Flaws in Aadhaar data security: Investigators

Even as Cyber Crime wing of the police is looking into the case of illegal access to Aadhaar database, a few independent investigators have discovered a security flaw in the Aadhaar system.

Published: 05th August 2017 02:51 AM  |   Last Updated: 05th August 2017 08:29 AM   |  A+A-

Aadhaar – a unique 12-digit number is assigned to about 99 per cent of adult Indian residents. | File Photo

Express News Service

BENGALURU: Even as Cyber Crime wing of the police is looking into the case of illegal access to Aadhaar database, a few independent investigators have discovered a security flaw in the Aadhaar system.
Cyber security experts said that the flaw can be used to get SIM cards, opening bank accounts etc.

Meanwhile, police officials who are probing the case are looking the technical details on how the accused Abhinav Srivasatav got the required access to provide e-KYC, and how the database did not display the name of the KYC agency calling the server to provide Aadhaar verification and others.

Sources from Unique Identification Authority of India (UIDAI) said that the accused might have accessed passwords by hacking or ‘piggy-backing’ on E-Hospital - a healthcare delivery platform developed by National Informatics Centre (NIC).

Independent investigators, who are analysing the ‘Aadhaar e-KYC’ application, ruled out the possible hacking into the Central Identities Data Repository. Cyber analyst Anand Venkatanarayanan, who verified the process employed by the Android app, felt that the owner of the application might have reused a licence key from one of the User Agencies - either Authentication User Agency or KYC User Agency.
Apart from it, the code of the app, allowed it to run against the production database without displaying the name of the agency running the programme, leading to violation of Aadhaar Act.

One of the other shortcomings, discovered during the analysis was that the app did not use OTP or fingerprint authentication but the demographic authentication. Though the OTP and fingerprint authentication has some security features, demographic authentication is forbidden under law, since it uses name or mobile number or Aadhaar to verify the credentials.

“Since demographic authentication does not require notifying the holders via email and/or mobile phone, it opens up the terrible possibility that these holders details could have been used as eKYC for getting SIM cards, opening bank accounts etc. While we have no data to indeed claim that this did happen, this is a massive security hole in the entire eco-system and must be plugged immediately,” Venkatanarayanan wrote in a blog related to the case.

Until the security hole is plugged, using Aadhaar as eKYC is no better than existing paper based KYC process. The primary purpose of using eKYC is that it provides a safety net for residents against their paper based KYC documents getting forged and used without their knowledge for illegal purposes, he added.

There is no breach of any Aadhaar data: UIDAI

Following the arrest, UIDAI issued a release on Tuesday, stating, “The UIDAI has carefully gone into the matter and would like to inform and reassure public that there is no breach of any Aadhaar data and compromise of individual’s privacy and security in this case.” “As far as the said App is concerned, it was trying to provide Aadhaar verification to the residents based upon their own consent and to download their own demographic data. Hence, alleged privacy violations reported in some section of media is not true as no one could  get any data of any other person through this App. Aadhaar data remains fully safe and secure.” “Aadhaar based authentication is robust and secure as compared to any other contemporary systems,” the release added.

Stay up to date on all the latest Bengaluru news with The New Indian Express App. Download now
(Get the news that matters from New Indian Express on WhatsApp. Click this link and hit 'Click to Subscribe'. Follow the instructions after that.)


Disclaimer : We respect your thoughts and views! But we need to be judicious while moderating your comments. All the comments will be moderated by the newindianexpress.com editorial. Abstain from posting comments that are obscene, defamatory or inflammatory, and do not indulge in personal attacks. Try to avoid outside hyperlinks inside the comment. Help us delete comments that do not follow these guidelines.

The views expressed in comments published on newindianexpress.com are those of the comment writers alone. They do not represent the views or opinions of newindianexpress.com or its staff, nor do they represent the views or opinions of The New Indian Express Group, or any entity of, or affiliated with, The New Indian Express Group. newindianexpress.com reserves the right to take any or all comments down at any time.

flipboard facebook twitter whatsapp