Help
ISO-27001 – ELSTER security
The federal and state fiscal authorities are committed to their responsibility for IT security in the ELSTER procedure. The protection of confidential information and the availability and integrity of all data to be processed by ELSTER and its processing systems must be ensured.
The ELSTER procedure is subject to various legal requirements for IT security. The electronic transmission of data must comply with a large number of statutory provisions as well as various letters from the Federal Ministry of Finance which make the proper handling of electronic data a challenging task. The most important legal regulations include:
- Tax Code (AO)
- Tax Data Transfer Ordinance (StDÜV)
- Tax Data Collection Ordinance (StDAV)
- Federal Data Protection Act (BDSG)
- Bavarian Data Protection Act (BayDSG)
- Data Protection Law North Rhine-Westphalia (DSG NRW)
The services of ELSTER are provided in a personalised IT infrastructure certified according to ISO 27001 on the basis of the IT-Grundschutz Catalogs of the Federal Office for Information Security. The certification is intended to document that the IT-Grundschutz in accordance with ISO 27001 has been fully implemented for these services provided by the Bavarian State Office for Taxation and the Data Centre of the Financial Administration of the State of North Rhine-Westphalia and that the discussion of IT security issues is an essential part of the objectives of the fiscal authorities.
Basic knowledge
The dangers of the Internet are increasing daily. Developers of Internet software, such as My BOP, are in a constant race with hackers who keep finding new ways to steal or manipulate electronic information communicated over the Internet. Common dangers from hackers include, for example, hijacking, masquerading and phishing. When using My BOP, ensuring security is the top priority for the fiscal authorities.
Your connection to My BOP is electronically encrypted. This prevents unauthorized third parties from viewing the transmission of information over the Internet between your computer and My BOP.
My BOP ultimately offers you the following options for the secure use of your personalized services:
- Registration:
For security reasons, registration for My BOP is done in several steps. However, it only has to be done once. When registering, you must opt for a login option. The login options differ by security level and accordingly also by the available functions. More information can be found on the registration pages.
Once registered, you will have access to a variety of personalized services, depending on the type of login and associated security level. A personalized login is only possible for registered users. Unregistered users can only access the public area of My BOP.
- Login:
You must register before using your personal My BOP functionalities. As part of your registration, depending on the login option selected and associated security level, one of the following methods of authentication has been established:
  - Certificate file:
  The certificate file is an individually protected file that is stored on your computer in a special security environment and contains your personal keys and certificates. You can save this file to your computer (your hard drive) or to an external storage device (e.g. floppy disk, ZIP drive or USB memory stick).
  - Security stick:
  The security stick is an individually protected device that is connected to the USB port of your computer. It contains a crypto chip on which your personal cryptographic material is stored. The appearance of the security stick is similar to a USB memory stick. The functions of the integrated crypto chip correspond in hardware and software to those of a chip card. The security stick can be purchased separately.
  - Signature card:
  The certificate required for ELSTER is found on the chip of a signature card (crypto chip), a small microprocessor through which the stored data (certificate) is accessed. The detour via the microprocessor makes it possible to protect the data on the card from unauthorized access via cryptographic methods. This ensures maximum safety: Dangers from phishing and other attacks on the certificate are therefore excluded. In addition to the signature card, a card reader is needed, which must be purchased for authentication.
  The fiscal authorities require a minimum level of security when using signature cards for authentication; the details can be read in the ELSTER Policy. The currently supported cards can be viewed under "Security".
- Deleting an account:
Here you have the option of permanently deleting your personal access to My BOP. All your user account data will be irretrievably deleted. To do this, you need the Email address stored for your user account, the short name of your user account and the answer to your personal security question, which was defined by you as part of the registration process.
If you no longer know the short name of your user account, you can receive information about all user accounts registered under an Email address. Click on "Send short names".
You do not have to sign up to delete your user account.
Use this function if you have lost your certificate or if you suspect that someone has obtained unauthorized access to your certificate, security stick or signature card.
Your browser is the gateway to the Internet. It lets you explore web pages, search for information, and download files. Whether Internet Explorer, Google Chrome, Mozilla Firefox or Opera: With all Internet browsers, new security holes are always discovered. Check your Internet browser regularly and update the software with security updates. All popular Internet browsers also provide security mechanisms intended to keep out, for example, computer viruses and Trojans that can modify, delete or read files on your computer. Further information on dangers and security measures when using your Internet browser can be found, for example, on the following Internet site of the Federal Office for Information Security:
Using so-called phishing Emails, scammers lure people to fake websites or ask them to disclose their access data for Internet applications. With the data thus obtained, the fraudsters try to harm the users.
Please note: The fiscal authorities will never send you Emails that contain payment instructions or instructions to disclose security-related data, such as tax data, personal identification number (PIN), personal certificate, etc. Never provide information about your secret access data to My BOP via telephone or Email. Therefore, ignore Emails from alleged senders from the fiscal authorities who ask you to disclose sensitive information.
If you accidentally visit a dubious website and divulge your data, contact the fiscal authorities immediately and delete your user account at My BOP.
Registration
Registration for My BOP begins with the collection of your personal data. These are, for example, name, short name of your account, BZSt number and Email address. On the basis of this data, the fiscal authorities check that your electronic identity corresponds to you as a person. For security reasons, an exchange of data between you and the fiscal authorities will be necessary. The registration consists of several steps. The fiscal authorities must know that you are the person you are electronically claiming to be in order to prevent the electronic misuse of your personal access to My BOP. After successful registration, the services of My BOP are at your disposal.
My BOP offers you different ways to sign up, i.e. provide evidence of your identity. These paths differ in their level of security, in their implementation costs, in the procurement effort and ultimately in their validity.
Depending on the security of the different applications, My BOP offers you three login options with different services. The details of the three user packages are presented to you as soon as you visit the registration area in My BOP.
In order to rule out that someone other than yourself logs into My BOP, as part of the registration process you have to acquire an authentication means. The authentication means can be one of the following:
- certificate file
- security stick
- signature card
In future, you will be able to log in to My BOP quickly and prove your electronic identity beyond doubt. Once registration is complete, access to your personalized services will only be possible by authenticating with the My BOP login option.
When using a certificate file, the security of your personal access to My BOP is also highly dependent on the security of the computer used. This security is your own responsibility, and the computer is exposed to Internet-based threats (for example hijacking, masquerading and phishing). For example, a certificate file located on your computer can be copied by you as often as you like and may inadvertently get into the wrong hands. Since copying can also be done unnoticed (for example, through computer viruses or Trojans that have infiltrated), a certificate file carries risks for you to consider. We therefore recommend that you take security measures to limit the threats from the Internet. Measures to be considered can include, for example, the installation of a virus scanner, a personal firewall or a security check. Information on dangers and security measures is available from the Federal Office for Information Security or "Deutschland sicher im Netz eV":
In contrast to a certificate file stored on your computer's hard drive, your keys are located on the security stick or signature card outside the security environment of your computer. A private key stored in this way cannot be read. In addition, both the security stick and the signature card automatically lock and must be re-enabled after a few failed attempts to access, usually three. The likelihood of someone gaining access to your certificate by trying passwords is thus very low. Sensitive cryptographic operations with your private keys can be performed within a security stick or signature card and are not dependent on the Internet security environment of your computer. In addition, the private keys cannot be read from the security stick. Thus, security sticks and signature cards also meet higher security requirements. If you see any uncertainty in the security of the computer you are using, or if you cannot implement the proposed security measures for the safe use of a certificate file (for example, in an Internet café), we recommend that you choose to register with security stick or signature card.
Deleting an account
Here you have the option of having your access to My BOP permanently blocked. Your entire data in My BOP will be irretrievably deleted. Tax returns that are already submitted are not affected. On the one hand, you can use the feature when you no longer need your access. On the other hand, this function is available for security purposes if your authentication means (certificate file, security stick or signature card) accidentally got into the wrong hands or you lost it. In this case, there is an increased risk that an unauthorized person may gain access to your personalized services, and you should immediately block your corresponding personal access to My BOP.
To block, you need personal data (Email and short name) and your personal answer to the security question that you selected and answered when registering for your personal access. This will allow only you to block it, since ideally only you have all the personal information and can answer the selected question. Your personal access can be blocked only if My BOP has authenticated you by the personal data and by your answer to the question. The principle of authentication for the blocking feature is a common practice for authenticating people over the telephone (for example, often practiced by call centres) when a password or other security device has been forgotten.
First please enter your personal name as your short name and your Email address for your identification and then click on "Next".
If you no longer know the short name of your account, you can receive information about all user accounts registered under a certain Email address. Click on "Send short name".
Here you have the option of having your access to My BOP permanently blocked. Your entire data in My BOP will be irretrievably deleted. Tax returns that are already submitted are not affected.
In the private area of My BOP, click on "Delete account". Allow the blocking by entering your answer to the assigned security question. After that, the blocking of your personal access will be carried out immediately.
If an unauthorized person wants to block one of your accesses, he / she would need to know your assigned Email address, your short name and the answer to your personal security question, which is unlikely. In addition, there is no particular motivation for unauthorized persons to block personal access. Those motivated to gain access would be hackers who would try to obtain your personal data regarding tax secrecy, which is reliably secured at My BOP through security techniques such as authentication and encryption.