Published on 12:00 AM, February 20, 2024

Fraudsters sneak into NID server again

Obtain sensitive personal info for unauthorised use, police say


Fraudsters have once again gained access to the smart national identity card information system and acquired sensitive personal information from it, which they used without authorisation to offer various government services through cloned websites.

The Cyber Crime Investigation Department of Dhaka Metropolitan Police's Counter Terrorism and Transnational Crime Division busted this racket after arresting four suspects involved in cloning of a government website.

The gang was offering a range of services, including fake land rent payment certificate, TIN number, Bureau of Manpower, Employment and Training certificate, health certificate for expats, tax certificate, bank statement and solvency certificate at different rates, investigators say.

They created a website named "sebacenter.xyz" to provide these services as well as a number of cloned websites identical to the official websites of different government agencies.

The Daily Star yesterday gained access to one of the websites created by the fraudsters.

Upon entering multiple NID numbers and their corresponding dates of birth, the entire personal information of the individuals, including their photos, appeared on the screen, raising concerns over data protection.

As of October 2023, the country's NID server had information of about 12 crore voters, of whom around 5.5 crore have smart NID cards.

AFM Al Kibria, deputy commissioner of CTTC's Cyber Crime Investigation Department, said the arrestees gained the NID information from a government website.

An official at the NID wing of the Election Commission told The Daily Star that about 176 organisations have access to the NID server.

The NID server can be accessed by anyone if there are security lapses on the part of the relevant authorities, he said, adding that similar incidents took place in the past as well.

On June 7, 2023, TechCrunch, a San Francisco-based online publisher of start-up and technology industry news, reported that personal information of about 5 million Bangladeshi nationals had been leaked from a government website.

The arrestees are Solaiman Towhid, 25; Khokon, 27; Sheikh Sejan, 24; and Nasir Uddin, 30. They were arrested between February 11 and 14 from different parts of the country, and have since been sent to jail.

Police say they identified 20 "super admins" or masterminds and hundreds of users or "associates" of this racket that operates nationwide. The four arrested are super admins.

Imranul Islam, assistant commissioner of CTTC's Cyber Crime Investigation Department, said most of the customers who availed land tax services through this racket paid their long overdue tax. Many of them did not pay land tax for 30 to 40 years, and used this fraudulent service to evade tax.

He added that the proceeds of the illegal business were distributed equally among the super admins, while the users or agents got commission.

From one such account, they provided 360 fake land development tax payment receipts, according to investigators.

Of the arrestees, Solaiman and Khokon used to work together at a visa processing centre in Sylhet. They have been providing this service since the corona pandemic, as certificates of corona vaccination were required for various government services.

Solaiman, who has skills in web development, can create an exact clone of any website. Along with Khokon, he created a clone website, surokkha.gov.bd.xyz, on the model of surokkha.gov.bd and issued fake corona certificates at the time, investigators say.

Later, when the demand for corona certificate fell, they started looking for new ways of forgery. In the meantime, they got Sejan, a "cybercriminal" known as White Devil in cyberspace, and Nasiruddin in the team, they add.

Previously, three cases were filed against Sejan on allegations of birth certificate forgery, NID information leak and various other cyber frauds, according to CTTC officials.

To avail services from these websites, users were first required to have electronic balance by paying an amount through various mobile financial services. Electronic money in their account was charged against the service they received.

Due to the high demand, the gang created a website (ldtax.gov.bdx.xyz) modeled after the Land Development Tax Payment website of the land ministry.

From the cloned website, users collected PDF copies of the tax receipts, which looked like originals and carried a QR code. But during verification, they came out as fake.

Mohammad Noor Hossain, system analyst at the land ministry, filed a case with Shahbagh Police Station against unnamed persons under the cyber security act on February 8 over the forgery.

CTTC officials then launched an investigation, and arrested the four from Sylhet, Narail and Cumilla.