[ISN] Password breach at Customs leads to huge revenue loss

From: InfoSec News <alerts_at_private>
Date: Mon, 1 Jun 2009 03:04:44 -0500 (CDT)
http://www.thehindubusinessline.com/2009/06/01/stories/2009060151480100.htm

By T.E. Raja Simhan
The Hindu Business Line
June 01, 2009

Chennai, May 31: Theft/unauthorised third-party use of customs officials’
password for accessing the computer network (Customs Electronic Data 
Interchange or EDI) used by both the customs staff and the merchant 
community is causing loss of revenue, says an internal communication 
circulated to the offices at the Central Board of Excise and Customs 
(CBEC).

On a number of occasions there have been frauds reported in the various 
Customs EDI locations involving “compromise of password by officers. 
Such frauds have led to revenue loss of crores of rupees”, the 
communication said.

The Directorate of Systems has repeatedly issued detailed instructions 
on password security. These instructions set out the basic steps that 
should be followed by all the users to eliminate the possibility of 
‘compromise of passwords’.


Dismaying factor

“However, despite such instructions being reiterated repeatedly it is 
dismaying to notice that instances of password compromise continue to 
recur with unfailing regularity. It is evident that officers are not 
taking these instructions seriously and there is also a failure on the 
part of supervisory officers to effectively monitor the performance of 
their subordinates,” it says.

“The biggest threat to security of an electronic system comes from 
password compromise and sharing of password. In effect, when an officer 
shares his password with anybody, he has to, without doubt, be regarded 
as being in collusion in the fraud that results,” it says.


Important reason

Enquiries with customs officials revealed that a typical instance of
unauthorised use of an officer’s password is the leaking of information
about a particular case being investigated by the department to the
importer/exporter concerned.

It could also lead to the information being revealed to some other 
establishment resorting to a similar trade practice that has come to 
their notice.

The merchant establishment could rearrange its affairs to escape levy of
penalty, besides prosecution. The fact that only a few officers have
been punished for password breach, and even then not adequately, may be
an important reason why such breaches continue to recur, sources in the
department said.

The Central Excise and Service Tax, Directorates and other formations 
will increasingly be required to work on applications requiring 
conformity with password security guidelines. The board would like to 
ensure that all the security-related instructions issued by the 
Directorate of Systems are complied with by all officers, including 
supervising officers, and those violating them are brought to account 
without loss of time.

Further, whenever any case of ‘password compromise’ comes to notice,
it has to be thoroughly investigated and proceedings for inflicting 
exemplary punishment should be undertaken and concluded expeditiously.

It should be made clear to all the officers that maintenance of password 
security is the sole and individual responsibility of each officer and 
any breach will make them liable to disciplinary action resulting even 
in dismissal from the Government service, the CBEC has said.


Received on Mon Jun 01 2009 - 01:04:44 PDT
