Safeguard Your Income Tax E-filing Account Today
Disclaimer: The author of this article is neither an info-security expert nor a hacker, but just an honest tax-payer in India whose Income Tax E-filing account was compromised by a hacker some time back. In this article the author makes critical observations and highlights a design flaw in the Income Tax E-Filing (India) website. Furthermore, the author explains how recently introduced features can help you safeguard your account. Through this article the author intends to improve awareness among Indian tax-payers of this vulnerability "by design" and of how to safeguard their individual accounts on the Income Tax E-filing website.
Your Account is Unsafe!
Since you are reading this article, I assume you are a tax-payer to the Income Tax Department, India and already have an online account on the tax filing site. Like every other tax-payer, you are probably under the impression that your account is safe and secure. There seems to be no reason to doubt it, because from your side you have already created a profile on the Income Tax E-filing site, set a "strong" password yourself, registered a personal email id that only you can access and set your mobile phone number on the site. However, to your worst nightmare, you might be wrong. Your account might still be vulnerable.
Let Me Explain..
Like any other website on the internet, the Income Tax E-filing site allows its users to reset their password in case they have forgotten it. However, the password reset functionality of the Income Tax E-filing site allows something very peculiar, and this makes the account easily hackable by bad people. Shockingly, the site allows the user to completely change critical information like the registered email id and mobile phone number at the time of the password reset. It essentially means that a totally new set of user details can be entered into the system at the time of password recovery. Now imagine it is someone else who is trying to change the password of your account (basically hacking your account): s/he needs very little data to acquire your account. The implication is that anyone with a little of your financial details can easily hack your account and lock you out of your own account. More shockingly, this is a well-documented procedure for changing the password (along with email id and phone number) on the Income Tax site. This is a major security lapse in your Income Tax account.
How to (Basically "Hack") Change Email, Mobile Number and Other Details without a Password?
Firstly, you can go through the User Manual "Reset Password" published on the Income Tax E-Filing site and gather the list of data you will require to change the password. Page 4 of that manual clearly defines the steps to change the password along with entering a "New Email ID and Mobile Number". You might be wondering by now WHY engineers at the Income Tax Department would design a procedure that compromises the security of your account, but in reality that's how it is. In the real world, your Income Tax E-Filing account is left at the mercy of the hackers.
Following is the check-list of data that you will require to change the password of the account:
- Permanent Account Number (PAN)
- Email id
- Phone number
- Only one of the following financial details associated with the PAN:
  - Bank Account Number
  - TAN and TDS amount for a recent assessment year (the TAN can again be searched on the same website if you know the name of the employer)
  - Challan Identification Number (CIN)
The email notification will come to you with a hyperlink to cancel the password change request within the next 12 hours. Further, it clearly warns that "In case the request has not been cancelled within 12 hours the request for Reset Password will be processed." [I am still wondering what is so sacrosanct about "12 hours."]
So, What Are the Odds for You?
In the scenario where you have not only forgotten your password but also your email id as well as your mobile phone number, the above described procedure can really help you out. [I don't know how many people can "genuinely" forget all three.] However, the very same procedure can be followed by someone else to hack your account and steal your documents for misuse. Let us examine how easy it is for hackers/criminals to gather your data in today's digitized India.
- Travel visa: If you have ever applied for a travel visa to any country, it is very likely that you have shared details like Form 26AS, Form 16 or payslips (including TDS details) and bank account statements for the last one to three years with the travel agency.
- Loan (home, personal, vehicle or any other): Again, if you have ever taken any kind of loan, your payslips and/or other income proof were required to check your capacity to repay the loan.
- Credit card etc.: Again, any kind of financial product, e.g. credit card, insurance policy etc., requires details about your income. And the income proof data typically contains your TDS details as well.
- The list can be even bigger; it includes every instance where you have submitted your payslips.
Most importantly, using this faulty authentication scheme, the Income Tax website can innocently hand over control of your account to someone else. You might be thinking by now that the above mentioned "12-hour" cancellation window can save your account. Yes, it can help you, but only if you are lucky enough to check your email within those 12 hours. [In my case, I checked my emails after 3-4 days and by then my account was already compromised.]
What to Do If Your Account is Compromised?
Firstly, you should try to recover your account using "Reset Password". Try out all the available procedures for resetting the password. If you are lucky enough, your account will be recovered using one of these (and without waiting for 12 hours).
Other than recovering the account, you must also report the matter to both the Cyber Crime Police and the Income Tax Department. You might think that it will be easy to catch the hacker, as the system logs of the web server should have every trace of the hacking incident. However, the ground reality is different: your struggle to get your account back and to put the hacker behind bars has just begun. Below are a few awkward remarks and technical reasons that I received from representatives of the department:
- "All the transactions are carried out following the proper procedures."
- "The applicant is required to produce the original for verification. ..... appear before the undersigned and establish his identity..." Basically, travel to the Bangalore office to pursue the case further.
- "Why do you want to file a complaint if no money is kept in or stolen from that account?"
How to Safeguard Your Account?
I burnt my hands with such a hacking incident on my account. I was lucky enough to recover my account from the hacker. Very recently, in April 2016, the Income Tax Department introduced higher-security options to address this kind of misuse. However, these higher-security options are still little known among tax-payers.
Though with the default settings your account remains highly vulnerable (as explained in this article), a user can explicitly change the account settings for higher security. Here are the tips to safeguard your Income Tax account:
- Change login method to net-banking: This feature allows you to disable login to the website using the usual login/password; instead you log in through net-banking. To activate this, you need to have a net-banking account with a nationalized bank.
- Change login method to OTP using Aadhaar: You can also introduce an additional verification step via a One-Time Password (OTP) sent to the mobile number linked to your Aadhaar card. To activate this, your Income Tax account must be linked with your Aadhaar card, and your Aadhaar card must in turn be linked to your mobile number.
- Change password reset method to net-banking: Similar to login, you can restrict password reset to net-banking only.
- Change password reset method to OTP using Aadhaar: Similar to login, you can configure an additional verification step for password reset via a One-Time Password (OTP) sent to the mobile number linked to your Aadhaar card.
Since with the default settings your Income Tax account is vulnerable to hacking/misuse, you should immediately opt for the higher-security options/settings to make your account safe and secure.
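To make the design problem concrete, here is an added model (my own example, not code from the Income Tax site or from this article's author) of the default reset flow beside the net-banking and Aadhaar-OTP options described above: in the default flow only knowledge-based data is checked and the requester supplies the replacement contact details, so the result depends entirely on whether the owner clicks the cancel link within 12 hours, whereas the hardened flows demand a factor a stranger does not hold and leave the registered contact details untouched. All account values, the "bank account" proof and the method names are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional, Tuple
CANCEL_WINDOW = timedelta(hours=12)  # cancellation window quoted in the article

@dataclass
class Account:
    pan: str
    email: str
    mobile: str
    bank_account: str
    password: str
    reset_method: str = "details"  # site default; hardened options: "aadhaar_otp", "netbanking"
@dataclass
class ResetRequest:
    pan: str
    bank_account: str                    # one of the accepted "financial details"
    new_email: str                       # default flow lets the requester supply NEW contact details
    new_mobile: str
    new_password: str
    submitted_at: datetime
    otp_sent_to: Optional[str] = None    # mobile the OTP was delivered to (hardened flow)
    netbanking_login: bool = False       # requester authenticated via net-banking (hardened flow)
def process_reset(acct: Account, req: ResetRequest, now: datetime, cancelled: bool = False) -> Tuple[str, Account]:
    """Return (outcome, resulting account); outcome is rejected / pending / cancelled / processed."""
    if req.pan != acct.pan:
        return "rejected", acct
    if acct.reset_method == "details":
        # Default flow: knowledge-based data only, then a 12-hour cancel link sent to the OLD email.
        if req.bank_account != acct.bank_account:
            return "rejected", acct
        if cancelled:
            return "cancelled", acct
        if now - req.submitted_at < CANCEL_WINDOW:
            return "pending", acct
        return "processed", replace(acct, email=req.new_email, mobile=req.new_mobile, password=req.new_password)
    # Hardened flows: a possession factor is mandatory and contact details never change during reset.
    ok = (acct.reset_method == "aadhaar_otp" and req.otp_sent_to == acct.mobile) or \
         (acct.reset_method == "netbanking" and req.netbanking_login)
    return ("processed", replace(acct, password=req.new_password)) if ok else ("rejected", acct)

def stranger_outcome(reset_method: str, owner_cancels: bool, hours_later: int = 72) -> Tuple[str, str]:
    """Outcome and resulting email when someone knowing only PAN + bank account requests a reset
    (all identifiers below are constructed sample values, not real ones)."""
    owner = Account("AAAAA0000A", "owner@example.com", "+91-9000000000", "000123456789", "old-pw", reset_method)
    t0 = datetime(2016, 4, 1, 9, 0)
    req = ResetRequest(owner.pan, owner.bank_account, "stranger@example.com", "+91-8000000000", "new-pw", t0)
    outcome, after = process_reset(owner, req, t0 + timedelta(hours=hours_later), cancelled=owner_cancels)
    return outcome, after.email
```

With the default method the stranger's request is merely "pending" for 12 hours and then "processed", moving the account to the stranger's email; with either hardened method the same request is rejected outright.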
Reviewed by Sourabh Soni on Saturday, May 07, 2016