It is predictable. No matter how dangerous a breach is reported to be, the UIDAI’s response is only to deny that there is any problem, because the biometrics are not leaked. Yes, the authority in charge of the security of the personal information provided by the entire country is so ignorant of how data is misused that they believe a database of a billion records cannot be misused unless the biometrics go with it. Well, in the interest of public education, here are some ways the data can be misused.

Remember, The Tribune has established that read-only access to the entire database can be purchased within 10 minutes for as little as Rs. 500. The Quint has gone ahead and discovered how such a massive breach (yes, contrary to what UIDAI says, random people easily getting access to a secure database is a BREACH) was possible. Apparently, people who have admin access to the database can create further admin users without any verification of identity (or even nationality). The Quint further established and confirmed that the entire database could be accessed by simply changing the Aadhaar number in the URL. This basically means that almost anyone with some knowledge of programming can write a script that iterates through the numbers and scrapes the data, and given enough time, the entire database of a billion-plus users could be duplicated by hackers. Without the biometrics, as the UIDAI complacently points out.
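The defender-side counterpart of the problem described above, as an added example that is not part of the original post: a portal whose URL parameter selects the record leaves a tell-tale trace in its own access logs, because a scraper walks through consecutive identifiers. The log format, the `/portal/record` path and the `id` parameter name are assumptions, and the 12-digit identifiers are constructed placeholders; the check works for any endpoint that takes a numeric record number.

```python
"""Flag clients that walk through consecutive record ids in web access logs.
Added example, not from the original post. Log format, endpoint path and
parameter name are assumptions; ids below are constructed placeholders."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample: one client stepping through consecutive ids, one normal client.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2018:10:00:01 +0530] "GET /portal/record?id=100000000001 HTTP/1.1" 200 512
10.0.0.5 - - [06/Jan/2018:10:00:02 +0530] "GET /portal/record?id=100000000002 HTTP/1.1" 200 498
10.0.0.5 - - [06/Jan/2018:10:00:02 +0530] "GET /portal/record?id=100000000003 HTTP/1.1" 200 501
10.0.0.5 - - [06/Jan/2018:10:00:03 +0530] "GET /portal/record?id=100000000004 HTTP/1.1" 200 507
10.0.0.5 - - [06/Jan/2018:10:00:03 +0530] "GET /portal/record?id=100000000005 HTTP/1.1" 200 503
10.0.0.9 - - [06/Jan/2018:10:01:10 +0530] "GET /portal/record?id=100000000042 HTTP/1.1" 200 510
10.0.0.9 - - [06/Jan/2018:10:05:44 +0530] "GET /portal/record?id=100000007777 HTTP/1.1" 200 499
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def ids_by_client(log_text: str, param: str = "id") -> dict:
    """Return {client_ip: [requested ids, in log order]} for requests carrying `param`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the run
        query = parse_qs(urlparse(m.group("path")).query)
        for value in query.get(param, []):
            if value.isdigit():
                seen[m.group("ip")].append(int(value))
    return dict(seen)


def enumeration_suspects(log_text: str, min_run: int = 4) -> dict:
    """Return {client_ip: longest run} for clients whose ids include a run of
    at least `min_run` consecutive values (a signature of id enumeration)."""
    flagged = {}
    for ip, ids in ids_by_client(log_text).items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged
```

Pairing a detector like this with a rate limit and an authorisation check that binds the requested id to the caller's own scope is what stops the walk in the first place; the log check only makes it visible.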

There are enrolment agents selling Aadhaar application data for as little as Rs 2-5 per applicant.

There is absolutely no reason to believe that it isn’t. Those who profit from data understand its value. It would be among the first things they did before selling access to others.

So what exactly is it that malicious people with this kind of access to big data can do?

Big data surveillance/manipulation

Companies like Google or Facebook have been known to manipulate mass behavior using targeted content. Combine that with America’s out-of-control security establishment, and what you have is people outside India with the power to manipulate things like public sentiment or elections. They could trigger riots or create mass perceptions to exploit national resources. But I am not going to dwell a lot on this, mostly because Aadhaar data has already been vulnerable to foreign intelligence in various ways, so I doubt they need this access to do it.

So let us look at smaller crooks.

Risk of exploitation for young women

If you can run a filter on a database for women between the ages of, say, 17 and 19, any conman would be able to target them on WhatsApp pretending to be an old friend who just got their phone number and asking them to recognize him, or some other story for starting a conversation and picking up their cues with cold reading (a method of observing spoken and behavioral nuances to “read minds”), something most confidence tricksters are adept at. From there, it could go anywhere. Praise their looks and suggest they try modelling, and sell professional portfolio services. Lure them into an online affair and blackmail them with intimate evidence. Offer to meet them in person and kidnap or otherwise harm them. Absolutely anything can happen when a person with an evil mind has information on a large number of vulnerable people. ScoopWhoop already reports on a sex maniac using demographic details for serial targeting of young women.

Risk of financial exploitation for those not aware of digital security

Perhaps you would not tell a random person your Aadhaar number and OTP for them to steal your life’s earnings. But many would readily answer questions in a “verification call from UIDAI”, for example. A person with such a database can spend his day calling up people with a script like this: “Hello, this is a call from UIDAI to verify your Aadhaar for security. Because of all these exposés in the news, we are updating and verifying all Aadhaar accounts to improve your security. I’d like to confirm your details. Your Aadhaar number is…… your name is….. your official address is…. and your phone number is ….. is this right? Thanks. Ok sir, I will need to verify this. As you know, your Aadhaar can be verified with biometrics or an OTP. What would you prefer? I can give you the address of our main office in the next city where you can come between 9am and noon, or you can choose to receive an OTP if your Aadhaar has your correct phone number. Ok, I am sending you the code for verification. Can you read it out to me and confirm that your details are correct? I can hold. Thank you for your cooperation sir, have a good day.” The next thing the mark will know is an SMS telling him his bank account is empty.

Maybe a few will be aware of this. But there will ALWAYS be people who are too ignorant or trusting; after all, they are the ones blindly trusting an extremely insecure Aadhaar and linking it to everything, aren’t they? It doesn’t take everyone falling for the scam to make a massive profit. A few a day will have the scammers retiring happy with new identities within a month.

So yeah, this access to a billion personal details linked to Aadhaar, even without biometrics, has the capacity to leave the entire country vulnerable to having its bank accounts drained.

More elaborate scams

I started a Kotak Mahindra Bank account recently and validated with an OTP. A few days later, a woman landed up at my home claiming to be from the bank. She had come to verify my identity. She wanted to “see” my Aadhaar and PAN. Then she told me that she would be needing my fingerprints and OTP to complete the registration of my account. Now I’m not telling my OTP to anyone here, right? After all, I’d be entering it on her phone. I could even ask her to look away if I liked. But if Aadhaar validates with both OTP and fingerprints, why did they want both? I didn’t get any clear answer. Also, there is really no way of knowing whether the woman is really a legit bank employee come to validate, or a scammer with access to information on who has opened accounts with the bank from some other vulnerability. There is no way for me to know whether her phone is secure. She could have malware on it, or it could be deliberately rigged to show me one thing and validate something else entirely.

Banking scams a la Airtel Payments Bank

Airtel Payments Bank misused the validation of demographic data for mobile SIMs to create accounts in the names of the SIM holders without requiring an OTP or biometrics. OTP and biometrics are a way to validate the demographic data. If the scammer has authentic data from the database, they don’t need the Aadhaar number to be validated at all: it is from the database, so it is valid. Any bank could use that data to create accounts in the name of all Aadhaar holders with correct information. In other words, the Airtel Payments Bank scam without even the small, easily missed tick box to alert a watchful person that the data would be reused by another entity.

General marketing

Wouldn’t it be nice for pharma companies to have lists of doctors with more personal information, so they can communicate in a manner that implies the doctor really trusts them? How about a nice list of emails of office-goer-looking people to target for selling life insurance? Opening a coaching class or gym in the area? A dubious operator with access to such a database could give you the address of every child or every fit person in your locality to target for enrolment. How about the phone numbers of every college-age student to promote professional modelling photo services to? Or cheaper versions for stunning social media profiles? Or simply a list of 100 phone numbers of the hottest-looking women in your locality? For enough money, they could probably let you choose from photos.

None of this needs a breach of biometric data, but it exposes citizens to criminals in ways that they would fall for more readily, because the scammer knows things about them that he can use to appear trustworthy, as opposed to a random stranger. A request to meet made on the street would not work, but if your average stranger could find your phone number based on photos and area, he could land up in your phone, a relatively trusted zone (most of us don’t give out phone numbers easily), to request a meeting very formally. It is the same stranger, but you would be under the illusion of having trusted him enough to give your number willingly.

The UIDAI likes to pretend that data security is strictly about Aadhaar being validated with biometrics, when in reality it is also validated with an OTP. Also, a data breach that leads to personal information being made public could harm the people the information belongs to in very real ways without breaching Aadhaar further. What the UIDAI is really saying here is that they care about their hoard of biometric data and not your safety; this is not a security breach for them. Only for you.

Unfortunately, you don’t have the right to even seek legal recourse when the UIDAI compromises your safety for its ambition.

So UIDAI saying this:

“There has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure,”

is complete nonsense.

Vidyut

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.

2 Comments

Aadhaar data for sale in enrolment centers for Rs 2-5 per applicant - Aadhaar FAIL · January 6, 2018 at 2:15 pm

[…] in reality it is a very big problem. As pointed out in an article dedicated to explaining how breach of Aadhaar data even in the absence of biometrics information is a huge security breach, a simple example from that post is easy to apply here: Any of these three agents could be the […]

Shooting the whistleblower - Hall of Fame - Aadhaar FAIL · January 7, 2018 at 1:53 pm

[…] access, as well as claiming that the breach that didn't happen wasn't dangerous, and other classic UIDAI nonsense, an FIR was filed against the journalist and the UIDAI is bullying The Tribune to prove that she […]
