Was N-Power website hacked and applicants’ BVN exposed?By Olugbenga ADANIKIN on June 30, 2020
ON Friday, June 26, Bashir Ahmad, the Personal Assistant on New Media to Nigeria’s President Muhammadu Buhari announced on his verified Twitter handle @BashirAhmaad the re-opening of a new batch of the N-Power Social Intervention Programme of the current administration.
Ahmad said the application was free.
He further disclosed that fresh applications were to commence from 11:45 pm on the above date, encouraging eligible candidates to visit the portal hosted on the website of the Federal Ministry of Humanitarian Affairs, Disaster Management and Social Development (FMHDS).
In less than 48 hours, over a million applicants were reported to have applied for the job.
“In line with the ongoing N-POWER Batch C online application which commenced Friday, June 26, 2020, the Ministry of Humanitarian Affairs Disaster Management and Social Development, hereby announces that over 1,000,000 applications have been received from across the Federation in less than 48 hours after the Honourable Minister, Sadiya Umar Farouq, declared open the new N-Power Portal on the Ministry’s website,” the Ministry stated in a report by The ICIR.
The initiative is part of the Federal Government’s social intervention programme to create job opportunities and build capacities of youths across different sectors such as technology, agriculture, and teaching, among others.
However, a viral post on WhatsApp claimed the website has been hacked and that applicants’ Biometric Verification Numbers (BVN) have been exposed.
“Attention: Please if you know anyone who registered for Npower recently, inform them to move their money to their relative’s account, N-power site has been hacked and their BVNs are exposed.”
“Treat as Urgent,” a WhatsApp user posted.
First, independent findings by The ICIR revealed that the job portal is secured by the Amazon, a United State-based tech firm.
The web domain is also different from the previous domain used for the N-power job website when it was originally under the direct supervision of Yemi Osinbajo, Nigeria’s Vice President.
Currently, the webpage basically operates as a sub-domain of the official website of the FMHDS.
Based on the technical details of the N-Power website, the internet connection was also encrypted.
It was observed that unlike a website that has HyperText Transfer Protocol (HTTP) which is mostly considered unsecured, the N-Power Application portal is preceded by the HyperText Transfer Protocol Secured (HTTPS), thus secured.
Websites with HTTPS are mostly considered secure. It often has a ‘lock’ symbol to indicate the security status.
“HTTPS uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to encrypt normal HTTP requests and responses,” Cloudflare, a UK IT firm stated.
“As a result, HTTPS is far more secure than HTTP. A Website that uses HTTP has https:// in its URL, while a website that uses HTTPS has https://.”
As of Tuesday noon (June 30), both portals, the N-Power website and the N-Power application portal are secured and running. The original domain is also secured based on the above analysis.
Speaking with The ICIR, Akindayo Akindolani, Managing Partner, McAnderson Institute of Technology, said once a website is visited and the lock sign is missing, it implies the website is not secured.
He said there are times when website domains are renewed and the SSL are left out; this, he noted, could make the website vulnerable to cyber attacks.
He disclosed further that aside from the lock, users might find it difficult to determine the security of a website has been compromised except it is checked from the backend through the login details. This move, he said, would enable the user to verify the login data and recent activities on the website.
“Once a website is hacked, the original contents could be changed. Aside from the lock sign, if you log in to the backend and check the login history details, you can find some discrepancies.”
But this is not the case with N-Power portal, The ICIR has confirmed.
Remi Afon, the President of Cyber Security Experts Association of Nigeria (CSEAN) who also shared similar opinion with Akindolani, however, stressed that ascertaining the safety of a website would also include checking for pop-ups, malware and unusual links on the comment sections.
“The padlock signs only show that information sent to the website is encrypted,” Afon said, adding that “most hacked websites are not easily detected by mere visiting them except they are defaced.”
Meanwhile, the Senior Special Assistant to the President on Public Affairs, Anjuri Ngelale in a tweet post has debunked the claim that the website is compromised.
Garba Shehu, spokesperson to the President Buhari also affirmed Ngelale’s clarification by retweeting his message which earlier debunked the false claim.
The ICIR also reached out to Halima Oyelade, Special Assistant on Media to the FMHDS Minister. She also debunked the claim.
“Thank you for reaching out. No, it is not true,” she replied The ICIR‘s enquiry via a text message
Similarly, Mr Zam @DaBullIt, the Twitter user had also admitted to having spread the fake news and apologised for misleading the public.
Some Think Inventing Smears For FGN NSIPs To Stop ns From Accessing N-Power Engagement Is The Way To Play Politics.
“BREAKING: Npower Reg Portal Hacked, Applicants BVN Exposed. Pls don’t apply if you’ve not until coast is clear. Let’s help rebroadcast.”
— Ajuri Ngelale (@AjuriNgelale) June 28, 2020
Based on all available information, the claim above is MISLEADING and FALSE.