- Published: 25 August 2021
Citizen Services portal unsafe, could lead to theft of credentials, say IT experts; PMC IT official confident civic sites secure, says will rectify this ‘one mistake’
Cyberattacks on government agencies emphasise the vulnerability and risks attached to the highly sensitive information they store; what they highlight even more is how exposed and easily accessible our personal information and data are to criminals. In an alarming revelation, a city-based software professional, who accessed the Pune Municipal Corporation’s (PMC) Citizen Services portal — wherein citizens avail services after providing personal and valuable data — has marked it unsafe. The PMC’s massive data of citizens is a goldmine for hackers and a massive alarm for people, if breached. This verily reminds one of the ransomware attack on the Pimpri-Chinchwad Smart City Project a few months ago that led to the encrypting of all files and application systems of 27 servers, leading to a loss of Rs 5 crore.
It may be noted that the Citizen Services website offers a variety of services that provide marriage registration, death and birth certificates, among other crucial services.
Shrikrishna Kulkarni, the software professional who highlighted the issue through social media, told Mirror, “The problem with the website is it lacks hypertext transfer protocol secure (HTTPS). Users share crucial information — including documents — while using PMC’s Citizen Services. This data of citizens using the website to access services on offer is insecure and there are chances it could be breached by cyber criminals.”
HTTPS is an extension of the hypertext transfer protocol used for secure communication over a computer network. Data sent using HTTPS is secured via transport layer security which provides three key layers of protection — encryption, data integrity and authentication — protecting against man-in-the-middle attacks (MITM).
Cyber expert Sourajeet Majumder, who also visited the website, explained it thus: “There is a registration and login portal on the site (where users enter their login credentials), thus it is very important for Citizen Services site to use HTTPS. Since it is not using HTTPS currently, the communication between a user’s browser and the server is not encrypted — this can, therefore, be intercepted and tampered with by attackers. An attacker can carry out an MITM attack to steal user credentials entered on this particular website.”
According to PMC, there are almost 3,000 births and around the same number of deaths registered every month on an average. Citizens accessing death and birth certificates share user credentials and certificates as well. As per experts, death and birth certificates or marriage registration processes involve sharing of crucial information which can be misused to forge documents.
Majumder said the lack of HTTPS means the communication between users and the server is in plain text and can be easily viewed and read by hackers using the same network. This increases the chances of revealing a user’s IDs and passwords, too.
Experts have stressed that exposed usernames, IDs and passwords pose a higher threat. Managing director of Cyber Vault, a cyber expert company, Anil Raj said, “Once a user’s credentials are leaked, miscreants can access all other information from the Citizen Services website. Usually, social media and email host companies provide good security, but if your user credentials are revealed anyone may access the data. Also, around 60-70 percent of people commonly use the same credentials (login IDs and passwords) for various websites. Such behaviour makes citizens vulnerable to loss of data that may lead to other losses if their credentials are leaked.”
At present, the PMC’s IT department has less manpower — there are only seven officials against the 70. PMC officials have said that civic websites are usually developed and handled by a third party. Rahul Jagtap, IT head, PMC, said, “Most websites have SSL certification which means they have HTTPS. But if the Citizen Services website doesn’t have one, we will do it immediately.”
Author(s): Anup Satphale
Source: Pune Mirror, 18.08.2021