FBR tax profiling system is not foolproof and people are sharing their concerns
Despite the claim of FBR’s Chairman that the online tax portal for around 53 million citizens is secure, some users have confirmed that the website’s registration process is far too simple: one can easily get into someone’s account provided one knows that person’s basic biodata.
We have personally checked the registration process for a particular CNIC which you can see below step by step. Step 1 involves entering your CNIC and clearing the CAPTCHA code:
Step 2 is again fairly simple, asking for an email address and a mobile number to associate with your profile on the website:
Step 3 involves verification which can be done through email or mobile:
So far the process is fairly plain: anyone who knows your CNIC can basically create your account. To make things a “little” trickier, the next step asks some personal questions:
Technically speaking, my cousins could create my account, as even they would know the answers to the questions listed above. Once the answers are accepted, the registrant’s account is successfully created and they are required to pay the Rs. 500 fee, which is charged every time you want to view your tax information online. Currently, the portal offers only 2 payment methods: Debit/Credit card or e-sahulat.
The Twitter user below registered on the website without providing a phone number registered in his name, after answering the same simple questions regarding his family:
Just checked it out. Security is too weak. Should require payment by a card in the name of the payer – as email verification possible if mobile not in taxpayer name. Just got my data without giving a phone number registered in my name and answering simple questions about fam.
— Assad Ahmad (@assadahmad) June 21, 2019
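The weakness in the steps above, modeled as an added example (not the portal's code): the verified contact is one the registrant chose, so the check proves control of some mailbox or phone rather than of the taxpayer's own. The registry record, field names and function names are hypothetical, and the data is constructed.

```python
"""Constructed model of a CNIC-keyed sign-up. All names and data are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryRecord:
    mobile_on_file: str    # number registered in the citizen's own name
    family_answers: dict   # question -> answer, known to any close relative


# Constructed sample record, not real data.
REGISTRY = {
    "00000-0000000-0": RegistryRecord(
        mobile_on_file="+920000000001",
        family_answers={"father_name": "A", "sibling_count": "3"},
    )
}


def _family_questions_ok(rec, answers):
    return all(answers.get(q) == a for q, a in rec.family_answers.items())


def weak_register(cnic, contact, contact_verified, answers):
    """Flow as the article describes it: any contact the registrant supplies
    can be verified, then family questions are asked."""
    rec = REGISTRY.get(cnic)
    return bool(rec and contact_verified and _family_questions_ok(rec, answers))


def bound_register(cnic, contact, contact_verified, answers):
    """Hardened variant: verification counts only if it reached the number
    already registered in the citizen's name."""
    rec = REGISTRY.get(cnic)
    if not rec or not contact_verified:
        return False
    if contact != rec.mobile_on_file:
        return False  # proves control of *a* contact, not the citizen's
    return _family_questions_ok(rec, answers)


def demo():
    cnic = "00000-0000000-0"
    answers = {"father_name": "A", "sibling_count": "3"}  # a relative knows these
    relative = (cnic, "relative@example.test", True, answers)
    owner = (cnic, "+920000000001", True, answers)
    return {
        "weak_relative": weak_register(*relative),
        "bound_relative": bound_register(*relative),
        "bound_owner": bound_register(*owner),
    }
```

In the bound variant the family questions add little on their own; the decision rests on the contact that was already tied to the CNIC before sign-up began.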
Can citizens’ data be placed on online portals?
Someone has also raised the question on Twitter of whether citizens’ personal info can be placed on online portals like this. We are not talking about car registrations and the like anymore; the data pertains to the personal assets of each individual, and with such a basic level of security, citizens’ data can be easily compromised. The question arises whether this move was approved by the Senate or Parliament as a whole, because sharing such information requires the consent of the person involved:
As a citizen I can only be concerned by such measures. Your right of information intervenes with my right to Privacy. Also who allowed this or rather is it approved or ratified by Parliament or senate? The state monitors social media accounts, now my financial history, what next?
— Apocryphal.92 (@92Apocryphal) June 21, 2019
Various security breaches have occurred in the West and throughout the world due to a lack of regard for user privacy, and when we are talking about interfacing between two servers holding such crucial info, there should be no compromise on security standards at all.
Interface is just too basic and doesn’t look trustworthy
The interface of the website doesn’t look appealing at all and makes users question the integrity of the website. Many people have declined to enter their Debit/Credit card details for this very reason, as the website feels really insecure. One person has mentioned that the website has been hacked in the past:
I completed all the steps but I couldn’t take the risk of providing my card details to such an insecure site that has been hacked previously
— AAMIR (@Doctoraamir2) June 21, 2019
The website also lacks content and fails to explain the terms given in the FAQ section, leaving almost everything ambiguous.
The family tree questions can be answered by any sibling, uncle, aunt nephew etc who might also know your CNIC number.
+ no explanations in FAQs about categories/terms. What the hell is an executive service? Why is there no detail and just count? MRP? Deduce yourself!
— Awais Masood (@AwaisMasood) June 21, 2019
The portal in its current version poses a big risk to citizens’ data. Data retrieval spans two servers, the first at the FBR for tax information and the second at the NADRA database for the user’s personal bio data, and there is no telling whether the data transactions between them are encrypted or not. If they are not, any hacker would be able to compromise the personal info of tax filers easily. The Government should take down the website and reanalyze it thoroughly to make amendments. Otherwise, the data of 53 million people is out in the open.
What are your thoughts regarding the security of the newly launched tax portal? Do you think it is adequate?