Security

Important note

Fake emails are currently being sent in the name of the tax administration. The sender pretends to be, for example, ELSTER, the tax office or the Federal Central Tax Office (BZSt). In these messages, the recipient is usually asked to open an attached file that is supposed to be a tax bill or an invoice.

Both the sender address and the content of the email vary constantly. In all cases, however, the aim is to obtain tax credentials, as well as bank account and/or credit card information, by email.

The tax administration only sends you notifications by email; it never sends the actual tax data or invoices as an email attachment.

Please note the following:

  • Never open attachments unless you are sure they come from a trusted source.
  • The tax administration will never request information such as your tax number, bank account details, credit card numbers, PIN or the answer to your security question in an email.
  • Do not click on an embedded link in an email if you have doubts that the email comes from the fiscal authorities.
  • General tips on dealing safely with the Internet, as well as current warnings, can be found on the website of the BSI (Federal Office for Security in Information Technology).


IT security at ELSTER

The federal and state fiscal authorities are committed to their responsibility for IT security in the ELSTER process. The protection of confidential information and the availability and integrity of all data to be processed by ELSTER and their processing systems must be ensured.

The ELSTER procedure is subject to various legal requirements for IT security. The electronic transmission of data is governed by a large number of statutory provisions as well as various letters from the Federal Ministry of Finance (BMF), which make the proper handling of electronic data a challenging task. The most important legal regulations include:

  • Fiscal Code (AO)
  • Tax Data Collection Ordinance (StDAV)
  • Federal Data Protection Act (BDSG)
  • Bavarian Data Protection Act (BayDSG)
  • Data Protection Law North Rhine-Westphalia (DSG NRW)

The ELSTER services are provided in their own IT infrastructure, certified according to ISO 27001 on the basis of the BSI IT-Grundschutz Catalogues. The certification is intended to document both that IT Baseline Protection according to ISO 27001 has been fully implemented for these services, which are provided by the Bavarian State Office for Taxation and the Data Centre of the Financial Administration of the State of North Rhine-Westphalia, and that engaging with IT security issues is an established and essential part of the authorities' philosophy.

Security of the data

Electronic transmission takes place with the ELSTER client software via the Internet. To protect tax secrecy, the tax data is encrypted on the user's side and transmitted to the data centres of the federal states. For this purpose, a hybrid encryption scheme was selected that corresponds to the current state of security technology. The integrity of the data is ensured by a hash code.

Security of the software

An overall statement on the security of the ELSTER procedure, in particular with regard to the confidentiality of the tax data vis-à-vis third parties in the user's environment, must take into account the security functions of the tax declaration programs used. These are usually third-party software solutions, and their vendors vouch for the security and quality of the tax declaration software they distribute. In this context, the responsibility of the fiscal authorities extends only to the provision of trustworthy, tamper-resistant modules.

Transmission paths

Electronic transmission takes place with the ELSTER client software via the Internet.

Download the Elster HTTPS Servlet certificate

SHA1 Fingerprint

CF:A3:9C:5C:B2:10:4B:D9:25:26:CC:95:16:D4:79:23:CF:2A:07:B2

SHA256 Fingerprint

19:D2:95:E4:1E:C4:F8:0B:65:7E:C2:2D:06:C6:0C:2B:4F:D8:98:F3:19:2F:74:52:11:B5:C9:BA:EA:73:79:A2
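To check a downloaded servlet certificate against the fingerprints listed above, here is an added example (not ELSTER's own code) that computes the SHA-1 and SHA-256 fingerprints over the DER encoding, formats them the way browsers display them, and compares them with the published values. The PEM sample embedded in it is constructed for the demonstration and is not the real certificate.

```python
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints of the ELSTER HTTPS servlet certificate as published on this page.
PUBLISHED_FINGERPRINTS = {
    "sha1": "CF:A3:9C:5C:B2:10:4B:D9:25:26:CC:95:16:D4:79:23:CF:2A:07:B2",
    "sha256": "19:D2:95:E4:1E:C4:F8:0B:65:7E:C2:2D:06:C6:0C:2B:4F:D8:98:F3:19:2F:74:52:11:B5:C9:BA:EA:73:79:A2",
}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or DER input."""
    match = _PEM_RE.search(data.decode("ascii", errors="ignore"))
    if match:
        # PEM body is base64 over the DER encoding; drop line breaks before decoding.
        return base64.b64decode("".join(match.group(1).split()))
    return data  # already DER


def fingerprint(der: bytes, algorithm: str) -> str:
    """Colon-separated upper-case hex digest over the DER bytes (browser display form)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify(cert: bytes, algorithm: str = "sha256", expected: dict = PUBLISHED_FINGERPRINTS) -> bool:
    """True only if the certificate's fingerprint equals the published one (constant-time compare)."""
    got = fingerprint(load_der(cert), algorithm)
    return hmac.compare_digest(got, expected[algorithm])


# Constructed sample: a PEM wrapper around the bytes b"abc" ("YWJj" in base64), not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Pass the downloaded certificate file as the first argument; otherwise the sample is used.
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    der = load_der(cert)
    for algo in ("sha1", "sha256"):
        status = "MATCH" if verify(cert, algo) else "MISMATCH"
        print(f"{algo.upper()} {fingerprint(der, algo)}  {status}")
```

Prefer the SHA-256 comparison: SHA-1 is listed for compatibility with older tools, but collisions against it are practical, so a SHA-1 match alone should not be relied upon.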

Registration

The ELSTER procedure allows the taxpayer to securely transfer his sensitive tax data to the fiscal authorities. The procedure thereby ensures the confidentiality, authenticity and integrity of the data sent. The electronic certificates used for authentication and the corresponding key pairs are stored in the Personal Security Environment (PSE) of the authentication method. As part of your registration, the authentication method was defined depending on the selected login option (certificate file, security stick, signature card) and the associated security level.

Authentication

The different authentication methods differ in their level of security and available features. Access to the electronic certificate is secured by a password that you must set yourself. Authenticating a registered user for My ELSTER is based on a Public Key Infrastructure (PKI). Owners of a signature card supported by ELSTER can register with it; in this case, the PKI of the card issuer is used. Alternatively, as part of the registration process, the user receives a key pair and an electronic certificate. These data are stored in the Personal Security Environment (PSE).

Handling electronic certificates

The user is responsible for the safe handling of the certificate file, security stick or signature card and the associated password. Please note the following important information regarding the transfer or storage of the PSE:

  1. Choose a secure password. A combination of numbers and letters increases security. Please note that a distinction is made between upper and lower case.
  2. Handle your password carefully. Do not pass it on to third parties.
  3. Make a note of your password and of the answer to your security question, and keep both notes in a safe place.
    The password is known only to you and cannot be renewed if lost.
  4. Never give your electronic certificate to third parties. Exceptions are described below.
  5. Signature cards may never be shared with third parties. They are always tied to one person.

More detailed information on handling the authentication means can be found here:

Passing on of certificates

You may entrust third parties with the transmission of your data. However, you should never pass on your personal certificate to third parties, regardless of whether you, as a private person or an entrepreneur, entrust another person with the transmission of your tax data. For data transmission by a commissioned third party, the following courses of action are recommended, depending on whether you hold a personal certificate or an organizational certificate:

  1. Never give your personal certificate to third parties. When data is transmitted by a third party, the person actually transmitting the data should always register themselves. If the data transmitter has registered with My ELSTER, he can submit tax returns on your behalf.
  2. If you are an entrepreneur, you can also register for an organizational certificate. In contrast to personal certificates, organizational certificates are not tied to individual persons but to a tax organization (e.g. company, society, association, institution). Therefore, an organizational certificate can be passed on to employees of the company for data transmission. However, this transfer should be controlled and limited to trustworthy persons.