Security

Important note

Fake emails are currently being sent in the name of the tax authorities. The sender is, for example, ELSTER, the tax office or the Federal Central Tax Office (BZSt). In these messages, the recipient is usually asked to open an attached file that is supposedly a tax assessment notice or an invoice.

Both the sender's address and the content of the e-mail vary constantly. In all cases, however, attempts are made to obtain login data and account and/or credit card information from taxpayers by e-mail.

The tax administration only sends you notifications, but never the actual tax data or invoices in the form of an e-mail attachment.

Please note the following:

  • Never open attachments that you are not sure come from a trustworthy source.
  • The tax administration will never request information such as your tax number, account details, credit card numbers, PIN or the answer to your security question in an e-mail.
  • Do not click on an embedded link in an e-mail if you have any doubts that the e-mail originates from the tax authorities.
  • General tips for using the Internet and current warnings can be found on the website of the BSI - Federal Office for Information Security.

Important note on phishing e-mails - graphic warning triangle

IT security with ELSTER

The federal and state tax authorities acknowledge their responsibility for IT security in the ELSTER procedure. The protection of confidential information and the guarantee of the availability and integrity of all data to be processed within the framework of ELSTER and its processing systems must be ensured.

The ELSTER procedure is subject to various legal requirements in terms of IT security. When transmitting data electronically, a large number of legal regulations and various letters from the BMF must be observed, which make the proper handling of electronic data a challenging task. The most important legal regulations include

  • Fiscal Code (AO)
  • Tax Data Retrieval Ordinance (StDAV)
  • Federal Data Protection Act (BDSG)
  • Bavarian Data Protection Act (BayDSG)
  • Data Protection Act of North Rhine-Westphalia (DSG NRW)

The ELSTER services are provided in a ISO 27001 based on the BSI's IT baseline protection catalogs. The certification is intended to document both that IT baseline protection in accordance with ISO 27001 has been fully implemented for these services provided by the Bavarian State Tax Office and the computer center of the financial administration of the state of North Rhine-Westphalia and that dealing with IT security issues is an essential part of the authorities' philosophy.

Data security

With the ELSTER client software, electronic transmission takes place via the Internet. To protect tax confidentiality, the tax data is transmitted in encrypted form from the user to the data centers of the federal states. Hybrid encryption was chosen for this purpose, which corresponds to the current state of security technology. The integrity of the data is guaranteed via a Hash code.

Software security

An overall statement on the security of the ELSTER procedure, in particular with regard to the confidentiality of tax data vis-à-vis third parties in the user's environment, must take into account any security functions of the tax return programs used. These are usually software solutionsfrom third-party providers. Their name stands for the security and quality of the tax return software they sell. In this context, the responsibility of the tax authorities only extends to the provision of trustworthy, tamper-proof modules.

Transmission paths

With the ELSTER client software, electronic transmission takes place via the Internet.
Download the Elster HTTPS servlet certificate

SHA1 fingerprint

CF:A3:9C:5C:B2:10:4B:D9:25:26:CC:95:16:D4:79:23:CF:2A:07:B2

SHA256 Fingerprint

19:D2:95:E4:1E:C4:F8:0B:65:7E:C2:2D:06:C6:0C:2B:4F:D8:98:F3:19:2F:74:52:11:B5:C9:BA:EA:73:79:A2

Registration

The ELSTER procedure enables taxpayers to securely transmit their sensitive tax data to the tax authorities. The procedure ensures the confidentiality, authenticity and integrity of the data sent. The electronic certificates used for authentication and the associated key pairs are stored in the Personal Security Environment (PSE)corresponding to the user package. Glossary for Show personal security environment (PSE) of the means of authentication Glossary for Show means of authentication . As part of your registration, the authentication method has been defined depending on the selected Login option (certificate file, security stick, signature card) and the associated security level.

Authentication

The various authentication methods differ in terms of the security level and the available functions. Access to the electronic certificate is secured by a password that you must set yourself.
The authentication of a registered user against Mein ELSTER is based on a Public-Key-Infrastructure (PKI) Show glossary for Public-Key-Infrastructure (PKI). Owners of a signature card supported by ELSTER can register with this card. In this case, the PKI of the card issuer is used. Alternatively, the user receives a key pair and an electronic certificate as part of the registration process. This data is stored in the so-called Personal Security Environment (PSE ) Show glossary for Personal Security Environment (PSE ).

Dealing with electronic certificates

The user is responsible for the secure handling of the certificate file, security stick or signature card and the corresponding password. Please note the following important information regarding the transfer or storage of the PSE:

  1. Choose a secure password. A combination of numbers and letters increases security. Please note that a distinction is made between upper and lower case letters.
  2. Be careful with your password. Do not pass it on to third parties.
  3. Make a note of your password and your answer to the security prompt and keep both pieces of information in a safe place.
    The password is only known to you and, if lost, can only be retrieved via the Access renewal a new certificate with a new password must be issued.

  4. Never give your electronic certificate to third parties. Exceptions are described below.
  5. Signature cards must never be passed on to third parties. They are always bound to one person.

You can find more detailed information on how to use the authentication means here:

Transfer of certificates

You can commission third parties to transfer your data. However, you should never pass on your personal certificates to third parties, regardless of whether you are a private individual or an entrepreneur and commission another person to transfer your tax data. Depending on whether you are in possession of a personal certificate or organizational certificates, the following options are recommended for data transmission by commissioned third parties:

  1. Never pass on your personal certificate to third parties. In the case of transmission by third parties, the actual data transmitter should always register itself. If the data provider has registered with Mein ELSTER, they can transmit tax returns on your behalf.
  2. If you are an entrepreneur, you can also register for an organization certificate. In contrast to personal certificates, organization certificates are not linked to individual persons, but to an organization under tax law (e.g. company, society, association, institution). Therefore, organization certificates can be passed on to employees of the company for data transmission. However, the transfer should be controlled and only be made to trustworthy persons.