We reported alleged flaws to Income Tax Department and Central Information Commission- How I can hack into your Income Tax account by Soumyadip Chaudhury at ibnlive.in.com on 19.7.2011 – HRT Inter-media

Central Information Commission (CIC)

Your Complaint has been lodged successfully.

Complaint Number: RC/UG/11/115627psp

Income Tax Department Website reply-

——— Forwarded message ———-
From: Income Tax Department <webmaster@incometaxindia.gov.in>
Date: Tue, Jul 19, 2011 at 4:34 PM
Subject: Itax Feedback Response
To: aiims.ashu@gmail.comDear Human rescue team
Date :7/19/2011

Dear Sir/Madam,

The Income Tax Department appreciate your feedback, on its national website. We have taken note of your suggestions. It will help us to serve you better.

Income Tax Department.
New Delhi

And the actual  complaint was: 

Please review this media report for alleged flaws in online tax account and direct respected authority for reformation of the concerned information system-

How I can hack into your Income Tax account by Soumyadip Chaudhury at ibnlive.in.com on 19.7.2011

This is scary. If I know a little about you, I can hack into your Income Tax account. What is scarier is that this process doesn’t even require the skills of a hacker. Here’s how I hacked into a friend’s account (with her permission, of course): On the incometaxindiaefiling.gov.in home page, I went to the log in page and then clicked on the ‘Forgot Password’ link. There I inserted her PAN (Permanent Account Number), she didn’t provide me with this. Since PAN is not confidential, it wasn’t very difficult for me to find that mentioned in a document I had access to. The next hurdle was to guess her secret question and the answer to it. There were four options to choose from: What is your pet name; What is your mother’s maiden name; What is your first school name; and What is you favourite time pass. I took me four tries to crack it and I found the answer in one of her online profiles. There also doesn’t seem to be any barrier on the number of retries. And the website also let me reset her password then and there.

Unauthorised access to your account can also happen if someone has access to your e-filing acknowledgement number from any previous e-filing. Now I had access to all her tax information and other details and I could also lock her out of her account as I could change the email ID, phone number and also reset the secret question. This is a serious security lapse on the part of the Directorate of Income Tax (Systems) that operates the website and it potentially puts the tax information of millions of Indian tax payers at risk. What the Income Tax Department should have done. A standard security practice on the better websites around is multi-tiered checks for password recovery. When a user wants to retrieve his password he should be asked to enter his PAN and answer the secret question. Then a password recovery link is sent to the registered email ID and a code sent as a text message to the registered mobile number. Now the user has to click on the link in his email and in the page that opens inserts the code mentioned in the text message to recover/reset his password. This ensures that for someone to hack into the account, the hacker will need access to the user’s phone as well as his email. Something, that in most circumstances, is unlikely. Also there should be an option for the user to insert his own question instead of the standard four that the website has on offer.

What the Income Tax Department did partially right. As soon as a request for password change is processed the Income Tax Department sends an email to the registered email ID notifying the user that his password has been changed. This at least keeps the users in the know about what has happened. But this doesn’t prevent the unauthorised access. The user, in order to regain access to his account has to send an email to ask. This I believe is a long drawn process. What you as a user should do immediately. While the Income Tax Department fixes this flaw (I am informing them about this) you should log in to your incometaxindiaefiling.gov.in account and then from the ‘My Account’ link on the top navigation go to the ‘Update Secret Question/Answer’ and choose a question with an answer that no one else but you will be able to answer. Don’t worry if your answer isn’t the actual answer to your question, but remember to remember the answer. Knowing the level of security that our government agencies have in place to protect your personal data also keep your fingers crossed


We honored your feedback!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: