Every system, every programme, every website has a weakness. A loophole that can exploited if one has a keen sense and understanding of how it works. Some may use the information for good and notify those in charge about it, while other may use it to serve their own nefarious means. A case of the latter recently emerged when a software programmer was caught for creating and distributing a software that could allow agents to book around 1000 IRCTC Tatkal tickets at one go. Ironically, the programmer was working for CBI.
Booking train tickets under Tatkal can be an ordeal, which is why many seek the help of agents to book it for them. Agents ask for a modest fee in return of their service, and usually guarantee the booking. One of the ways in which some agents were able to book Tatkal tickets was through the help of Ajay Garg, a programmer for the Central Bureau of Investigation since 2012. Garg was able to create a software that could exploit vulnerabilities of the IRCTC ticket booking system. He was able to do this since he worked at IRCTC prior to joining the CBI and learned the weaknesses in the system to his advantage.
Garg's operation was quite successful while it lasted. He amassed a lot of money from agents who used his software to book Tatkal tickets. Notably, he was able to hide his tracks by using a chain of Indian and foreign servers and payments in cryptocurrency like Bitcoin, the last of which would have shot up in value during the Bitcoin bubble this month.
His software is quite intriguing and shows how familiar he was with the workings of the website. While it normally takes around 120 seconds to generate a PNR, Garg's software was able to generate a number of them extremely fast. The software could bypass IRCTC captcha, bank OTP and form, providing proxy IP addresses and multiple user IDs passwords, PTI reports. All agents needed to do was install the software and key on the username and password, which Garg would change often to ensure payments. All of this essentially allowed agents to confirm hundreds of Tatkal tickets, making life all the more difficult for individuals trying to book tickets by themselves.
The fact that the vulnerabilities continued to exist for all these years suggests that Garg never informed IRCTC while he was there. More importantly, it also shows that websites running on old or outdated software are at greater risk of being exploited. While Garg has been arrested by the CBI for his illicit business, the case should be a wake up call for the IRCTC and other platforms like it that can be manipulated. There is no word yet on whether IRCTC has managed to fix the loophole, but it looks like at least for now users should not have to worry about being duped under Tatkal booking.
Cyber-security is a major concern in India, as outdated software and programs running in a number of organisations across various sectors have made it an easy target for hacking. 2017 has seen some global attacks like Wannacry and Petya which affected a number of countries including India. Following the Tatkal ticketing scam, Railway Minister Piyush Goyal has directed IRCTC and the Centre for Railway Information Systems (CRIS) to take measures to strengthen cyber-security.