In an effort to address security concerns, UIDAI says it is introducing a new layer of security. The news comes as fresh security concerns are cropping up.
The Aadhaar saga continues. Over the weekend, we learned of the data breach that exposed 1 billion people to anyone willing to pay a mere 500 rupees (about $9.80 Canadian). Ever since, the UIDAI (Unique Identification Authority of India) has been left scrambling to defend the Aadhaar system. This includes filing an FIR (First Information Report) against the reporter and newspaper for bringing the explosive revelations to light. The FIR can lead to criminal charges.
The breach also sparked litigation from a human rights organization. The lawsuit seeks to initiate an independent probe into how the breach happened in the first place. In light of the explosive revelations, confidence in the system is sliding amongst the Indian population.
In an effort to get out of the PR nightmare that is unfolding, the UIDAI is announcing that it will introduce a password system. From Economic Times:
Days after newspaper report claimed breach in the Aadhaar database, the Unique Identification Authority of India (UIDAI) today released a 2-layer safety net — creating a Virtual ID and limiting Know Your Customer (KYC) – for the 12-digit biometric code.
The two moves will cover Aadhaar users from any breach.
Virtual ID will end any need to share your Aadhaar number at the time of authentication. This will be a 16-digit, randomly-generated number, which will be used for authentication instead of your Aadhaar number. Virtual ID, together with biometrics of the user would give any authorised agency like a mobile company, limited details like name, address and photograph, which are enough for any verification. It will not be possible to locate your Aadhaar based on this ID.
From a security standpoint, there are a few points one can pick up from this. For one, attackers now know that security codes are restricted to 16 characters. In addition, there are no letters or special characters mixed in the ID. So, already, this helps anyone wanting to brute force guess the number in the first place.
A second point to be raised here is the fact that these ID numbers are in the hands of vendors that want to use the Aadhaar system. As we’ve seen this year alone with the TransUnion data breach, Ancestry.com, and Alteryx, the private sector is far from perfect when it comes to safeguarding personal information.
A third point to be made is the idea of asking common every day citizens to remember a 16 digit number. Some people might remember this number, but expecting everyone to remember the number is going to be a questionable expectation. In all likelihood, some are going to be writing this number down somewhere. At that point, it may not take much imagination how such a number can be obtained. In a way, when one is to look at it in this light, it’s kind of scary that this is supposed to be a security improvement.
On the other hand, people who know security might actually approve of the fact that the number can at least be changed at any time. In a way, that is actually better security than the US model which simply requires the 9 digit number and a host of other personal information such as a date of birth for authentication purposes.
A problem is that this seems to cover interaction between an individual and a vendor. It’s not clear how this addresses breaches from the administrative side of things. That, of course, is the source of the concern raised by the Tribune where login credentials were given out for a comparatively trivial amount of money. If there are additional measures taking place on that front, it’s unclear for us.
Of course, while UIDAI is trying to reassure the people of India of the robustness of the Aadhaar system, a fresh concern is being raised. According to Gadgets 360, the database might be leaking where people bank. From the report:
there is another way to check this that, unfortunately, does not have the authentication safeguard of the OTP. This means anyone with your Aadhaar ID can see which bank account it was linked to.
In late December, the UIDAI tweeted a number that allows anyone to check the bank account linked with Aadhaar via SMS. Here’s how the process works:
1. Dial *99*99*1# from your phone. You will be charged 50 paisa for this message.
2. You will get a dialogue box asking you to enter the 12-digit Aadhaar number.
3. When you enter the Aadhaar number, it will ask you to either confirm the number or change it.
4. It will then show the bank it is linked to.
The SMS-based service by UIDAI does not involve an OTP being sent to the Aadhaar holder’s registered mobile number. Moreover, they are not even notified that someone checked their bank-linking information. For example, we entered the Aadhaar number of a colleague, and the service returned the name Allahabad Bank.
(via Hindustan Times)
Whether or not this initiates any action from UIDAI remains unclear. In any event, if there is anything UIDAI doesn’t need right now, it is more bad publicity. At this stage, one might raise the question of whether or not these features are being vetted by an independent security firm before rolling them out or if the UIDAI is just rolling out these features just hoping there is nothing wrong with it. Judging by what we are hearing about the Aadhaar system, it wouldn’t be an invalid question.