking the security of your computer configuration. Information on dangers and security measures can be found at the Federal Office for Information Security or at "Deutschland sicher im Netz e. V.".
In contrast to the certificate file, which is stored on your computer's hard disk, your keys for authentication are stored on the security stick or signature card, outside your computer's security environment. A private key stored in this way cannot be read out. In addition, both the security stick and the signature card are automatically blocked after a few failed access attempts, usually three, and must then be unlocked again. The likelihood of someone gaining access to your certificate by trying out passwords is therefore very low. Sensitive cryptographic operations with your private keys are carried out inside the security stick or signature card and do not depend on the security environment of your computer, which is exposed to dangers from the Internet. This means that the security stick and the signature card also meet higher security requirements. If you are uncertain about the security of the computer you are using, or if you are unable to implement the proposed security measures for the secure use of a certificate file (e.g. in an Internet café), we recommend that you register with a security stick or signature card.
Delete account
Here you have the option of permanently blocking your access (login) to Mein ELSTER. This will irretrievably delete your data in Mein ELSTER. Tax returns that have already been submitted are not affected. You can use this function if you no longer need your access. It is also available to you for security reasons if your means of authentication (certificate file, security stick or signature card) has accidentally fallen into the wrong hands or you have lost it. In that case there is an increased risk that an unauthorized person could gain access to your personalized services, and you should delete your Mein ELSTER user account immediately.
To delete the user account, you need personal data (the e-mail address and user name of the user account) and the answer to the security question that you selected and answered when registering with Mein ELSTER. This means that only you can initiate the deletion or blocking, as only you have all the personal data and can answer the security question.
Please first enter the user name of the user account and your e-mail address and then click on "Next".
If you no longer know the user name of your user account, you can have information about all user accounts registered under one e-mail address sent to you. To do this, click on "Send user name(s)".
Note on deleting the user account for the certificate file and security stick:
If you carry out the deletion process, your ELSTER certificate and your data will be blocked or deleted immediately and access (Login) will be irrevocably prevented. It will then no longer be possible to use your ELSTER certificate for authentication for electronic tax returns (ELSTER), e.g. with ElsterFormular. Your electronic identity will be stored for a period of 10 years in accordance with the assessment period pursuant to Section 169 AO and will only then be permanently deleted.
Note on deleting the user account with signature card:
If you carry out the deletion process, your data will be deleted or blocked immediately and access (Login) for this user account will be irrevocably prevented. Your electronic identity will be stored for a period of 10 years in accordance with the assessment period pursuant to Section 169 AO and will only be permanently deleted after this period. It will then no longer be possible to use your signature card for authentication for electronic tax returns (ELSTER), e.g. with ElsterFormular. Your signature card (certificate) will remain valid. You can register again with your signature card and open a new user account. If you also want to block your signature card for authentication, you must contact the issuer of your signature card.
You have successfully identified yourself to Mein ELSTER. If you confirm the blocking by entering the answer to your security question, your personal access will be blocked immediately. An unauthorized person wanting to block one of your accesses would have to know the e-mail address you used, your user name and the answer to your personal security question, which is unlikely. Furthermore, there is no particular motivation for unauthorized persons to block a personal access option. Unauthorized persons or hackers would rather be motivated to obtain your personal data, which is subject to tax secrecy and which Mein ELSTER reliably protects with security technologies in the areas of authentication and encryption.
Transfer of organization certificates to third parties
Entrepreneurs who entrust their employees with the transmission of tax data have the option of registering for an organization certificate. As an entrepreneur, you should only pass on your organization certificates to trustworthy employees and observe the following for security reasons:
- You have the option of registering with Mein ELSTER yourself. This allows you to determine your personal password, e-mail address and the answer to the security question yourself. You then always have the option of deciding whether you want to delete the organization's user account or log into the user account yourself for verification purposes. Under no circumstances should you pass on the answer to the security question, as this is required to delete the account.
- If you want to give your employee the option of determining the password themselves, then only carry out the first registration step yourself and leave the second registration step to your employee. You then have no knowledge of the password and are not in possession of the certificate, but could still delete the user account at any time (e.g. if the employee leaves the company). Here too, you should never pass on the answer to the security query to third parties.
If you register with a certificate file, it is stored on your hard disk. You should note that it could be copied unnoticed. We therefore recommend that you register with a security stick. It is protected by its own crypto chip with complex hard-wired security functions. Security-relevant data cannot be read or copied directly, as it is only available to the processor and cannot be copied as a file. You can also store the security stick safely when you do not need it, and physically take it back from employees who have left the company. However, if you have registered with your personal signature card, you must never pass it on to third parties.
Data security in Mein ELSTER
Once you have logged in to Mein ELSTER, you have access to the corresponding personalized services. The authentication method used for your login (certificate file, security stick or signature card) and the security technology provided by Mein ELSTER ensure that only you can use these personalized services. You can reliably assume that you are really communicating with Mein ELSTER (SSL certificate) and that no unauthorized person has access to your communication (encryption). Tax confidentiality is guaranteed. Likewise, Mein ELSTER can reliably assume that you are the person who has established the communication connection to Mein ELSTER and that all communicated data was created by you (authentication).
For additional security, you can check the following details on the home page of the private area after login: user name of the user account, time of your last login, and the time at which your certificate becomes invalid.
You will find feedback from the tax authorities in your inbox in Mein ELSTER. These messages result from your requests for services or have been sent to you by the tax authorities for information purposes. To ensure, for reasons of tax confidentiality, that no unauthorized person can gain access to this data, the messages are encrypted with your public key. Your public key is available to the tax authorities in the certificate issued by the Mein ELSTER trust center.
You must authenticate yourself to ELSTER for some functions. For authentication, you will again need your certificate (certificate file, security stick or signature card) and the corresponding password.
For certificate files and security sticks, you must enter your password before clicking on "Submit" if you have deactivated password caching. When using a signature card, the authentication process is triggered via a button in the corresponding input masks and then leads to a password prompt.
On this page you have the option of changing your password if, for example, you suspect that an unauthorized person has spied out your password. If an unauthorized person knows your password, your security is fundamentally based only on your possession of the certificate file, security stick or signature card and no longer on your knowledge of the "password". You are then subject to an increased security risk when communicating with Mein ELSTER unless you change your password. It is not possible to change the PIN of your signature card in Mein ELSTER. It can only be done via the card hardware or card software you are using.
If you wish to leave your private area, we recommend that you click on the "Logout" button. If you simply select another Internet page or close the Internet browser, there is a small residual risk that your connection to Mein ELSTER will remain open on the Internet and could be taken over by hackers (dangers: hijacking and masquerading).
In principle, you should always perform a "Logout" on the Internet if you require a "Login" to an Internet application!
Fraudsters use so-called Phishing e-mails to lure you to fake websites or ask you to provide access information for Internet applications. The fraudsters use the data obtained in this way to try to harm users.
Please note: The tax authorities will never send you e-mails containing payment instructions or instructions for action that demand the surrender of security-relevant data such as tax data, PIN, personal certificate, etc. Never give out your secret access data for Mein ELSTER - neither by telephone nor by e-mail. Therefore, ignore emails from supposed senders from the tax authorities asking you to disclose confidential data.
If you accidentally visit a dubious website and disclose your data, contact the tax authorities immediately and delete your Mein ELSTER user account if necessary.