aka Somu aka Chaiwallah
is an internet addict. His wife and family suspect that he is secretly married to his laptop. The electric shock that he got while trying to fix a neighbour's TV set as a kid, perhaps ignited his interest in everything tech. A do-it-yourself guy, he doesn't believe in hiring electricians, plumbers or carpenters. But often ends paying the professionals more to fix his botched jobs. Somu secretly wishes he knew how to code better and also grumbles a lot.
He also tweets a bit as @soumyadip
and you can find him on Facebook here
This is scary. If I know a little about you, I can hack into your Income Tax account. What is scarier is that this process doesn't even require the skills of a hacker.
Here's how I hacked into a friend's account (with her permission, of course):
On the incometaxindiaefiling.gov.in home page, I went to the log in page and then clicked on the 'Forgot Password' link. There I inserted her PAN (Permanent Account Number), she didn't provide me with this. Since PAN is not confidential, it wasn't very difficult for me to find that mentioned in a document I had access to.
The next hurdle was to guess her secret question and the answer to it. There were four options to choose from: What is your pet name; What is your mother's maiden name; What is your first school name; and What is you favourite time pass. I took me four tries to crack it and I found the answer in one of her online profiles. There also doesn't seem to be any barrier on the number of retries. And the website also let me reset her password then and there.
Unauthorised access to your account can also happen if someone has access to your e-filing acknowledgement number from any previous e-filing.
Now I had access to all her tax information and other details and I could also lock her out of her account as I could change the email ID, phone number and also reset the secret question.
This is a serious security lapse on the part of the Directorate of Income Tax (Systems) that operates the website and it potentially puts the tax information of millions of Indian tax payers at risk.
What the Income Tax Department should have done
A standard security practice on the better websites around is multi-tiered checks for password recovery. When a user wants to retrieve his password he should be asked to enter his PAN and answer the secret question. Then a password recovery link is sent to the registered email ID and a code sent as a text message to the registered mobile number.
Now the user has to click on the link in his email and in the page that opens inserts the code mentioned in the text message to recover/reset his password. This ensures that for someone to hack into the account, the hacker will need access to the user's phone as well as his email. Something, that in most circumstances, is unlikely. Also there should be an option for the user to insert his own question instead of the standard four that the website has on offer.
What the Income Tax Department did partially right
As soon as a request for password change is processed the Income Tax Department sends an email to the registered email ID notifying the user that his password has been changed. This at least keeps the users in the know about what has happened. But this doesn't prevent the unauthorised access. The user, in order to regain access to his account has to send an email to firstname.lastname@example.org. This I believe is a long drawn process.
What you as a user should do immediately
While the Income Tax Department fixes this flaw (I am informing them about this) you should log in to your incometaxindiaefiling.gov.in account and then from the 'My Account' link on the top navigation go to the 'Update Secret Question/Answer' and choose a question with an answer that no one else but you will be able to answer.
Don't worry if your answer isn't the actual answer to your question, but remember to remember the answer. Knowing the level of security that our government agencies have in place to protect your personal data also keep your fingers crossed.
(Follow @soumyadip on Twitter)