BENGALURU: Even as the Cyber Crime wing of the police looks into the case of illegal access to the Aadhaar database, a few independent investigators have discovered a security flaw in the Aadhaar system.
Cyber security experts said that the flaw could be used to obtain SIM cards, open bank accounts and so on.
Meanwhile, police officials probing the case are looking into the technical details of how the accused, Abhinav Srivasatav, obtained the access required to provide e-KYC, and how the database did not display the name of the KYC agency calling the server for Aadhaar verification, among other questions.
Sources at the Unique Identification Authority of India (UIDAI) said that the accused might have obtained passwords by hacking into, or ‘piggy-backing’ on, E-Hospital, a healthcare delivery platform developed by the National Informatics Centre (NIC).
Independent investigators analysing the ‘Aadhaar e-KYC’ application ruled out a hack of the Central Identities Data Repository. Cyber analyst Anand Venkatanarayanan, who verified the process employed by the Android app, felt that the owner of the application might have reused a licence key issued to one of the User Agencies, either an Authentication User Agency (AUA) or a KYC User Agency (KUA).
Apart from this, the app’s code allowed it to run against the production database without displaying the name of the agency running the programme, a violation of the Aadhaar Act.
Another shortcoming found during the analysis was that the app relied on demographic authentication rather than OTP or fingerprint authentication. While OTP and fingerprint authentication carry some safeguards, demographic authentication, which verifies a person using only their name, mobile number or Aadhaar number, is forbidden under the law.
“Since demographic authentication does not require notifying the holders via email and/or mobile phone, it opens up the terrible possibility that these holders’ details could have been used as eKYC for getting SIM cards, opening bank accounts etc. While we have no data to indeed claim that this did happen, this is a massive security hole in the entire eco-system and must be plugged immediately,” Venkatanarayanan wrote in a blog post on the case.
Until the security hole is plugged, using Aadhaar for eKYC is no better than the existing paper-based KYC process. The primary purpose of eKYC is to provide residents a safety net against their paper-based KYC documents being forged and used without their knowledge for illegal purposes, he added.
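The three findings above (an unidentified calling agency, a licence key reused from another agency, and demographic-only authentication that never notifies the resident) all amount to checks an eKYC gateway should enforce before serving a request. The following Python is an added illustration of such a gate; it is not UIDAI’s API, not the app under investigation, and not the analyst’s code. The agency codes, licence keys, factor names and the audit-line format are all made up for the example.

```python
"""Hypothetical eKYC request gate (illustration only, not UIDAI's real API).

It enforces the three points raised in the article:
  1. the calling agency must identify itself and be registered;
  2. the licence key presented must have been issued to that agency
     (so a key lifted from another AUA/KUA is refused);
  3. eKYC must rest on a factor that involves the resident (OTP or
     fingerprint), never on demographic matching alone, so the resident
     is notified every time their identity is used.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed registry of agencies and the licence keys issued to each.
# Codes and keys are invented for this example.
REGISTERED_AGENCIES: Dict[str, dict] = {
    "KUA-HOSP-01": {"name": "Example Hospital KUA", "licence_keys": {"lk-hosp-01"}},
    "AUA-TELCO-02": {"name": "Example Telecom AUA", "licence_keys": {"lk-telco-02"}},
}

# Factors that prove the resident took part and therefore trigger a notification.
STRONG_FACTORS: Set[str] = {"otp", "fingerprint"}


@dataclass
class EkycRequest:
    agency_code: Optional[str]      # None models an app that hides who is calling
    licence_key: str
    factors: Set[str]               # e.g. {"otp"}, {"fingerprint"}, {"demographic"}
    demographic: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    notify_resident: bool
    agency_name: Optional[str]


def gate_ekyc(req: EkycRequest) -> Decision:
    """Return whether the request may be served and why not if it may not."""
    reasons: List[str] = []

    agency = REGISTERED_AGENCIES.get(req.agency_code or "")
    if agency is None:
        reasons.append("calling agency not identified or not registered")
    elif req.licence_key not in agency["licence_keys"]:
        reasons.append("licence key was not issued to the calling agency")

    strong = req.factors & STRONG_FACTORS
    if not strong:
        reasons.append("demographic-only authentication is not acceptable for eKYC")

    allowed = not reasons
    return Decision(
        allowed=allowed,
        reasons=reasons,
        # A resident is notified only when a strong factor was actually used.
        notify_resident=allowed and bool(strong),
        agency_name=agency["name"] if agency else None,
    )


def audit_line(req: EkycRequest, decision: Decision) -> str:
    """Build the log line the gateway records; the agency name is always shown."""
    outcome = "ALLOW" if decision.allowed else "DENY"
    who = decision.agency_name or "<unidentified agency>"
    factors = ",".join(sorted(req.factors)) or "none"
    detail = "; ".join(decision.reasons) if decision.reasons else "ok"
    return f"{outcome} agency={who!r} factors={factors} {detail}"


if __name__ == "__main__":
    samples = [
        EkycRequest("KUA-HOSP-01", "lk-hosp-01", {"otp"}),
        EkycRequest("AUA-TELCO-02", "lk-hosp-01", {"otp"}),          # key reused
        EkycRequest(None, "lk-hosp-01", {"demographic"}, {"name": "A"}),
    ]
    for r in samples:
        print(audit_line(r, gate_ekyc(r)))
```

Running the block prints one audit line per constructed request; only the first is allowed, and only that one would notify the resident.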
There is no breach of any Aadhaar data: UIDAI
Following the arrest, UIDAI issued a release on Tuesday stating, “The UIDAI has carefully gone into the matter and would like to inform and reassure the public that there is no breach of any Aadhaar data and no compromise of individuals’ privacy and security in this case.” “As far as the said App is concerned, it was trying to provide Aadhaar verification to the residents based upon their own consent and to download their own demographic data. Hence, alleged privacy violations reported in some sections of the media are not true, as no one could get any data of any other person through this App. Aadhaar data remains fully safe and secure.” “Aadhaar based authentication is robust and secure as compared to any other contemporary systems,” the release added.