Last updated: 01 October 2018
As technology evolves, so do hackers. Armed with a deviously brilliant mind and superior knowledge of the latest technologies, today’s hackers are breaching organisations’ cybersecurity with surprising ease.
The latest victim of a sophisticated cyber fraud is the Madhya Pradesh (MP) government. Dubbed the ‘e-tender scam’, the fraud involved large-scale manipulation of the government’s e-procurement platform to rig the bids in favour of a select few private companies.
The fraudsters breached the e-procurement platform to check the bids quoted by various vendors and modified the bids of the companies of their choice to the lowest.
How did this happen?
The scam came to light in March this year, when the Madhya Pradesh Jal Nigam (MPJNL) was notified by an internal report that the bidding data submitted by vendors was being modified in collusion with some insiders and a few private companies.
The internal inquiry revealed that the bids for rural water supply schemes had been altered to make three favoured companies the lowest bidders. The bids of other vendors were illegally made available to these bidders so they could lower their bids and seal the deal.
How was the scam unearthed?
Investigators conclude that the use of Digital Signatures (also known as Digital Signature Certificates or DSCs) and Encryption Keys played a pivotal role in unearthing the scam.
To ensure optimal security and transparency in the bidding process, the MP government’s e-procurement platform mandated that a vendor’s bidding data should be encrypted using the DSC of the Tender Opening Authority (TOA) and decrypted using the TOA’s encryption certificate keys.
When the bids of the submitted tenders were opened, the platform instantly highlighted a mismatch in the One Way Hash (OWH) value of the vendor’s bid document. This, in turn, resulted in the ‘signature verification’ page showing an error in ‘signature and certificate validation status’, thereby indicating that the original bid data was modified at a later stage by an unauthorized person.
The OWH (the output of a mathematical algorithm that maps data of arbitrary size to a fixed-size value) that was generated at the time of submitting the bid was different from the OWH of the tampered document, which indicated that the document content had been altered.
How Digital Signatures make e-Procurements safer
In today’s times, many organisations strive to transform into a paperless office to improve their efficiency and reduce operational costs.
In a paperless environment like this, where most documents, especially confidential documents like tender bids and contracts, are stored in an electronic format, adopting a Digital Signatures-based approach can help organisations in many ways. Below are three significant benefits:
When it comes to submitting bids for e-tenders, prospective vendors submit a lot of confidential information like their company’s financial information, personal information of the directors and other senior personnel, name and contact details of their clients for reference checks, bid amount, etc.
To get an undue advantage over others, competing vendors would definitely like to access such confidential information. They usually obtain this information in connivance with insiders who have direct access to it. As seen in the MP e-tender scam, once such information is accessed, the original bid documents can be modified to get an upper hand in the bidding process.
The use of Digital Signatures is perhaps the most certain way to prevent such manipulations. Since the ownership of a Digital Signature Key is bound to a specific user only, a ‘valid signature’ notification guarantees that the document was sent by that user only.
In many scenarios, the sender and receiver of a document need assurance that the document has not been altered in any way during transmission. Digital Signatures provide this assurance by using cryptographic ‘message digest’ functions, which produce a string of digits created by a one-way hashing formula.
As seen in the case of the MP e-tender scam, any alteration in the original document gets instantly highlighted due to a mismatch in the OWH value of the original document and its altered version.
Digital Signatures ensure that the sender who has signed any document cannot at a later stage deny signing it.
For e-tenders, this feature plays a crucial role, as a prospective vendor cannot at a later stage deny submitting a bid with certain prices or submitting certain information during the prequalification stage.
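The opening-time check described above (recompute the OWH, compare it with the value recorded at submission, and validate the signature) can be sketched as follows. This is an added example, not code from the MP e-procurement platform or from Gemalto; the SealedBid record layout, the function names, SHA-256, ECDSA P-256 and the sample bid amounts are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SealedBid is a hypothetical record of what the platform stores at submission.
type SealedBid struct {
	Document []byte   // bid content as submitted
	OWH      [32]byte // one-way hash recorded at submission
	Sig      []byte   // vendor's signature over that hash
}

// Digest is the one-way hash; SHA-256 is an assumption of this example.
func Digest(doc []byte) [32]byte { return sha256.Sum256(doc) }

// NewVendorKey creates a throwaway signing key standing in for a vendor's DSC key.
func NewVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Submit hashes the bid and signs the digest with the vendor's private key.
func Submit(vendor *ecdsa.PrivateKey, doc []byte) (SealedBid, error) {
	owh := Digest(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, owh[:])
	return SealedBid{Document: doc, OWH: owh, Sig: sig}, err
}

// Open recomputes the hash at opening and checks it against the stored OWH and the signature.
func Open(pub *ecdsa.PublicKey, b SealedBid) (hashOK, sigOK bool) {
	now := Digest(b.Document)
	return now == b.OWH, ecdsa.VerifyASN1(pub, now[:], b.Sig)
}

func main() {
	key, _ := NewVendorKey()                               // errors ignored in this demo only
	bid, _ := Submit(key, []byte("Bid: INR 105.20 crore")) // constructed sample bid
	// Constructed case: content changed after submission, stored OWH left as recorded.
	altered := SealedBid{[]byte("Bid: INR 98.70 crore"), bid.OWH, bid.Sig}
	// Constructed case: the stored OWH was rewritten to match the changed content.
	rehashed := SealedBid{altered.Document, Digest(altered.Document), bid.Sig}
	for _, b := range []SealedBid{bid, altered, rehashed} {
		h, s := Open(&key.PublicKey, b)
		fmt.Printf("hash match=%v signature valid=%v\n", h, s)
	}
}
```

The third case is why the signature matters in addition to the stored hash: a record whose hash has been rewritten to match the new content still fails signature validation, because producing a valid signature requires the vendor's private key.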
To protect digital signatures from any compromise, organisations around the world use Gemalto’s state-of-the-art SafeNet Hardware Security Modules (HSMs) to ensure maximum safety of the encryption keys that are the heart of all digital signatures.
Gemalto’s intrusion-resistant, tamperproof HSMs ensure strong access controls that prevent unauthorized users from accessing the sensitive encryption keys.
While traditional HSMs suffice in securely storing the encryption keys, they severely lack in a critical aspect – key management. Since the encryption keys pass through multiple phases during their lifetime, efficiently managing them at each stage becomes important.
SafeNet HSMs come in-built with a ‘Secure Key Management’ feature that seamlessly manages the crypto keys at each stage of their lifecycle (generation, storage, distribution, backup, rotation and destruction) thereby ensuring optimal protection of the keys.
To Sum It Up
As organisations shun paper-based processes and embrace digital practices like e-procurements, it is crucial that they implement robust cybersecurity measures to avoid breaches.
With an increasing number of procurement teams storing a chunk of proposals, contracts and other commercial documents in the digital format for ease of access, the need of the hour, to prevent cyber frauds, is to adopt digital signing to verify the authenticity of such documents and use HSMs to ensure zero-compromise of the sensitive digital signatures.