New Delhi: The security certificate of the income-tax (I-T) department’s Internet portal is yet to be renewed after it expired on 8 May, potentially making the site vulnerable to cyber attacks and compromising confidential information of assessees who continue to file their returns electronically.
A security certificate guarantees the authenticity of a website and that all transactions are encrypted and hence secure. Although it is not mandatory for all websites to obtain such certificates, it is a general practice with most banking portals and e-commerce sites.
“There has never been a case of either data theft or hacking on our data base,” a senior I-T official said on condition of anonymity. The same person added that the department uses its own server, which is not linked in any way to a common government pool.
Mint couldn’t immediately ascertain if the department had applied for renewal of the certificate.
E-filing is a growing preference among individuals filing returns even though it is mandatory only for corporate taxpayers and individuals with income exceeding Rs40 lakh. According to the I-T department’s website, about 4.83 million returns were filed electronically in the assessment year 2009-10. About 35 million returns are filed every year.
The website enables taxpayers to electronically file returns and fringe benefit tax returns, and ascertain their permanent account number, or PAN.
The I-T department’s portal https://incometaxindiaefiling.gov.in/ was issued a security certificate on 8 May 2008 by Entrust.net Secure Server Certification Authority and was valid for two years.
“A security certificate is granted by companies such as VeriSign (Inc.) and others after the portal fulfils certain important criteria. An expired certificate means that there could be certain gaps in the security updates required to ward off frauds,” said a technology sector analyst, who didn’t want to be named.
The analyst added that considering that it was a government portal and that too of the income-tax department, the issue is serious.
Presently, attempts to access the portal elicits a standard warning message by Internet browsers not to enter the website due to security reasons.
“The security certificate presented by this website has expired or is not yet valid. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server,” says the warning message by Microsoft Corp.’s Internet Explorer.
Akhilesh Tuteja, executive director, IT advisory services at consultancy KPMG, said that typically it takes about one-three weeks to get the certificate issued for the first time due to due-diligence procedures. “However, a renewal should not take more than a couple of days,” he said.
The delay in renewing the certificate has begun to affect those seeking to file their returns electronically.
“Though the last date for filing returns for salaried people is 31 July and 30 September for companies, there are many clients of ours who have completed all the procedures and want to file the returns now,” said Arun Kutty, senior partner of Virmani, Roy and Kutty Chartered Accountants.
“But we’ve been unable to do so due to the security risk,” he said. According to Kutty, while call centre executives at the Aayakar Seva Kendra (or I-T service centre) set up to answer queries pertaining to e-filing were “clueless”, an email sent to the I-T department’s help desk, too, remained unanswered.
“It is important to build a process into the security policy which raises a flag immediately (about) the certificate lapses for a proactive approach against cyber fraud,” said Deepak Kumar, an independent information and communication technologies market researcher and consultant.
Sanjiv Shankaran contributed to this story.