In September 2017, the Uttar Pradesh STF busted a network of hackers who had been able to bypass the UIDAI biometrics requirements to create fake Aadhaars. They created fake fingerprints, patched the enrolment software to bypass the requirement for iris scans and enrolled fake Aadhaars for

This is a translation of the Press Release by the STF at the time

Special Task Force, Uttar Pradesh, Lucknow

Press Note No.- 203 Date- 10.09.2017

A gang of Hackers, trying to forge Aadhar Cards through Bypass and Finger Print Cloning of biometric standards as laid down by UIDAI, exposed.

A gang of Hackers, trying to forge Aadhar Cards through Bypass and Finger Print Cloning of biometric standards as laid down by UIDAI, has been exposed by a Special Task Force, Uttar Pradesh on 09.09.2017. A rare distinction was achieved when head of the gang Saurabh Singh, along with 10 other accused were arrested from Kanpur-Urban district.

Details of arrested accused people-

1) Saurabh Singh S/o Bhupendra Singh, R/o H.No. K-22, Bank Colony P.S., Barra, Kanpur-Urban.

2) Shubham Singh S/o Bhupendra Singh, R/o H.No. K-22, Bank Colony P.S., Barra, Kanpur-Urban.

3) Shobhit Sachan S/o Gyanendra Singh, R/o H.No. K-219, Bank Colony P.S., Barra, Kanpur-Urban.

4) Shiv Kumar S/o Dinesh Kumar, R/o Sagra P.S., Zafarganj, Fatehpur.

5) Manoj Kumar S/o Malkhan, R/o Village Dheera, P.S. Bindki, Fatehpur.

6) Tulsiram S/o Ram Prakash Shakay, R/o Village Chaoudhary Bhogav, P.S. Bhogav, Mainpuri.

7) Kuldeep Singh S/o Lt. Shiv Kumar Singh, R/o Village Sarsideeh, P.S. Kandhai, Pratapgarh.

8) Chaman Gupta S/o Ashvani Gupta, R/o Pihani Chungi P.S., Hardoi Rural.

9) Guddu Gond S/o Kalpnath Gond, R/o Village Visunpura, P.S. Ahiraoula, Ajamgarh.

10) Satendra Kumar S/o Chandrapaal, R/o H.No. 119 K.R. Puram, Sangwa Road, P.S. Chakeri, Kanpur-Urban.

Details of seizure:-

S.No.

Item

Quantity

1

Laptop

12 only

2

Artificial finger prints on paper

38 only

3

Chemically made artificial finger prints

46 only

4

Mobile phones with SIM card

12 only

5

Aadhar finger scanner

02 only

6

Finger scanner device

02 only

7

Iris-Ratina Scanner

02 only

8

Rubber Stamp

08 only

9

Aadhar Card

18 only

10

Web Cam

01 only

11

GPS Equipment

01 only

12

Polymer Curing Instrument (UV Rays)

01 only

13

Photo Polymer Rayses (Pink Chemical)

01 only

14

Printo Print Enhancer

01 only

15

Transparent Glass Plate with artificial finger print stuck in middle with tape.

02 only

In last few days, STF, Uttar Pradesh was getting information/clues about a gang active in misusing Operator Mandatory certified logic ID and Bypass for making forged Aadhar Cards through Tampered Client Application involving unauthorised persons from Operators and Enrolment Agencies. After UIDAI got cues regarding above information, Deputy Director of UIDAI registered complaint with Cyber Crime Police Station with reference no. 02/2017 IPC Sections 416/419/467/471 and Sections 66 / 66C / 66D I.T. Act. Before this, complaints related to Aadhar Card were also registered at Lucknow, Deoria and Kushinagar. As an inter-state gang was active in the case UIDAI requested STF, Uttar Pradesh for help to expose the gang activities. In this connection, Additional SP Shri Triveni Singh, and his team, were directed by Shri Amitabh Yash, IG, STF, UP and Shri Manoj Tiwari, DGP, Senior SP, STF, UP, to notify collected information and take necessary action accordingly. Accordingly, actions were taken in the case and police mechanism was set on alert.

During investigation it was found that the above module is active in different districts of UP and Saurabh Singh of Kanpur is mastermind of the above gang. All details were detailed and attested to trace the locations and movement of the mastermind, Saurabh Singh, by Cyber team of the STF Headquarters. After exact information were extracted, Saurabh Singh and other 10 mentioned above were arrested, along with above seizures, by ASP Triveni Singh, from H.No. K-219, Bank Colony P.S., Barra, Kanpur-Urban on 09.09.2017.

The arrested accused told that to make forge Aadhar Cards they were bypassing the set legal standards and they took finger prints of authorised operators through Biometric device. Thereafter they took print on butter paper from lazer printer. Thereafter, it was treated with photo polymer regin chemical in polymer curing instrument (UV-Rays), heated at 10 degree and then at 40 degrees to produce artificial finger prints similar to original finger print. The artificial finger print is used to log in Aadhar Card website. This artificial finger print of the operator is used by other people at different places to complete the enrolment of aadhar. The artificial finger print works like the original one only. It is important to mention that earlier Aadhar Client Application was accessed through finger print of the operator, but when it was found that hackers are using clone finger prints to access the system, UIDAI added IRIS authentication along with the finger print to access the application and therefore, access by fraud operators was restricted. But, while investigating the case, it was found that hackers have developed the technology to bypass the IRIS authentication requirement. These application hackers started sending unauthorised operators, taking 5 thousand from each. This way a number of machines could work on single ID of an operator.

During investigation, another fact came to light that the standard Information Security Policy was not enacted by UIDAI with Registrars, Enrolment Agencies, Supervisors, Verifiers and Operators. Using this loophole hackers were able to create forged Aadhar cards. Security Audit for whole Aadhar Enrolment Process would be done.

The above persons are booked by the Cyber Crime Police, Lucknow, under IPC sections 419, 420, 467 468, 471, 473, 474, 34, Sections 66, 66C and 66D of IT Act and Section 7/34 of Aadhar Act and further necessary investigations and actions are carried forward.

Modus Operandi

Bypassing of set biometric standards of UIDAI through Clone Finger Print and tampering of Source Code of Application Client of UIDAI, establishing Fake Tampered Client Application, bypassing set Operator Authentication Process to make forged Aadhar Cards.

At that time, the UIDAI had claimed that this was a foiled attempt – implying that the gang had not been successful in making fake enrolments.

“UIDAI’s technological system and architecture is so robust and resilient that it detected some anomalies and abnormal activities in the enrolment process. UIDAI took cognisance of it and filed a complaint with UP STF along with the details of such operators and enrolment agencies for further investigation and necessary action under law,”

However, by now, readers of this site know that what UIDAI claims and what really happened can be entirely different things.

In January 2018, GoNews 24×7 followed up on this story to discover startling information. The mastermind of the scam is still at large and the equipment and cracked software used for bypassing the UIDAI safeguards and creating fake Aadhaars is still available. Neither the police nor the UIDAI were able to say how many fake Aadhaar cards were made by this gang. This is not surprising, given that once validated and enroled, there is virtually no way for UIDAI to know which Aadhaar ID is real and which one false unless they individually verify the all the details available with them. The STF believes that this software is in use by several different enrolment agents who conduct Aadhaar enrolments for UIDAI.

In other words, there is no telling how many such cards are in the system, how many of them are in use and how many more will be created.

I expect the UIDAI will continue to assure us that the data is safe, even if an unknown portion of it may be fake.


Vidyut

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.

Leave a Reply

Your email address will not be published. Required fields are marked *