Cybergangs now selling ‘genuine’ NIDs

Imagine someone ordering and taking delivery of your personal data -- national identity card information, phone call records, and statements from your mobile financial accounts – as conveniently as ordering food online.

Astonishingly, this is what is going on.

Cybergangs in connivance with a section of unscrupulous staffers at the Election Commission and other government offices have been selling people's personal data.

They even offer "services" like providing a genuine copy of an NID card, changing one's information in the NID server and even locating a person by phone triangulation.

Anyone can avail themselves of these "services" via websites, Telegram channels, WhatsApp and Facebook groups for money.

Counter Terrorism and Transnational Crime Unit of police arrested two members of one such cybergang on Tuesday.

The gang, via encrypted messaging apps, gets orders for personal information of people or other "services" from clients. The demand is then sent to the unscrupulous staffers at the EC, who provide the details or deliver the "services".

It pays EC staffers involved, said Md Asaduzzaman, the chief of the Counter Terrorism and Transnational Crime Unit, during a press conference in the city yesterday.

The press conference was arranged following the arrest of suspects Md Jamal Uddin, data entry operator of IDEA 2 project of the election office in Kurigram Sadar, and Liton Mollah.

The CTTC arrested Liton from Bagerhat and Jamal from Pabna on Tuesday. They are now being quizzed on remand to find out who else is involved.

Asaduzzaman said Liton opened a WhatsApp group for getting orders from his clients while Jamal provided Liton with his credentials for the NID server.

Jamal would forward the one-time password (OTP) to Liton every time Liton logged on to the server.

Jamal received Tk 3,000 a day from Liton.

Liton, who studied up to HSC, made over Tk 1 crore in one year and paid Jamal around Tk 10 lakh, the CTTC chief said.

Officials said changing personal data on the NID server requires the credentials of at least the top EC official at an upazila or top EC officials at district or divisional level.

"So, there must be corrupt EC officials who aided him. We are trying to find out who else is involved," said an official of the CTTC.

Brig Gen Abul Hasnat Mohammad Sayem, project director for the Identification System for Enhancing Access to Services (IDEA) (2nd Phases), said Jamal was an employee of a company to which they outsourced the data entry job.

"Data entry operators have limited access. We have informed the company ... Besides, police will take legal action against him as per the law," he added.

Asked about the possible involvement of EC officials who have the authority to change data on the server, he said they were looking into the matter.

"Access to one's NID can facilitate the opening of fraudulent bank accounts and getting loans on fake documents, alongside committing other crimes…," said cybersecurity expert Sumon Ahmed Sabir.

It is the job of the government and private entities entrusted with the personal data to protect people from identity theft, emphasised Sabir, chief technology officer of international internet gateway Fibre@Home.

DATA ON SALE

The Daily Star correspondents on Wednesday accessed one of the websites created by a cybergang.

Upon entering multiple NID numbers and their corresponding dates of births, all personal information of the individuals, including photos and signatures, appeared on the screen.

The gang was offering a range of "services", including personal data from the NID server for Tk 60, phone call records for Tk 1,600, statements of mobile financial accounts for Tk 2,300, and birth certificate "correction" and TIN certificate for Tk 100.

Apart from "genuine" ones, they also offered fake NID cards, birth certificates, Bureau of Manpower, Employment and Training certificates, and health certificates for potential migrant workers.

To avail the "services", clients are required to pay via mobile financial services.

Earlier in February, the CTTC busted a cybergang who obtained the NID information from a government website. They also cloned websites of some government agencies, according to investigators.

Imranul Islam, assistant commissioner of the CTTC's cybercrime investigation department, told The Daily Star that they had arrested seven people, including three "super admins" of a website.

"We found that the gang was involved in selling original NID information and statements of mobile financial accounts," Imranul said.

In April, detectives arrested Pallab Das, data entry operator of IDEA 2 project of the EC office in Rangpur, for issuing NID cards to fraudsters who embezzled crores of taka from banks and financial intuitions by taking out loans.

Joynal Abedin alias Idrish, a former salesman at a jewellery shop in Dhaka's Mirpur, obtained six NID cards with the help of Pallab, investigators said.

An official at the NID wing of the EC said about 176 organisations have access to the NID server.

On June 7, 2023, TechCrunch, a San Francisco-based online publisher of start-up and technology industry news, reported that personal information of about 5 million Bangladeshi nationals have been leaked from a government website.