NEW IRB treatment

[hkpoh]

Recently I just went to Wang U to shop some stuff. Accidently there was a IRB counter prepared at one side of the corner, so me and my girl friend went to check for a good news from IRB for us, employees.

From the IRB female officer, we got to know that, IRB going to change their system from manual Borang B to e-borang B, where everyone of us can submit our application through online, however we need to pay RM6 - RM7 per year for being a user and it a compulsary for everyone of us after 3 years time. Guess who is the benificial? Digi Cert.

Assuming we have 3 million (which I doubt will be more) user and everyone of us paying tax plus the RM6 fees for e-borang, how much will digi cert is making every year, which these money is buta-buta money and we have to pay for it.

For me, it's not fair and if government wanna change their policy, please absorb it, not us.

[trex92]

i dun think the officer gave correct info on e-borang. The submission of income tax forms would never be able to be 100% based on online submission as malaysia would never be able to achieve 100% internet penetration (and some more 3 year's time?)and as such there would always be people who do not have internet access and hence cannot do online submission. Online submission would just be an optional method and hardcopy submission would still be available.

[hkpoh]

nope, IRB is moving towards this era, IRB is not cutting any employees, but train them as auditor to check on our submition. Either way, they are "forcing" us to accept it. 3 years from now, we have a choice of manual or e-borang, but if not 3 years, then it would be 5 years.

While I was there, almost 50 people already signup on that because with the signup, you do not need to pay for 3 years time, but after 3 years, new authentication code will be send to you as a bill and you need to pay for it. Just like Indah Water.

[HTH]

what I don't understand is this.
Before 2005, the IRB has been educating us on how to do the form and calculation ourselves. I can still remember the blue form Borang B and was getting used to it. Then came 2005, when we are supposed to do it on our own, and they decided to change everything! And everyone was given the thick book (buku panduan) on how to fill up the form.

Now they want to change again ah?

[hkpoh]

yeah.... u remember the blue thick book? now only few piece of papers and it's all done. 1st click this, 2nd click that, 3rd submit and u r done with the submition.

I remembered I asked the lady whether do we get any acknowladgemnt about the borang B, and she smiled to me and say "you will get a online acknow, and please print it because it's only appear once, after that can't be trace back", so what are we getting into now..... trouble and more blood sucking.

[kwchang]

I have not seen this e-borang but if it is an electronic form, it should be able to check on the input logic on the fly and inform us if we made any mistakes like forgetting to fill a particular area. Last year, I used their downloadable spreadsheet to enter my returns and found out that I made a mistake - that was very useful because I would not have detected the mistake myself.

Therefore, an electronic form (if well designed) should eliminate or at least minimise errors when filling the income tax returns.

The downside is that it will be a major headache for those who hate computers or had never touched one in their daily lives.

[VeeJay]

The downside is that it will be a major headache for those who hate computers or had never touched one in their daily lives.

That is when you employ a thirt party to do it...more business, right?!

[hkpoh]

yes it is. no more long q in IRB

[lonewolf8]

The downside is that it will be a major headache for those who hate computers or had never touched one in their daily lives.

I have asked about this issue during the registration. The IRD told me that they encouraged people to use the e-borang. If required, taxpayer can go to IRD department to request the IRD personnel to help to fill up the e-borang.

[totoro]

i went to IRD to get my digital cert last week...

one thing i noticed... most not tech savvy...

i got my cert generated then they will ask you to save it to a diskette! or later they suggested thumbdrive (at least a bit update), then later... i just emailed it to my account.

thing is... i also saw a lot of previous generated certs lying around.

but all in all.. good experience... everything went smoothly. u can kautim in 5 minutes to get the cert.

[chin_wan]

totoro, did they just email you just the cert or does it come with your private key? If they email your private key, that's a huge security risk.

[jand]

i went to IRD to get my digital cert last week...

one thing i noticed... most not tech savvy...

i got my cert generated then they will ask you to save it to a diskette! or later they suggested thumbdrive (at least a bit update), then later... i just emailed it to my account.

thing is... i also saw a lot of previous generated certs lying around.

but all in all.. good experience... everything went smoothly. u can kautim in 5 minutes to get the cert.

there is something wrong with this process. this just shows that the identification details for the cert is entered by a middle man and there's no Identity verification AND authentication.

Simply put, the primary key (in database speak) for this cert is your IC number. And this is verified only by means of visually looking at your IC by the middle man. The potential problem from this is Identity theft. Some smart fella in IRB could have 'mistakenly' generated a cert for you and 'hilang' it to who knows where.

Secondly, there's no authentication for that digital cert. A digital cert consists of 2 parts: the public key (identity) and the private key (authentication).
The public key is like your face where you take photos of yourself and distribute it friends so they can associate your face to your name BUT the private key is your body's DNA.
What's happening here is that you didn't password protect your private key that means the middle man here can take your public+private key pair and store it somewhere for later 'use'.

And to make matters worse, they're not removing the generated certs from their workstation...

This digital cert should not be generated by IRB and it's more likely under the purview of JPN as it concerns identity.

Digital certs are a good way to go but the way it is implemented, it looks like they didn't look through the application and authentication process from a security standpoint very thoroughly.
There are many complications with implementing a national digital cert in terms of verification and maintenance/administration which I can truthfully say beyond me at the moment.

With the current half past six process, it looks safer to use the hardcopy rather than the softcopy. Safer only in terms that it'll require more effort to duplicate your identity (handwriting/signature compared to a 3rd party handling your digital cert).

[totoro]

totoro, did they just email you just the cert or does it come with your private key? If they email your private key, that's a huge security risk.

no, i told them my laptop no floppy diskette drive.. so they suggest thumbdrive, but i forgot to bring. in the end, i opened my email account (from their laptops there) and emailed my cert (stored as a file, password protected) to myself.

[totoro]

there is something wrong with this process. this just shows that the identification details for the cert is entered by a middle man and there's no Identity verification AND authentication.

Simply put, the primary key (in database speak) for this cert is your IC number. And this is verified only by means of visually looking at your IC by the middle man. The potential problem from this is Identity theft. Some smart fella in IRB could have 'mistakenly' generated a cert for you and 'hilang' it to who knows where.

Secondly, there's no authentication for that digital cert. A digital cert consists of 2 parts: the public key (identity) and the private key (authentication).
The public key is like your face where you take photos of yourself and distribute it friends so they can associate your face to your name BUT the private key is your body's DNA.
What's happening here is that you didn't password protect your private key that means the middle man here can take your public+private key pair and store it somewhere for later 'use'.

And to make matters worse, they're not removing the generated certs from their workstation...

This digital cert should not be generated by IRB and it's more likely under the purview of JPN as it concerns identity.

Digital certs are a good way to go but the way it is implemented, it looks like they didn't look through the application and authentication process from a security standpoint very thoroughly.
There are many complications with implementing a national digital cert in terms of verification and maintenance/administration which I can truthfully say beyond me at the moment.

With the current half past six process, it looks safer to use the hardcopy rather than the softcopy. Safer only in terms that it'll require more effort to duplicate your identity (handwriting/signature compared to a 3rd party handling your digital cert).

actually you need to enter a 16-digit PIN number associated with ur slip code.

they pass everyone a slip (like ur salary slip or PIN slip), which is sealed, and you unseal it yourself, and enter the code to generate your cert. That's part of your private key.

and yea, they do advise you to set a password for your cert.