
Tuesday, July 19, 2011

Is Income Tax Of India Vulnerable!!!!!

This is scary. If I know a little about you, I can hack into your Income Tax account. What is scarier is that this process doesn't even require the skills of a hacker.

Here's how I hacked into a friend's account (with her permission, of course):

On the incometaxindiaefiling.gov.in home page, I went to the log-in page and then clicked on the 'Forgot Password' link. There I entered her PAN (Permanent Account Number), which she hadn't provided to me. Since a PAN is not confidential, it wasn't very difficult for me to find it mentioned in a document I had access to.

The next hurdle was to guess her secret question and the answer to it. There were four options to choose from: What is your pet name; What is your mother's maiden name; What is your first school name; and What is your favourite time pass. It took me four tries to crack it, and I found the answer in one of her online profiles. There also doesn't seem to be any limit on the number of retries, and the website let me reset her password then and there.

How Income Tax accounts can be hacked

Unauthorised access to your account can also happen if someone has access to your e-filing acknowledgement number from any previous e-filing.

Now I had access to all her tax information and other details, and I could also lock her out of her account, as I could change the email ID and phone number and also reset the secret question.

This is a serious security lapse on the part of the Directorate of Income Tax (Systems), which operates the website, and it potentially puts the tax information of millions of Indian taxpayers at risk.

What the Income Tax Department should have done

A standard practice on better-run websites is a multi-tiered check for password recovery. When a user wants to recover his password, he should be asked to enter his PAN and answer the secret question. Then a password recovery link is sent to the registered email ID, and a code is sent as a text message to the registered mobile number.

The user then clicks the link in his email and, on the page that opens, enters the code from the text message to recover or reset his password. This ensures that to get into the account an attacker would need access to the user's phone as well as his email, which in most circumstances is unlikely. There should also be an option for the user to set his own question instead of the standard four that the website offers.
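The recovery flow just described (PAN and secret answer first, then a link to the registered email and a code to the registered mobile), together with the retry limit the site lacked, as an added example in Python. This is not code from the original post or from the e-filing site; the class names, the five-attempt lock-out, the 15-minute expiry and the example.invalid URL are assumptions chosen for illustration.

```python
"""Two-channel password recovery with a retry limit.
Added example, not code from the post or the e-filing site; the names,
the five-attempt lock-out and the 15-minute expiry are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ANSWER_ATTEMPTS = 5       # assumption: lock recovery after five wrong answers
TOKEN_TTL_SECONDS = 15 * 60   # assumption: link and SMS code expire after 15 minutes


def _normalise(answer: str) -> str:
    # "Blue  Thunder " and "blue thunder" should match; passwords are NOT normalised.
    return " ".join(answer.strip().lower().split())


def _hash(value: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table does not reveal answers or passwords.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


@dataclass
class Account:
    pan: str
    email: str
    mobile: str
    question: str            # user-supplied, not one of four fixed options
    answer_salt: bytes
    answer_hash: bytes
    password_salt: bytes
    password_hash: bytes
    failed_answers: int = 0
    locked: bool = False


@dataclass
class PendingReset:
    pan: str
    sms_code: str
    expires_at: float
    used: bool = False


class PasswordRecovery:
    def __init__(self):
        self.accounts = {}   # PAN -> Account
        self.pending = {}    # e-mail token -> PendingReset
        self.outbox = []     # (channel, destination, body) for messages "sent"

    def register(self, pan, email, mobile, question, answer, password):
        a_salt, p_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.accounts[pan] = Account(pan, email, mobile, question,
                                     a_salt, _hash(_normalise(answer), a_salt),
                                     p_salt, _hash(password, p_salt))

    def check_password(self, pan, password):
        acct = self.accounts[pan]
        return hmac.compare_digest(_hash(password, acct.password_salt), acct.password_hash)

    def begin(self, pan, answer):
        """Step 1: PAN plus secret answer. The PAN alone is public knowledge,
        so it must never be enough, and wrong answers are counted."""
        acct = self.accounts.get(pan)
        if acct is None or acct.locked:
            return False   # identical response for unknown PAN and locked account
        if not hmac.compare_digest(_hash(_normalise(answer), acct.answer_salt), acct.answer_hash):
            acct.failed_answers += 1
            if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
                acct.locked = True   # further recovery needs out-of-band verification
            return False
        acct.failed_answers = 0
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = PendingReset(pan, code, time.time() + TOKEN_TTL_SECONDS)
        # Two independent channels: link to the registered e-mail, code to the registered mobile.
        self.outbox.append(("email", acct.email, f"https://example.invalid/reset?token={token}"))
        self.outbox.append(("sms", acct.mobile, f"Your reset code is {code}"))
        return True

    def complete(self, token, sms_code, new_password, now=None):
        """Step 2: the e-mail token and the SMS code must both match, once, before expiry."""
        now = time.time() if now is None else now
        pr = self.pending.get(token)
        if pr is None or pr.used or now > pr.expires_at:
            return False
        if not hmac.compare_digest(pr.sms_code, sms_code):
            return False
        pr.used = True           # single use: a replayed link does nothing
        acct = self.accounts[pr.pan]
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new_password, acct.password_salt)
        self.outbox.append(("email", acct.email, "Your password was changed"))
        return True
```

The two things that defeat the attack in the post are visible in `begin` and `complete`: a correct PAN and secret answer only start the process, and finishing it needs a token that went to the registered email plus a code that went to the registered mobile, each of which expires and works once. The attempt counter closes the unlimited-retry gap, and the notification email at the end is the part the site already did.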

What the Income Tax Department did partially right

As soon as a request for a password change is processed, the Income Tax Department sends an email to the registered email ID notifying the user that his password has been changed. This at least keeps users informed about what has happened, but it doesn't prevent the unauthorised access. To regain access to his account, the user has to send an email to ask@incometaxindia.gov.in. This, I believe, is a long-drawn-out process.

What you as a user should do immediately

While the Income Tax Department fixes this flaw (I am informing them about this), you should log in to your incometaxindiaefiling.gov.in account and then, from the 'My Account' link in the top navigation, go to 'Update Secret Question/Answer' and choose a question with an answer that no one but you will be able to give.

Don't worry if your answer isn't the actual answer to your question, but make sure you remember it. Knowing the level of security that our government agencies have in place to protect your personal data, also keep your fingers crossed.


Source:
http://ibnlive.in.com/blogs/soumyadipchoudhury/2805/62540/blog-how-i-can-hack-into-your-income-tax-account.html

Tuesday, July 12, 2011

Are you safe on the Web?

Morganton, NC --

Hackers recently took down Sony’s PlayStation network and forced a security breach at Citigroup. These incidents aren’t isolated. The Identity Theft Resource Center reports that as of last month there have been 216 security breaches this year.

But computer and Internet users shouldn’t be turned off about using the web to purchase or manage their finances, local computer experts said.

They say you can take reasonable steps to keep yourself and your personal information safe.

“Don’t be paranoid,” said Ronnie Harmon, president of Burke Onsite Computer Solutions, “but be suspicious.”

“There is no program or device in existence that is going to protect a computer from anything and everything all the time,” Harmon said. “The best way to protect yourself and your computer is to use plain common sense and be mindful of what you’re doing.”

He advises people to think reasonably about the risks involved. It is unlikely that hackers would target individuals, Harmon said. In the last 10 years, he’s only seen one company in Burke County get hacked.

However, with the increasing popularity of applications on social networking sites, such as Flash games, hackers have a new avenue for spreading viruses.

Richard Jones, owner of Discerner Computers, said web users should make sure they have an up-to-date firewall, operating system and web browser.

Most operating systems come with an embedded firewall, but sometimes programs disable the firewall without the user’s knowledge, Harmon said, so users should periodically check the firewall settings.

Third-party firewall applications also are available commercially, Jones and Harmon pointed out, and some could provide additional protection.

Jones said that if your computer’s operating system is five or more years old, it’s probably more likely to succumb to hackers’ tricks because of the number of vulnerabilities exposed over the years. But keeping current with updates will help.

Harmon said installing an antivirus program is useful, too, but no existing program will completely protect someone from all computer viruses or malicious software. The problem is that the people writing antivirus definitions can’t keep up with the people writing viruses, he said. This is a case where less is more, Harmon added. He said a computer only needs one antivirus program, not two.

When using a wireless connection, make sure the wireless device is using WPA (Wi-Fi Protected Access) security, Harmon said. WEP (Wired Equivalent Privacy) security has been compromised and is not recommended.

Perhaps the simplest thing to do is to turn off your computer when you won’t be using it for an extended amount of time, Harmon said. Most users have a broadband connection, which stays connected even if you’re not actively using the Internet.

When you’re online, there are a few simple things you can do, too.

Jones said you should make sure the status bar of the web browser is visible. Watch that the status and address bars match to ensure you’re going to the correct website.

When you’re in a secured area, check the web address for “https,” Jones said. That additional “s” indicates the hypertext transfer protocol (http) is secured with an SSL certificate. Harmon said securing a site isn’t free, and some sites don’t invest in running on secure servers.

Make sure you always sign out when using online banking or secure sites that require a user name and password, Harmon said. You should change passwords periodically, too. And avoid doing personal banking or sensitive data transfers at public wireless access points.

As for email and Internet shopping, Harmon said users should only open emails from trusted senders and use shopping sites that you know are secure. One easy way to tell is by looking for a locked padlock in the right hand corner of the address bar, Harmon said.

Users shouldn’t buy from pop-up ads or use email links to get to a shopping site, Harmon said. He recommends entering the shopping site manually into the browser. Phishing is a common hacker tactic via email that tricks users into giving personal information to a non-trustworthy source, he explained. It usually involves scare tactics that lead users to a fake Internet site that looks like a trusted popular site.
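The two checks Jones and Harmon describe (does a link's real destination match what it appears to be, and is the site using https) can be applied to an email's links before anyone clicks. The Python below is an added example, not code from the article or from either shop it quotes; the sample message is constructed, and the heuristics (visible text naming one host while the href goes to another, a bare IP address as the host, a non-https link) are assumptions chosen for illustration, not an exhaustive phishing test.

```python
"""Flag links in an HTML e-mail whose destination does not match what they show.
Added example, not code from the article; the sample message and the
heuristics below are constructed for illustration."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Accept "www.bank.example" as well as full URLs; always return a lowercase hostname.
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_body):
    """Return a list of (href, reason) for links a reader should not follow from the mail.
    The link text a user sees is compared with where the href actually goes, which is the
    same comparison as watching the status bar against the address bar in a browser."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        scheme = urlparse(href).scheme.lower()
        if scheme and scheme != "https":
            findings.append((href, f"not https ({scheme})"))
        if _is_ip(host):
            findings.append((href, "host is a bare IP address"))
        if _looks_like_url(text) and _host(text) != host:
            findings.append((href, f"text shows {_host(text)} but link goes to {host}"))
    return findings


# Constructed sample message (not a real e-mail): one benign link, three suspicious ones.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours unless you verify it.</p>
<a href="https://www.mybank.example/">Read our newsletter</a>
<a href="http://www.mybank.example.login-verify.test/">https://www.mybank.example/login</a>
<a href="http://203.0.113.10/verify">Verify now</a>
<a href="https://secure-update.test/">www.mybank.example</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

The second sample link is the classic case from the article: the text reads like the bank's login page, the real host merely begins with the bank's name, and the page is plain http. The newsletter link produces no finding, which is the point of comparing text against destination rather than flagging every link.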

What about downloading music? Harmon said his business does not recommend peer-to-peer file sharing because 75 percent of files contain viruses.

Aaron Goossens, a Burke Onsite shop technician, said the most common problems he sees are Facebook gaming issues, along with viruses from large websites like Yahoo or MSN.

Be sure to check the privacy policy on any site that asks you for personal information, Harmon said. Will the site sell your email address? And check your security settings often.

Never post anything to a social networking site that “you wouldn’t put on a billboard on the road,” Harmon said. “It’s your reputation online.”

In particular, that means don’t post personal information like your birthdate, Social Security number or, Harmon noted, when you’ll be going out of town.

Using an Internet filter is a good option; it’s easy to set up and it adds a layer of protection, Harmon said. A filter can be used to block types of websites such as gambling or social networks. It is a popular option for schools and offices.

Jones said that if you’re confused about what programs to use, call a local computer store and ask the employees what antivirus, firewall and security software programs they use.


http://www2.morganton.com/news/2011/jul/11/are-you-safe-web-ar-1198677/