Securing e-procurements through digital signatures

For e-tenders, digital signatures play a crucial role, as a prospective vendor cannot at a later stage deny submitting a bid with certain prices or submitting certain information during the pre-qualification stage.

In today’s times, technology evolves real fast, and on the flip side, so do hackers. Armed with a deviously brilliant mind and superior knowledge of the latest technologies, hackers are breaching organizations’ cybersecurity with such surprising ease that it is worrisome.
 
The latest victim of a sophisticated cyber fraud has been the Madhya Pradesh (MP) government. Dubbed as the ‘e-tender scam’, the fraud involved large-scale manipulation of the government’s e-procurement platform to rig the bids in favor of a select few private companies. Fraudsters breached the e-procurement platform to check the bids quoted by various vendors and modified the bids of the companies of their choice to the lowest.
 
How did this happen?
 
The scam came to light in March this year, when the Madhya Pradesh Jal Nigam (MPJNL) was notified by an internal report that the bidding data submitted by vendors was being modified in collusion with some insiders and a few private companies.
 
The internal inquiry revealed that the bids for rural water supply schemes had been altered to make three favored companies the lowest bidders. The bids of other vendors were illegally made available to these bidders so they could lower their bids and seal the deal.
 
How was the scam unearthed?
 
Investigators conclude that the use of Digital Signatures (also known as Digital Signature Certificates or DSCs) and Encryption Keys played a pivotal role in unearthing the scam.
 
To ensure optimal security and transparency in the bidding process, the MP government’s e-procurement platform mandated that a vendor’s bidding data should be encrypted using the DSC of the Tender Opening Authority (TOA) and decrypted using the TOA’s encryption certificate keys.
 
When the bids of the submitted tenders were opened, the platform instantly highlighted a mismatch in the One-Way Hash (OWH) value of the vendor’s bid document. This, in turn, resulted in the ‘signature verification’ page showing an error in ‘signature and certificate validation status’, thereby indicating that the original bid data was modified at a later stage by an unauthorized person.
 
The OWH (the output of a mathematical algorithm that maps data of arbitrary size to a fixed-size value) generated at the time of submitting the bid was different from the OWH of the tampered document, which indicated that the document content had been altered.
 
How digital signatures make e-procurements safer
 
In today’s times, many organizations strive to transform into a paperless office to improve their efficiency and reduce operational costs.
 
In a paperless environment like this, where most documents, especially confidential documents like tender bids, contracts, etc., are stored in an electronic format, adopting a Digital Signatures-based approach can help organizations in many ways. Below are three significant benefits:
 
Authentication
 
When it comes to submitting bids for e-tenders, prospective vendors submit a lot of confidential information like their company’s financial information, personal information of the directors and other senior personnel, name and contact details of their clients for reference checks, bid amount, etc.
 
To get an undue advantage over others, competing vendors would definitely like to access such confidential information. They usually obtain this information in connivance with insiders who have direct access to it. As seen in the MP e-tender scam, once such information is accessed, the original bid documents can be modified to get an upper hand in the bidding process.
 
The use of Digital Signatures is perhaps the most certain way to prevent such manipulations. Since the ownership of a Digital Signature Key is bound to a specific user only, a ‘valid signature’ notification guarantees that the document was sent by that user only.
 
Integrity
 
In many scenarios, the sender and receiver of a document need assurance that the document has not been altered in any way during transmission. Digital Signatures provide this assurance by using cryptographic ‘message digest’ functions, which produce a string of digits created by a one-way hashing formula.
 
As seen in the case of the MP e-tender scam, any alteration in the original document gets instantly highlighted due to a mismatch in the OWH value of the original document and its altered version.
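The check performed at bid opening can be sketched as follows. This is an added example, not code from the article or from the MP platform; it assumes SHA-256 as the OWH, uses a textbook RSA demo key in place of the vendor's DSC, and the record fields and bid text are constructed. It goes one step beyond the case in the text by also checking a record whose stored hash was recomputed after the alteration, which a hash comparison alone accepts and the signature check rejects.

```python
import hashlib

# Demo key only: textbook RSA over two Mersenne primes, no padding. It stands
# in for the vendor's DSC key pair, which in practice is CA-issued and used
# with a padded scheme; do not reuse this construction.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the vendor


def owh(document: bytes) -> bytes:
    """One-way hash of the bid document (SHA-256 assumed)."""
    return hashlib.sha256(document).digest()


def submit(document: bytes) -> dict:
    """Vendor side: sign the hash; the platform stores all three fields."""
    signature = pow(int.from_bytes(owh(document), "big"), D, N)
    return {"document": document, "stored_owh": owh(document), "signature": signature}


def check_bid(record: dict) -> dict:
    """Opening side: recompute the hash and verify it two ways."""
    current = owh(record["document"])
    signed_hash = pow(record["signature"], E, N)   # uses the public key only
    return {
        "hash_matches_stored": current == record["stored_owh"],
        "signature_valid": signed_hash == int.from_bytes(current, "big"),
    }


def demo() -> tuple:
    # Constructed sample bid, not data from the case.
    original = submit(b"Vendor A | rural water supply scheme | bid: 118.40 crore")
    # Case 1: the stored document is altered after submission.
    altered = dict(original, document=b"Vendor A | rural water supply scheme | bid: 131.75 crore")
    # Case 2: the same alteration, with the stored hash recomputed to match.
    rehashed = dict(altered, stored_owh=owh(altered["document"]))
    return check_bid(original), check_bid(altered), check_bid(rehashed)


if __name__ == "__main__":
    for label, result in zip(("original", "altered", "altered + rehashed"), demo()):
        print(f"{label:20} {result}")
```

Only the holder of the private key can produce a signature that matches the new hash, so the signature check is the one that should gate acceptance of a bid at opening.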
 
Non-repudiation
 
Digital Signatures ensure that the sender who has signed any document cannot at a later stage deny signing it. For e-tenders, this feature plays a crucial role, as a prospective vendor cannot at a later stage deny submitting a bid with certain prices or submitting certain information during the pre-qualification stage.
 
As organizations shun paper-based processes and embrace digital practices like e-procurements, it is crucial that they implement robust cybersecurity measures to avoid breaches.
 
With an increasing number of procurement teams storing a chunk of proposals, contracts and other commercial documents in the digital format for ease of access, the need of the hour, to prevent cyber frauds, is to adopt digital signing to verify the authenticity of such documents and to use hardware security modules (HSMs) to ensure zero compromise of the sensitive digital signatures.
 
About the author:
 
Ved Prakash is Senior Business Development Manager, India and SAARC Region, Gemalto.
 
(The story first appeared on cioandleader.com)
