Think twice before filing your income tax returns online, because the National Technical Research Organisation (NTRO) has warned that accessing individual I-T records was possible through Cross-Site Request Forgery (CSRF) attacks.

Through a letter dated January 17, NTRO alerted the Central Board of Direct Taxes that the income, tax and associated particulars of a tax payee that have been filed electronically could be hacked through PAN card numbers by accessing the latter using CSRF injection.

The letter from NTRO centre director S Bhaskar asks the CBDT to take remedial measures on the http://www.incometaxindiaefiling.gov.in website to keep the database of individuals private, confidential and secure.

Sources said that with access to the PAN card number, phone number and address, all that a hacker would need is the individual's date of birth to conduct financial transactions, from opening a bank account or a demat account to investing in a mutual fund. NTRO's finding defeats the CBDT's resistance to the Central Information Commission ruling on providing information on the income tax of an assessee. The CBDT has been denying information on grounds that it intrudes into the privacy of the individual. NTRO, a scientific investigative agency directly under the National Security Adviser, has also pointed out that the I-T department's website http://www.incometaxindia.gov.in stood vulnerable to malicious attacks through SQL and XSS injections.

Though it did not specify where the attacks could come from, NTRO officials said hacking could be used to crash the website. SQL or Structured Query Language injection is a technique used by a hacker to log in as an administrator and add his own SQL to the site to gain access to confidential information or to change or delete the data that keeps the attacked website running.