Safeguard Your Income Tax E-filing Account Today

Disclaimer: The author of this article is neither an information-security expert nor a hacker, just an honest tax-payer in India whose Income Tax E-filing account was compromised by a hacker some time back. In this article the author makes critical observations and highlights a design flaw in the Income Tax E-Filing (India) website. Furthermore, the author explains how recently introduced features can help you safeguard your account. Through this article the author intends to improve awareness among Indian tax-payers about this vulnerability "by design" and about safeguarding their individual accounts on the Income Tax E-filing website.

Your Account is Unsafe!

Since you are reading this article, I assume you are a tax-payer to the Income Tax Department, India, and that you already have an online account on the tax-filing site. Like every other tax-payer, you are probably under the impression that your account is safe and secure. There is no reason to doubt it: from your side, you have created a profile on the Income Tax E-filing site, set a "strong" password yourself, registered a personal email id that only you access, and set your mobile phone number on the site. However, to your worst nightmare, you might be wrong. Your account might still be vulnerable.

Let me Explain..


Like any other website on the internet, the Income Tax E-filing site allows its users to reset the password in case they have forgotten it. However, the password-reset functionality of the Income Tax E-filing site allows something very peculiar, and this makes the account easily hackable. Shockingly, the site allows the user to completely change critical information such as the registered email id and mobile phone number at the time of the password reset. It essentially means that a totally new set of user details can be entered into the system at the time of password recovery. Now imagine it is someone else who is trying to change the password of your account (basically hacking it): s/he needs very little data to acquire your account. The implication is that anyone with a few of your financial details can hack your account and lock you out of it. More shockingly, this is the well-documented procedure for changing the password (along with email id and phone number) on the Income Tax site. This is a major security lapse in your Income Tax Account.

How to Change Email, Mobile Number and Other Details without the Password (Basically, "Hack" the Account)?

Firstly, you can go through the "Reset Password" user manual published on the Income Tax E-Filing site and gather the list of data you will require to change the password. Page no. 4 clearly defines the steps to change the password along with entering a "New Email ID and Mobile Number". You might be wondering by now WHY engineers at the Income Tax Department would design a procedure that compromises the security of your account, but in reality that's how it is. In the real world, your Income Tax E-Filing account is left at the mercy of hackers.


Following is the check-list of data that you will require to change the password of the account:
  1. Permanent Account Number (PAN)
  2. Email id
  3. Phone number
  4. Only one of the following financial details associated with the PAN:
    • Bank Account Number
    • TAN and TDS amount for a recent assessment year. The TAN can again be searched on the same website if you know the name of the employer.
    • Challan Identification Number (CIN)
After gathering the above details, just follow the few simple steps described in the said user manual (the same is also depicted in the image). After you enter all the details and complete the procedure, the website gives a confirmation on the screen and triggers an email to your New Email ID (in the "To" list) and Old Email ID (in the "CC" list), as below:



The email notification will come to you with a hyperlink to cancel the password-change request within the next 12 hours. Further, it clearly warns that "In case the request has not been cancelled within 12 hours the request for Reset Password will be processed." [I am still wondering what is so sacrosanct about "12 hours."]

So, What Are the Odds for You?

In a scenario where you have forgotten not only your password but also your email id and your mobile phone number, the procedure described above can really help you out. [I don't know how many people can "genuinely" forget all three.] However, the very same procedure can be followed by someone else to hack your account and steal your documents for misuse. Let us examine how easy it is for hackers/criminals to gather your data in today's digitized India.
  1. Travel Visa: If you have ever applied for a travel visa to any country, it is very likely that you have shared details like Form 26AS, Form-16 or payslips (including TDS details) and bank account statements for the last one to three years with the travel agency.
  2. Loan (home, personal, vehicle or any other): Again, if you have ever taken any kind of loan, your payslips and/or other income proof were required to check your capacity to repay the loan.
  3. Credit Card etc.: Any kind of financial product, e.g. a credit card or insurance policy, requires details about your income, and the income-proof data typically contains your TDS details as well.
  4. The list can be even bigger: it includes every instance where you have submitted your payslips.
The point is very simple: all the data that the Income Tax website uses to authenticate the user while resetting the password and setting a new email id and phone number is already available to multiple third parties. The website FAILS to ask for even a "single" data point that ONLY the authentic user could provide. The website is simply betting on data that passes through multiple hands and so can potentially be misused. At least in today's digitized India, the tax-payer really does not have any control over that data yet. Most shockingly, using this faulty authentication scheme, the Income Tax website can innocently hand over control of your account to someone else.
You might be thinking by now that the above-mentioned "12-hour" cancellation window can save your account. Yes, it can help you, but only if you were lucky enough to check your email within those 12 hours. [In my case, I checked the emails after 3-4 days and by then my account was already compromised.]

 

What to Do If Your Account is Compromised?

Firstly, you should try to recover your account yourself using "Reset Password". Try out all the available procedures for resetting the password. If you are lucky enough, your account will be recovered using one of these (and without waiting 12 hours).

Other than recovering the account, you must also report the matter to both the Cyber Crime Police and the Income Tax Department. You might think that it will be easy to catch the hacker, as the system logs of the web server should hold every trace of the hacking incident. However, the ground reality is different: your struggle to get your account back and to put the hacker behind bars has just begun. Below are a few awkward remarks and technical reasons that I received from representatives of the department:
  • "All the transactions are carried out following the proper procedures."
  • "The applicant is required to produce the original for verification. ..... appear before the undersigned and establish his identity..." Basically, travel to the Bangalore office to pursue the case further.
  • "Why do you want to file a complaint if there is no money kept in or stolen from that account?"
In case you could not recover the account yourself, irrespective of the practical challenges, the only way for you is to strongly pursue your case with the Cyber Crime Police. Only they can help you get your account back.

 

How to Safeguard Your Account?

I burnt my hands with such a hacking incident that happened to my account. I was lucky enough to recover my account from the hacker. Very recently, in April 2016, the Income Tax Department introduced higher-security options to address this kind of misuse. However, the higher-security options are still little known among tax-payers.


Though with the default settings your account remains highly vulnerable (as explained in this article), a user can explicitly change the account settings for higher security. Here are the tips to safeguard your Income Tax Account:

  • Change login method to net-banking: This option restricts the usual login with username/password; instead you log in through net-banking. To activate it, you need a net-banking account with any nationalized bank.
  • Change login method to OTP using Aadhaar: You can also introduce an additional verification step via a One-Time Password (OTP) sent to the mobile number linked to your Aadhaar card. To activate it, your Income Tax account must be linked to your Aadhaar card, and your Aadhaar card must in turn be linked to your mobile number.
  • Change password reset method to net-banking: Similar to login, you can restrict the password reset to net-banking only.
  • Change password reset method to OTP using Aadhaar: Similar to login, you can configure an additional verification step for password reset via a One-Time Password (OTP) on the mobile number linked to your Aadhaar card.
Until April 2016 there was no practical way to safeguard your account against such hacking attempts; you could only hope to avoid misuse by checking your email more frequently, i.e. in less than 12 hours. It is great that the Income Tax Department has finally introduced such higher-security options to tax-payers. Check out the user manual on the higher-security option on the Income Tax website.
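To make the difference between the default reset procedure and the higher-security options concrete, here is an added Python model written for this article; it is my own illustration, not the e-filing site's code, and the Account and ResetRequest fields, the policy names "knowledge", "otp_aadhaar" and "net_banking", and every sample value (PAN, emails, mobile numbers, bank account, timestamps) are constructed assumptions. It models the procedure from the section on changing email and mobile number without the password, the 12-hour cancellation window from "So, What Are the Odds for You?", and the reset-method settings listed above, and shows why the possession check in the hardened methods is made against the contact details already linked to the account rather than against the ones supplied in the request.

```python
# Added illustration of a password-reset policy with a 12-hour cancellation window.
# Account, ResetRequest, the policy names and all sample values are assumptions
# for this example, not the e-filing site's real code or data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CANCEL_WINDOW = timedelta(hours=12)  # the "12 hours" quoted in the notification email


@dataclass
class Account:
    pan: str
    email: str
    mobile: str
    bank_accounts: set
    # "knowledge" = default (PAN + one financial detail, new contact details accepted);
    # "otp_aadhaar" / "net_banking" = the higher-security options
    reset_method: str = "knowledge"
    aadhaar_mobile: Optional[str] = None


@dataclass
class ResetRequest:
    pan: str
    new_email: str
    new_mobile: str
    bank_account: Optional[str] = None
    otp_received_on: Optional[str] = None  # number that actually received the OTP
    net_banking_verified: bool = False


@dataclass
class PendingReset:
    request: ResetRequest
    notified: set  # addresses that got the warning mail (To: new, CC: old)
    expires_at: datetime
    cancelled: bool = False


def submit_reset(account: Account, req: ResetRequest, now: datetime):
    """Return ("rejected", reason) or ("pending", PendingReset)."""
    if req.pan != account.pan:
        return "rejected", "PAN mismatch"
    if account.reset_method == "knowledge":
        # Default design: a financial detail that third parties may hold is the
        # only proof of identity; the requester also picks the new contacts.
        if req.bank_account not in account.bank_accounts:
            return "rejected", "financial detail mismatch"
    elif account.reset_method == "otp_aadhaar":
        # Possession check against the mobile already linked to the account,
        # never against the number supplied in the request.
        if req.otp_received_on != account.aadhaar_mobile:
            return "rejected", "OTP not verified on linked Aadhaar mobile"
    elif not req.net_banking_verified:  # "net_banking"
        return "rejected", "net-banking authentication required"
    return "pending", PendingReset(req, {req.new_email, account.email}, now + CANCEL_WINDOW)


def cancel_reset(pending: PendingReset, now: datetime) -> bool:
    """Cancellation link from the email; only honoured inside the window."""
    if pending.cancelled or now >= pending.expires_at:
        return False
    pending.cancelled = True
    return True


def process_pending(account: Account, pending: PendingReset, now: datetime) -> str:
    """Scheduler step: apply the request once the window has elapsed uncancelled."""
    if pending.cancelled:
        return "cancelled"
    if now < pending.expires_at:
        return "pending"
    account.email, account.mobile = pending.request.new_email, pending.request.new_mobile
    return "applied"


def run_scenarios() -> dict:
    """Walk through the page's situations with constructed sample data."""
    t0 = datetime(2016, 5, 7, 9, 0)
    # Request carrying only data a third party could hold (no OTP, no net-banking).
    req = ResetRequest("ABCDE1234F", "other@example.com", "9200000000", bank_account="000111222")
    results = {}

    # 1. Default settings; the owner reads the warning email three days later.
    acct = Account("ABCDE1234F", "owner@example.com", "9100000000", {"000111222"})
    status, pending = submit_reset(acct, req, t0)
    results["default_accepted"] = status == "pending"
    results["old_email_warned"] = "owner@example.com" in pending.notified
    results["late_cancel"] = cancel_reset(pending, t0 + timedelta(days=3))
    results["default_outcome"] = process_pending(acct, pending, t0 + timedelta(days=3))
    results["email_after"] = acct.email

    # 2. Default settings; the owner clicks the cancel link two hours after the email.
    acct2 = Account("ABCDE1234F", "owner@example.com", "9100000000", {"000111222"})
    _, pending2 = submit_reset(acct2, req, t0)
    cancel_reset(pending2, t0 + timedelta(hours=2))
    results["cancelled_outcome"] = process_pending(acct2, pending2, t0 + timedelta(hours=13))

    # 3. Same request against an account switched to Aadhaar OTP for password reset.
    acct3 = Account("ABCDE1234F", "owner@example.com", "9100000000", {"000111222"},
                    reset_method="otp_aadhaar", aadhaar_mobile="9100000000")
    results["hardened_outcome"] = submit_reset(acct3, req, t0)[0]
    return results
```

Running `run_scenarios()` shows the three outcomes side by side: with the default method the request is accepted, the old address is only CC'd on a warning, and once the window has passed the contact details are overwritten; an in-window cancellation stops it; with the Aadhaar OTP method the same request is rejected before any pending window exists, so the outcome no longer depends on how quickly the owner reads email. The model only reflects the behaviour described in this article, not the site's actual implementation.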

Since in the default settings the Income Tax account is vulnerable to hacking/misuse, you should immediately opt for the higher-security settings to make your account safe and secure.

Reviewed by Sourabh Soni on Saturday, May 07, 2016
