This is scary. If I know a little about you, I can hack
into your Income Tax account. What is scarier is that this process
doesn't even require the skills of a hacker.
Here's how I hacked into a friend's account (with her permission, of course):
On the incometaxindiaefiling.gov.in home page, I went to the log in page and then clicked on the 'Forgot Password' link. There I entered her PAN (Permanent Account Number), which she didn't provide me with. Since a PAN is not confidential, it wasn't very difficult for me to find it mentioned in a document I had access to.
The next hurdle was to guess her secret question and the answer to it. There were four options to choose from: What is your pet name; What is your mother's maiden name; What is your first school name; and What is your favourite time pass. It took me four tries to crack it, and I found the answer in one of her online profiles. There also doesn't seem to be any limit on the number of retries. And the website also let me reset her password then and there.
Unauthorised access to your account can also happen if someone has access to your e-filing acknowledgement number from any previous e-filing.
Now I had access to all her tax information and other details, and I could also lock her out of her account, as I could change the email ID and phone number and also reset the secret question.
This is a serious security lapse on the part of the Directorate of Income Tax (Systems) that operates the website, and it potentially puts the tax information of millions of Indian taxpayers at risk.
What the Income Tax Department should have done
A standard security practice on the better websites around is multi-tiered checks for password recovery. When a user wants to retrieve his password he should be asked to enter his PAN and answer the secret question. Then a password recovery link is sent to the registered email ID and a code is sent as a text message to the registered mobile number.
Now the user has to click on the link in his email and, in the page that opens, enter the code mentioned in the text message to recover/reset his password. This ensures that for someone to hack into the account, the hacker will need access to the user's phone as well as his email, something that in most circumstances is unlikely. Also, there should be an option for the user to enter his own question instead of the standard four that the website has on offer.
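As an added illustration (not code from the post or from the e-filing site), the recovery flow described above next to the weak one the post found: the weak reset needs only PAN plus secret answer with unlimited tries, while the hardened version locks after a few wrong answers and then requires both an emailed token and an SMS code. The PAN, email, phone, answer and the in-memory "outbox" standing in for mail and SMS gateways are constructed sample data.

```python
import hmac, hashlib, secrets

# Constructed sample user store; the PAN and contact details are made up.
USERS = {
    "ABCDE1234F": {"answer_hash": hashlib.sha256(b"rover").hexdigest(),
                   "email": "user@example.test", "phone": "+910000000000"},
}
MAX_ATTEMPTS = 3
_failed = {}    # pan -> count of wrong secret answers
_pending = {}   # pan -> {"email_token", "sms_code"} awaiting second tier
# Stand-in for the mail and SMS gateways so the example runs offline.
outbox = {"email": {}, "sms": {}}

def _answer_ok(pan, answer):
    # Answers are normalised (case/whitespace) and compared in constant time.
    # A slow hash (bcrypt/argon2) would be preferable to SHA-256 in production.
    digest = hashlib.sha256(answer.strip().lower().encode()).hexdigest()
    return hmac.compare_digest(digest, USERS[pan]["answer_hash"])

def reset_weak(pan, answer, new_password):
    """The flow the post describes: PAN + secret answer, no retry limit,
    password changed on the spot."""
    if pan in USERS and _answer_ok(pan, answer):
        USERS[pan]["password"] = new_password
        return True
    return False

def start_recovery(pan, answer):
    """Tier 1: PAN + secret answer, locked after MAX_ATTEMPTS failures."""
    if pan not in USERS or _failed.get(pan, 0) >= MAX_ATTEMPTS:
        return "locked_or_unknown"   # one answer for both; don't reveal PAN validity
    if not _answer_ok(pan, answer):
        _failed[pan] = _failed.get(pan, 0) + 1
        return "wrong_answer"
    _failed[pan] = 0
    _pending[pan] = {"email_token": secrets.token_urlsafe(32),
                     "sms_code": f"{secrets.randbelow(10**6):06d}"}
    outbox["email"][USERS[pan]["email"]] = _pending[pan]["email_token"]
    outbox["sms"][USERS[pan]["phone"]] = _pending[pan]["sms_code"]
    return "sent"   # expiry of the pending tokens is omitted for brevity

def complete_recovery(pan, email_token, sms_code, new_password):
    """Tier 2: the emailed link token AND the SMS code must both match.
    Tokens are single use; any mismatch discards them, forcing a fresh start."""
    p = _pending.pop(pan, None)
    if p is None:
        return False
    if not (hmac.compare_digest(p["email_token"], email_token)
            and hmac.compare_digest(p["sms_code"], sms_code)):
        return False
    USERS[pan]["password"] = new_password
    return True
```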
What the Income Tax Department did partially right
As soon as a request for a password change is processed, the Income Tax Department sends an email to the registered email ID notifying the user that his password has been changed. This at least keeps the user in the know about what has happened. But this doesn't prevent the unauthorised access. The user, in order to regain access to his account, has to send an email to ask@incometaxindia.gov.in. This, I believe, is a long-drawn-out process.
What you as a user should do immediately
While the Income Tax Department fixes this flaw (I am informing them about this), you should log in to your incometaxindiaefiling.gov.in account and then, from the 'My Account' link on the top navigation, go to 'Update Secret Question/Answer' and choose a question with an answer that no one else but you will be able to answer.
Don't worry if your answer isn't the actual answer to your question, but remember to remember the answer. Knowing the level of security that our government agencies have in place to protect your personal data, also keep your fingers crossed.