Indian Government Website for Farmers Exposes Data
Security Practitioners Say It Lacks Basic Encryption Tools
A ministry of agriculture website in India lacks basic security measures, risking exposing personal data on millions of farmers who use the site to obtain crop insurance, a security practitioner who uses the site has pointed out.
The website of Pradhan Mantri Fasal Bima Yojana, the Prime Minister Agriculture Credit Scheme, is served over plain hypertext transfer protocol (HTTP), so the personal details it collects from farmers, including name, age, bank account number, mobile number and Aadhaar number, travel in clear text. A website capturing citizen information should use HTTPS, where the communication channel is encrypted.
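A defender-side check that matches the complaint above, added here as an example and not taken from the article or the site: it parses a registration page and flags any form whose sensitive fields (the kinds listed above) would be submitted to a plain-HTTP endpoint. The page URL, the HTML and the field names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Name fragments treated as sensitive; deliberately broad substring matching (assumption).
SENSITIVE = ("aadhaar", "bank", "account", "mobile", "name", "age", "dob")


class FormAuditor(HTMLParser):
    """Collects each form's submit URL and the input names it contains."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of {"action": absolute url, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means the form posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or self.page_url)
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form whose sensitive fields would travel over cleartext HTTP."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        risky = [f for f in form["fields"] if any(s in f.lower() for s in SENSITIVE)]
        if scheme == "http" and risky:
            findings.append({"action": form["action"], "cleartext_fields": risky})
    return findings


# Constructed sample: the first form posts PII to a relative (therefore HTTP) endpoint,
# the second is a harmless search box that already submits over HTTPS.
SAMPLE_URL = "http://example.invalid/register"
SAMPLE_HTML = """<form action="/submit" method="post">
<input name="farmerName"><input name="age"><input name="aadhaarNumber">
<input name="bankAccountNo"><input name="mobileNo"><input type="submit"></form>
<form action="https://example.invalid/search"><input name="q"></form>"""
```

Running `audit_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the first form; serving the same page over HTTPS makes the relative action resolve to HTTPS and the finding disappears.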
Satish Kulkarni, a security practitioner with a leading IT firm who owns agricultural land, says he raised the issue last year with the government. He says he had written to CERT-In to bring up the matter, but no action has been taken until now. "I am not sure how we can have a safe digital India initiative with this attitude of the government," Kulkarni says.
Kulkarni says mail he sent to Dr. Sanjay Bahl, director general of CERT-In, last week, however, elicited a response. The response read: "Thank you for reporting this to CERT-In. For your information CERT In has contacted NIC - the hosting provider - to do the needful along with Ministry of Agriculture. A mail has also been sent to Ministry of Agriculture".
But even today the site is still running on plain HTTP.
Other security practitioners share Kulkarni's concerns about the slow pace of government action on security issues.
"We in India are very much accustomed to government apathy. Even after repeated reminders, the government decides not to make use of suggestions by the security community," says Dinesh O Bareja, COO at Open Security Alliance. "Therefore most of us have stopped reacting to such blunders by the government."
The ministry of agriculture did not immediately reply to Information Security Media Group's request for comment.
Farmers in India use the PMFBY website to obtain crop insurance. Farmers either enter the necessary data on their own or work with agents, who enter it on their behalf.
According to Census 2011, there are 118.8 million cultivators across the country. A report by the Hindustan Times, however, states the figure was about 263 million in 2014.
"I am not sure how such an important website is launched with insecure communication," Kulkarni says. "We keep talking about digital India, but such basic blunders on government websites give an impression of an insecure digital India."
All the information in the registration form is captured in clear text, so it is easily accessible to hackers looking for data, Kulkarni says.
"If the government, who is custodian of our data does not care, then who will care?" asks a forensic expert associated with the government, who asked not to be named.
Ironically, India is planning to come out with its own Data Protection Act, the first draft of which will be made public soon. "And here we are talking of a data protection act. This is a double standard on the part of the government," the forensic expert says.
Kulkarni says he and others also faced several other issues while filing the online form on the website. "Every time I was trying to fill up the form, the website would show an error. Furthermore, it shows I have paid my premium while I am yet to pay."
A common complaint among Indian security researchers is that there is little action or acknowledgement by the government when website vulnerabilities are being pointed out to them.
For instance, Kulkarni says that when he called CERT-In to notify it of the security issue, "the person at the help desk could not understand what I was talking about. When I asked him how do I escalate the matter, he was clueless. The person wanted me to provide the evidence. This, after I had mailed them the screen shots of the website. I don't understand what evidence they need to confirm if a website is http or https."
Bareja notes: "At times, it feels like the response department of government of India is just a national feel-good factor with no concrete action. It is obvious there is no particular officer assigned to the response department. However, at the same time, CERT-In wants us to be a community and share information."
A Call to Action
Earlier this year, multiple government websites were either defaced or faced security vulnerabilities.
Bharat Sanchar Nigam Limited, the state-run telecommunications company; India Post; the Indian Space Research Organization; and numerous portals were discovered to be exposing Aadhaar details of Indian citizens. Even the Supreme Court of India website was defaced in March this year.
Some security experts suggest the government needs to take a number of steps, including:
- Mandate cybersecurity awareness programs for all government employees;
- Conduct regular security and phishing drills;
- Do more to attract and retain qualified cybersecurity staff, recruiting experts from the private sector.