In a troubling recurrence, goods were released by exploiting the Customs' Automated System for Customs Data (ASYCUDA) through unauthorised access. This time, a container of imported cigarettes valued at Tk 6 crore was cleared using the user ID of a revenue officer, causing alarm within the National Board of Revenue (NBR).
Details of the breach
The breach occurred on May 20, 2024, when an unauthorised party accessed the ASYCUDA World system using the credentials of Mohammad Zakaria, a Deputy Commissioner at Chittagong Customs House. Zakaria was receiving medical treatment in Kolkata at the time.
Investigations revealed the login occurred at 11:33pm and again shortly after, during which a container of cigarettes, falsely declared and imported, was cleared. Notably, no one-time password (OTP) was received on Zakaria’s registered device, raising questions about the system's security measures.
Patterns of misuse
This is not an isolated incident. Similar breaches have plagued the ASYCUDA system in recent years:
In September 2023, hackers attempted to manipulate the system to release goods fraudulently.
In May 2023, the user ID of a deceased officer was used in another thwarted attempt.
In 2019, a staggering 222 containers vanished from ports due to fake IDs.
Over the past six years, more than 50 such breaches have been reported, exposing systemic vulnerabilities.
Response and investigations
The NBR has initiated multiple investigations, including a seven-member committee formed on October 22, to trace the perpetrators. Two parallel probes are underway, one led by the Customs Intelligence and Investigation Directorate (CIID) and the other one by an NBR-appointed senior official.
The Bangladesh Police Cyber Crime Unitis also involved to bolster efforts in identifying the culprits.
Strengthening security
The ASYCUDA system, critical for managing customs processes, employs a three-tiered security protocol: password authentication, two-factor authentication with OTP, and IP address and device binding.
However, recent breaches indicate flaws in implementation. In response, the NBR has introduced additional measures: stronger passwords and mandatory resets every 21 days, restrictions on social media access on devices linked to the system, implementation of code signer certificates to prevent unauthorised decryption or encryption, engagement with the Bangladesh Computer Council (BCC) for rigorous testing and future security upgrades.
NBR's position
NBR spokesperson Syed A Mu'men described the situation as "worrying and sensitive" and emphasised the board’s commitment to addressing the vulnerabilities. “We are determined to identify the culprits and ensure the system’s integrity,” he said.
Another senior NBR official assured stakeholders of collaborative efforts to fortify the system, adding: “Our aim is to make ASYCUDA impenetrable, safeguarding national revenue interests.”
Broader implications
As ASYCUDA underpins foreign trade activities, these incidents not only threaten revenue but also undermine trust in the country’s trade infrastructure. The recurrence of breaches underscores an urgent need for robust digital security and vigilant monitoring to restore confidence in the system.
The coming months will be critical as NBR works to implement these measures and prevent further exploitation of the system.