WRITTEN ON May 31st, 2007 BY Richard S AND STORED IN Uncategorized

This morning, HMRC finally phoned about the faults in their online service:

As I suspected, their 2007 service is very sensitive to the file names of the PDF accounts that we *must* upload with our tax return: Apparently, only letters and numbers are acceptable: Otherwise you get the HMRC’s false error message which claims that your files contain a virus. (Pity that there is nothing in their instructions: Pity that their online “help desk” staff don’t know about this!)

So, whereas many of us would normally file our “Profit and Loss account” as something like “p&l2006-07.pdf” this is too much for HMRC: No spaces, dashes, underscores or “&” are allowed.

History repeats itself: The Inland Revenue’s very first attempt at providing an online service for the Self-Assessment of Personal Tax had a similar problem:

The IR used to distribute the software on floppy disk; you completed the SA tax form off-line; then tried to upload the result to their touchy servers:

Instructions were very sketchy; uploads were often rejected, with very misleading error messages: Eventually, we discovered that particular characters typed into the “comments” field on the form, e.g. to clarify something for the tax inspector, caused the IR’s touchy servers to reject the whole form.

Wibbies:

1. The Chancellor could stop fiddling with taxation.
2. HMRC and their contractor could provide a better service.

12 Responses to “HMRC Corporation Tax Online: A Reason?”

 
Greenborder wrote on May 31st, 2007 5:51 pm :

I think hackers made HMRC apologize

ShaneMcC wrote on June 1st, 2007 5:26 pm :

I was all ready to defend HMRC’s online services because this year I thought I’d noticed a big improvement but…

1. if you mis-type your password three times it locks your account. Which is all well and good except that it doesn’t tell you that. It allows you to continue trying and acts as though you still haven’t got it right even if you have.

2. you can log in to one service and click on another (VAT in this case) and it will show an error-strewn page (a dead end page that gives the impression of server errors). Apparently you have to log out and then in again through a different page (using the same ID and Password) and it works.

3. Worst of all, when you ask the online helpdesk for help they act as though the problems are not problems and are perfectly normal. When you ask them to highlight them they then tell you they will without asking for URLs or further information giving me the impression that it will go no further.

I know it is complex and difficult to get right first time but WIBBI if they could fix a few small things (like no. 1) and provide some impression they are taking notice and fixing it.

Richard S wrote on June 1st, 2007 7:41 pm :

I’m glad to hear from someone else who actually uses these services. Some time ago, I sat next to a retired “senior civil servant” who had a sinecure “consultancy” as a “gateway reviewer” of government IT projects.

Amazingly, he’d never actually tried any of the government’s online services.

Presumably – as in his working life – he relied entirely on briefings from minions. (Now, why do so many projects fail?)
-----

Yes, I’ve been caught by that HMRC login problem: Some time ago, the then “IR” changed its systems and issued new IDs & passwords; Later, I couldn’t remember which were the old details and which were current; I tried one set – it didn’t work: I tried the other – it didn’t work either!

Unless *they* have changed it, the more times you try, the longer it locks your accounts. Eventually, left to itself, it unlocks your account. No error messages indicate what’s happening.

Naturally, none of this is made clear to us frantic users!

I prefer these HMRC services to their paper equivalents, but they can be VERY frustrating. Also WIBBI they were designed for and tested by non-specialists.

Iain wrote on June 8th, 2007 6:10 pm :

In defence of HMRC, the password issue isn’t of their doing, it’s a ‘feature’ of Government Gateway. This for security locks an account (for 3 hours if you want to know) after three failed login attempts. More failures do not increase the length of the lock-out but will restart the clock…so don’t go and get it wrong a fourth time 2hr 50mins after locking-out!

Why don’t HMRC tell you what’s going on? Because Gateway don’t tell them. The HMRC systems have to ask GW whether your login details are correct and they only get back, Yes or No, nothing else. Which is why you’re left there floundering.

As to the multiple logins, that is an issue that is being resolved but the joining of two departments with two infrastructures connected to two different sets of backend systems in different parts of the country isn’t quite as simple as it might seem. But dead-end pages of lots of apparent server errors are sadly just poor execution…at least you ought to get a neat redirection to a second login page.
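
The lockout rule described in the comment above (three failures, a three-hour lock, further failures restarting the clock) can be modelled as follows. This is an added example, not part of the comment and not Government Gateway code; the class, method and status names are hypothetical, and it assumes that only a wrong password during the lock restarts the clock.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3               # three failed attempts lock the account
LOCKOUT_SECONDS = 3 * 60 * 60  # three-hour lock, as stated in the comment

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0

class Gateway:
    """Hypothetical model of the lockout rule; not Government Gateway code."""
    def __init__(self):
        self.accounts = {}

    def add(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(password, salt))

    def check(self, user, password, now):
        """Return 'OK', 'BAD_CREDENTIALS' or 'LOCKED' (now is in seconds)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "BAD_CREDENTIALS"
        good = hmac.compare_digest(_digest(password, acct.salt), acct.digest)
        if now < acct.locked_until:
            if not good:  # a further failure restarts the clock, same length
                acct.locked_until = now + LOCKOUT_SECONDS
            return "LOCKED"  # even a correct password is refused while locked
        if acct.locked_until:  # lock has expired: start counting afresh
            acct.failures, acct.locked_until = 0, 0.0
        if good:
            acct.failures = 0
            return "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "BAD_CREDENTIALS"

    def yes_no(self, user, password, now):
        return self.check(user, password, now) == "OK"  # the bare Yes/No reply
```

With only `yes_no` available, the relying service cannot tell a locked account from a wrong password; `check` returns the extra status it would need to show the user a lockout notice.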

Richard S wrote on June 9th, 2007 12:05 pm :

Thanks, very clear.

However, why can’t this information be shown in the “help” files on the HMRC web-pages, or even on the letter when they post a new password?

Also, HMRC is presumably a major “customer” of the Government Gateway; The Gateway is occasionally “improved”; Could HMRC propose improved communication between the Gateway and its “customers'” services?

I seem to remember the “Gateway” winning awards and being offered to other governments: Whatever its good points, improvements are still needed.

Iain wrote on June 9th, 2007 1:53 pm :

Valid points, however…

Telling too much about how a security system works is ‘deemed’ to compromise security as it gives a hacker more information about what’s going on and so how to get around defences. Of course, it also means legitimate users are equally left in the dark, but that’s how the security thinking goes.

The password letter in fact comes from Gateway, not HMRC (or any other Department) so again it’s back to the Gateway security thinking.

And yes, HMRC are *the* major user of Gateway and one of the major funding sources, however, they don’t necessarily get what they want and any change to Gateway costs HMRC money. So do they invest in new or improved services or in fixing Gateway? Added to which precisely because Gateway is cross-Government, any change, especially any change deemed to alter security, has to be agreed by all parties. It’s a nightmare!

I was also thinking after my last post about your filename problems. I suspect (but don’t know for sure) that your problems lie with Gateway again and not HMRC itself (but I could be wrong). Ex-IR documents are sent to HMRC via the Gateway ‘Transaction Engine’ and this is an XML messaging service. The ampersand character (&) is a reserved character in XML and the validation will I’m sure exclude spaces and ampersands.

So I quite understand a filename like “p&l2006-07.pdf” and indeed would do something similar myself, but my guess is it’s Gateway (again) that is the block before the file ever gets to HMRC.

So I understand space and & being problems although I don’t understand dash (-) and underscore (_). I’d have thought they would, but clearly not from your experience.

Of course, just because I understand the technical reason for these rejections doesn’t mean I don’t completely sympathise with the experiences of users trying to do something which seems totally reasonable. I guess it’s down to the information provided and the ‘tech packs’. Really the online filing instructions need to be very explicit about filenaming requirements whatever the reason for them to stop people banging their head against an unseen and not understood wall.
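
The point about “&” being reserved in XML, and the request for explicit filename rules, can be checked with a short script. This is an added example, not part of the comment: the `Attachment` element is a constructed stand-in rather than the Transaction Engine’s real message format, and the letters-and-digits rule with a `.pdf` extension is taken from the post as an assumption.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

def envelope_raw(filename):
    """Build the element by string concatenation, with no escaping."""
    return '<Attachment name="' + filename + '"/>'

def envelope_escaped(filename):
    """Same element, with the attribute value escaped for XML."""
    return "<Attachment name=%s/>" % quoteattr(filename)

def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def rejected_characters(filename):
    """Characters outside letters and digits, ignoring a trailing .pdf."""
    stem = filename[:-4] if filename.lower().endswith(".pdf") else filename
    return sorted(set(re.findall(r"[^A-Za-z0-9]", stem)))

def upload_error(filename):
    """Return a specific message for a bad name, or None if acceptable."""
    bad = rejected_characters(filename)
    if not bad:
        return None
    return "File name %r contains characters that are not allowed: %s" % (
        filename, ", ".join(repr(c) for c in bad))

if __name__ == "__main__":
    # Constructed sample names, based on the one quoted in the post.
    for name in ["p&l2006-07.pdf", "p l_2006-07.pdf", "pl200607.pdf"]:
        print(name, is_well_formed(envelope_raw(name)),
              is_well_formed(envelope_escaped(name)), upload_error(name))
```

Only the unescaped “&” stops the message parsing; spaces, dashes and underscores are well-formed XML, so rejecting them would have to come from a separate validation rule, which a message like the one from `upload_error` could name.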

Richard S wrote on June 10th, 2007 1:37 pm :

Thanks, again very clear.

I do hope that this discussion, and my comments in the HMRC’s feedback forms, filter back to appropriate HMRC and Gateway staff.

We all want the Government’s online services to work well; to make our interactions more convenient and efficient.

These services should be designed so that non-technical, non-specialist people can use them once a year, without encountering problems. These days, most users will be accustomed to the flexibility of MS Windows’ file naming rules.

Last year, I’m fairly sure that this HMRC service happily accepted my file called “P&L05Final.pdf” so something must have changed.

(That year, the main problem was that Open Office’s PDF export feature converted all numbers into Arabic – luckily, I checked the PDFs before uploading them! Open Office has never done this again, before or since.)

“Security” always comes at a cost, including reduced reliability & usability. These days, “security through obscurity” is not usually rated highly – especially where such “secrets” are so easily uncovered and publicised.

This forum uses XML. It’s also “booby-trapped” with automatic “smilies”!

There’s talk of combining the Companies House accounts filing process, with the HMRC’s online Corporation Tax return process; sadly by advancing the filing deadlines!

Companies House uses a downloadable PDF form (http://www.idealgovernment.com/index.php/blog/comments/companies_house_filing_accounts_online_2007/) which you complete and then upload – apparently separate from “The Gateway”: Different process, different problems.

Perhaps uncertainty about the future is delaying the fixing of current problems?

Iain wrote on June 10th, 2007 2:36 pm :

Everything you say is fair. A service isn’t a service unless it can be used. I may also be wrong about the ampersand…but generally systems don’t like filenames with spaces as it causes confusion over the delineation of the name and even Windows won’t allow things like backslash in a filename as it confuses that with its own directory marker.

I agree about security via obscurity but this isn’t quite what Gateway is doing…it’s trying to be less obvious to someone trying a brute force attack, but personally I agree with you, the ‘rules’ should be explained to users and services such as HMRC’s should get back a response from Gateway that would allow them to distinguish an account suspension from simply a wrong password. I agree it’s poor and have raised this in the past.

The Companies House upload is probably via web service. HMRC though are wedded to the idea of sending all documents via Transaction Engine. I’ll not go into the reasons, but if it were me, I’d use web services and so have greater control over things like filenaming conventions, problems with ‘high characters’ in uploads (like £) etc., but it’s not me so it is as it is.

Richard S wrote on June 10th, 2007 5:22 pm :

Yes, there are also other pros and cons:

The HMRC file upload service does not require the company’s accounts to be structured in a particular way – provided that they comply with accounting standards; whereas with the Companies House process, you have to re-type all the figures into the Companies House pdf form: This produces a standardized result, but requires (slightly) more work when filing. (Especially if you’re caught by problems with rounding errors in their auto calculations!)

Apparently, there are over 4.3 million companies in the UK which have less than 9 employees. I’d expect (and hope) that the HMRC would design its online services to help automate dealings with this large number of companies; perhaps providing a different service for the larger companies which will always use specialist accountants.

I’ve no idea how many small companies actually deal direct with HMRC rather than through specialists: Perhaps, I’m an exception?

It was always nice to queue in the Post Office at lunch time, to pay large cheques for corporation tax. (The fee helps keep the Post Office open.)

Finally, for a truly bad online experience: Registering my new petrol “loyalty card” (http://www.idealgovernment.com/index.php/blog/loyalty_card_causes_disloyalty/) was the worst, by far. I posted that to show that the “private sector” doesn’t always get it right!

Iain wrote on June 11th, 2007 12:17 am :

I think it depends on what you mean by; “deal direct with HMRC”. Remember there are now many tax regimes that will require you (or your company) to interact with HMRC; VAT, PAYE/NIC and CT at a minimum.

I personally have always done my VAT and PAYE direct (and since launched, electronically) and pay the CT (electronically) although the actual CT Return and calculation of tax due is done by the company accountants off the back of the company accounts.

HMRC have been trying to make life easier for the high volume small businesses you mention. There have been special services for ‘Umbrella’ companies and schemes to help agents (read: accountants) to file electronically for their clients, but then Government acts like the recent MSC legislation come in and wipe out much of this effort in a single act.

I understand the MSC regulations for instance caused an enormous surge in new company registrations putting strain on Companies House and HMRC…and of course ultimately resulting in more small businesses for HMRC to interact with, actually driving up costs. But then this is politics we’re getting into, not systems design 🙂

Richard S wrote on June 11th, 2007 2:18 am :

A lot of these dreary tasks could and should be automated. We shouldn’t need an army of accountants, just to interpret the Treasury’s latest wheeze.

Surely, the old manual PAYE cards and paper PAYE & NI tax tables should be consigned to a museum, along with the tables for SSP, SMP, SPP, SAP, etc, etc.?

When I started in manufacturing industry, we learnt to control “overheads” by increasing the proportion of people who were doing “productive” work: Work which really added value to our products.

I’d like all our political parties to think how they could help reduce the country’s “overheads” and help the country to become more “productive.”

Richard Davis wrote on January 28th, 2008 2:37 am :

Half a year on…

I thought I’d try this online self-assessment lark.

What a usability nightmare – nightmarish PINs, UIDs, passwords. Case-sensitive here, possibly not there. Totally unclear whether I’m using the Gateway or HMRC. By comparison my online banking login is a picnic – and as for all the other online services that I’ve managed perfectly securely for a decade or more…

Looks like I’ve now broken the hidden three-strikes rule above… aargh. Security thru obscurity….?! I only know about it cos I just read it here.

When I heard William Heath and Tom Steinberg at last week’s Gov 2.0 saying how rotten these things are, I really had no idea just how bad they really are!

And they’re ugly too.

Looks like it’s stamp-licking time. (Hey, they’re self-adhesive now – how’s that for usability improvements!?)