Few months ago, an abnormal occurrence came to the notice of the Uttar Pradesh government – e-tickets for buses being run by the state’s transport corporation were being generated free of cost. An audit was conducted and a scam was exposed. It was actually the return of a scam that had been rampant in the state until seven years ago. This time, the size of the scam was pegged at Rs 9.42 lakh, but it had the potential to do more damage. The government pressed into service the special task force of the state police, a unit that is otherwise entrusted with chasing hardened criminals and carrying out the most difficult law and order operations.

The government did not go public about the scam until earlier this month when the special task force arrested two men, and took two minors into custody, for allegedly hacking into the website of the state government’s road transport corporation. The four were accused of exploiting vulnerabilities in the e-payment system of the Uttar Pradesh State Road Transport Corporation.

While two of the accused are freshers in a private engineering college, the other two are school students. All four are residents of a village in Kanpur. The police suspect they trained themselves by watching YouTube videos and obtained trial versions of hacking kits easily available online for free.

But the resolution of the case may not be a cause for celebration. As a cyber security expert and former consultant to the Uttar Pradesh Police pointed out, the state government had faced a spate of such hackings until seven years ago. Following these breaches, several meetings were held to discuss how to tackle the problem, said the expert, who did not want to be identified. He added that cyber security remained a neglected area among government agencies in the country.

In March, Minister of State for Electronics and IT KJ Alphons told Parliament that more than 22,000 Indian websites had been hacked between April 2017 and January 2018, of which 114 were government portals.

How the website was hacked

Explaining how the transport corporation’s online system was breached, the police said the accused first targeted potential travellers by offering them big discounts on government bus tickets through advertisements on WhatsApp and Facebook. They then “tampered with the payment confirmation data” on the Uttar Pradesh State Road Transport Corporation’s website with the help of an application called Burp Suite. Burp Suite is a security testing kit for finding vulnerabilities in web applications and fixing them. However, it is also said to be used by hackers to exploit those vulnerabilities.

Scroll.in phoned Additional Superintendent of Police Triveni Singh, who is in charge of the Special Task Force, to ask for more details on how the crime was committed. He did not answer calls.

Elaborating on how the scam might have played out, the cyber security expert said that whenever a payment request is sent through the government website, it is forwarded to a payment gateway, which in turn forwards the request to a bank that is supposed to receive the money on behalf of the government. The hacker, using the software kit, plants a tampering script (an automated series of instructions) in the channel connecting the payment gateway with the bank and enables a transaction of the amount of the ticket but actually involving no money. The payment gateway then forwards the transaction receipt to the government website and the system is convinced that the transaction has been executed on its face value. The hacker then sells the ticket at the offered discounted price and keeps the money, the expert said.

“There are two ways to fight such hacking,” the expert said. “First, multiple scripts can be planted on the government’s part on the same channel between the payment gateway and the bank, which can detect and stop the tampering script from operating. Second, regular audit [should be conducted] of such payments received through payment gateways.”

However, the expert pointed out that these methods had been discussed at the meetings seven years ago and that it all boiled down to having the will to implement them.