Wednesday, September 23, 2020

NDTV’s Nidhi Razdan says her IT account was ‘hacked’ and details changed, find out how secure your account is

Today, during one of my regular peeks at the Twitter timeline, I saw a couple of tweets from Nidhi Razdan which immediately caught my attention. In the twice-a-day outrage cycle of Twitter, I thought this series of tweets falls into the category of outrage-worthy tweets. ‘Allegedly’ (a favourite word of NDTV) her Income Tax account was hacked, all her details were changed by the hacker, and she did not get any notification about the change. Let’s look at the tweets in question.

In a follow-up tweet to another NDTV journalist, she alleges that her mobile number and security questions were changed. She also used the word ‘everything’ (which may include things like email, address, etc.).


I was totally intrigued by this series of tweets and thought it is quite dangerous if someone is able to hack into an account and change its details without being flagged. So the next thing I did was to go to the Income Tax India website (https://incometaxindiaefiling.gov.in/home) to see whether the above is true or possible. In the series of steps below I have tried to ascertain two things:

  • How easy is it to hack into someone’s account?
  • How easy is it to change basic contact details of someone’s account?

Let’s go step by step. Is it easy to hack into someone’s income tax account? The short answer is “YES”. During my investigation, I was startled to find that it is surprisingly easy to hack into someone’s account if you know two details of the person, namely his/her PAN and date of birth.

The above is the user login screen that is presented when you click on Login for registered users. The User ID here is the PAN. The user must enter three other fields to log in to the website: the password, the date of birth and the captcha code.

Let’s say the hacker gets hold of your PAN and knows your date of birth. He doesn’t know your password yet. Next, he will try to obtain the password of the account by clicking on the Forgot Password link. And this is where I think one of the biggest loopholes of the income tax website exists. Let me explain how.

Once you click on Forgot Password, the following screen is presented.

In the above screen, the hacker enters the User ID, i.e. the PAN, and the captcha code, and clicks Continue. He is then presented with the screen below.

The Reset password screen gives 4 options for resetting the password.

  1. Answer Secret Question
  2. Upload DSC
  3. Using OTP
  4. Using Aadhaar OTP

Options 2, 3 and 4 are very secure because they use some form of 2-factor authentication. So unless the hacker has your mobile, it is very difficult to reset the password using these three methods. Now let us concentrate on the first option, i.e. Answer Secret Question. This is where the biggest loophole which I mentioned before lies. Once you select the Secret Question option and click Continue, you are presented with the following screen.

In the Reset Password with Secret Question screen, the hacker has the following fields to enter.

UserID: He already knows this; otherwise he wouldn’t have reached this screen.

Date of Birth: Assumed to be known.

Secret Question: Here in the drop-down there are two questions, one primary and one secondary. The hacker needs to guess the answer to one of them to successfully reset the person’s password.

As you can see from the above, some of the questions are fairly guessable. Let’s say you have selected “Which is your favourite sports person?” as the primary question. There could be five or six common names that one can think of. The biggest bug in this screen is that it allows multiple attempts to answer the question. Basically, the hacker can spend the entire night going name by name till he finds the right answer. No notification whatsoever is sent saying that the secret answer was attempted multiple times. After the hacker guesses the answer to the question he is presented with the Change Password screen. And voila, he can now change the password and log in to the account. Of course, the trial-and-error method is unreliable and not guaranteed to work. In fact, it may even be considered improbable that this method would work, but a small chance does exist.

The Income-tax authority should immediately change the logic of this Change Password flow. Either remove the secret question route entirely and keep only the secure OTP options, or put a restriction on the number of attempts one can have while entering the secret answer. If multiple wrong attempts are made, lock the account and send a red-flag email to the registered email address.
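The attempt limit and red-flag email proposed above, as an added example that is not the portal’s own code. It assumes a hypothetical limit of five attempts (the article asks for a limit without naming one), a hypothetical `notify(email, message)` mail hook, and a constructed placeholder PAN.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed policy value; the article asks for a limit without naming one


@dataclass
class Account:
    pan: str            # the portal's user ID is the PAN
    dob: str            # date of birth, also entered on the reset screen
    email: str          # registered email address that receives the red-flag mail
    answer_hash: bytes  # salted PBKDF2 hash of the secret answer, never the plain text
    salt: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and spacing so "Sachin Tendulkar" and " sachin  TENDULKAR" match.
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


def make_account(pan: str, dob: str, email: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(pan, dob, email, hash_answer(answer, salt), salt)


def reset_via_secret_question(acct: Account, pan: str, dob: str, answer: str, notify) -> bool:
    """Return True only when the reset may proceed to the Change Password screen.

    notify(email, message) is a hypothetical mail hook. Every wrong answer is counted;
    reaching MAX_ATTEMPTS locks the account and alerts the registered email, which is
    the behaviour the article asks the portal to add.
    """
    if acct.locked or pan != acct.pan or dob != acct.dob:
        return False
    if hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
        acct.failed_attempts = 0
        notify(acct.email, "Your password was reset using your secret question.")
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
        notify(acct.email, "Account locked: too many wrong secret-answer attempts.")
    return False
```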

So we agree with the first part of Nidhi’s tweet: it is actually easy to hack into someone’s account provided the hacker knows some basic details and does some guesswork with the secret answer.

Now let’s come to the second question: how easy is it to change the basic contact details of someone’s account?

Let’s say the hacker, once he has the login information, now wants to change the basic profile information like mobile and email.

In the Profile Settings, there are four tabs:

  1. PAN details: Uneditable page displaying the PAN of the assessee
  2. Address: Gives the address details stored on the account. Bear in mind that this address is different from the address stored in the PAN database
  3. Contact Details: The only editable section of the My Profile page
  4. Aadhaar details: Again an uneditable page mentioning whether the Aadhaar is linked or not

Let’s concentrate on the Contact details page. Now let us say the hacker wants to change the primary mobile and primary email ID. This is what Nidhi asserted in her reply to Srinivasan Jain.

If one changes the mobile number and/or the email ID, the following screen is displayed.

An OTP is sent to the mobile and to the email ID, and only when both OTPs are entered do the profile changes take effect. This is a very secure way of ensuring that profile updates are not made without 2-factor authentication coming into play.

So the first part of Nidhi’s reply, that her mobile number was changed, is simply not possible in real life unless the hacker has access to both her mobile and her email account.

Now the second part: the security questions being changed. These can be changed without any additional second factor such as an OTP. But changing them is pointless, as the hacker would have entered the account using this very method. A notification email does arrive at your registered email address saying that the secret questions have been changed.

The hacker can also update the address in the Address tab without any OTP-based authentication, although it is to be noted that this address is different from the PAN database address. I am not sure for what purpose this address is used.

So, in summary, we have learnt the following thanks to Nidhi Razdan:

  1. It is easy to hack into someone’s account provided the hacker knows the PAN and the DOB of the person. The hacker then must guess the answer to a simple question. The absence of any restriction on the number of attempts is probably a very big flaw in the system. Either remove the secret question workflow for resetting the password or introduce additional security measures to make it difficult to hack via this route.
  2. It is not possible to change the basic contact details without entering the mobile and email OTPs. This part of the profile update is very secure. One suggestion to the Income-tax team is that they also introduce OTP-based authentication for address and secret question updates.
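The dual-OTP gate the article observed on the Contact Details page, extended to address and secret-question updates as point 2 suggests; this is an added example, not the portal’s own code. It assumes the OTPs go to the currently registered mobile and email (the reading the article relies on), a hypothetical validity window and attempt cap, and `send_sms`/`send_mail` as placeholder delivery hooks.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 600   # assumed validity window; the article does not state one
MAX_OTP_ATTEMPTS = 3    # assumed cap on wrong OTP entries per staged change


@dataclass
class Profile:
    mobile: str
    email: str
    address: str
    secret_questions: dict

@dataclass
class PendingChange:
    attr: str           # "mobile", "email", "address" or "secret_questions"
    new_value: object
    mobile_otp: str
    email_otp: str
    created: float
    attempts: int = 0

def _otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"

def request_change(profile: Profile, attr: str, new_value, send_sms, send_mail) -> PendingChange:
    """Stage an edit; nothing on the profile changes yet. Both OTPs go to the *currently
    registered* contacts, so a stolen login alone cannot confirm a new one (hooks are hypothetical)."""
    pending = PendingChange(attr, new_value, _otp(), _otp(), time.monotonic())
    send_sms(profile.mobile, pending.mobile_otp)
    send_mail(profile.email, pending.email_otp)
    return pending

def confirm_change(profile: Profile, pending: PendingChange, mobile_otp: str, email_otp: str) -> bool:
    """Apply the staged edit only if both OTPs match within the TTL and attempt cap."""
    if pending.attempts >= MAX_OTP_ATTEMPTS or time.monotonic() - pending.created > OTP_TTL_SECONDS:
        return False
    pending.attempts += 1
    # '&' rather than 'and': both comparisons always run, so one channel never short-circuits the other
    both_ok = hmac.compare_digest(mobile_otp, pending.mobile_otp) & hmac.compare_digest(email_otp, pending.email_otp)
    if not both_ok:
        return False
    setattr(profile, pending.attr, pending.new_value)
    return True
```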


Amit Kelkar
A Pune-based IT professional with a keen interest in politics
