This is a letter by Sameer Kochhar to Dr. Gulshan Rai in February 2017 warning of the subversion of India’s financial security through Aadhaar after UIDAI took legal action against him for reporting the vulnerability of a replay attack being possible to conduct unauthorized transactions using the Aadhaar payment app for merchants. Appropriate actions taken according to the concerns raised in this letter would have prevented several instances of fraud in the past months. No action appears to have been taken on the contents of this letter.
Subject: Highly Confidential
Date: 15 February 2017 at 3:07:51 PM IST
To: Dr. Gulshan Rai
Cc: Mr. Shaktikanta Das, Dr. Hasmukh Adhia, Ashok Lavasa, Ms. Aruna Sundararajan, Dr. Ajay Bhushan Pandey, A. Hota, Dr Gursharan Dhanjal
15th February 2017
Dr. Gulshan Rai
National Cyber Security Coordinator
Prime Minister’s Office
Room No 307, 3rd Floor, Sardar Patel Bhawan, Parliament Street, New Delhi 110001
Dear Dr. Rai,
You may be aware that Inclusive Growth of India is my lifetime work and passion. Several initiatives of the government in this regard including Jan Dhan Yojana, Fasal Bima Yojana, Demonetisation, Digital Payments and several others have been influenced by my 17 books related to these areas. Most of the current policies and their likely implications have been suggested years ahead in my work. Today I write to you on a matter that I believe to be of grave national security concern.
I have been raising issues related to Aadhaar and Payment Systems for very long. The first time I had raised an alarm was in INCLUSION magazine issue of April-June 2011, available at http://inclusion.skoch.in/issue/10/pied-piper-of-technology.html. Practically every issue predicted and discussed in 2011 has come back to haunt Aadhaar later. Some correctives too have been applied on the basis of this magazine.
Being a reforms historian, I smell a trend that several individuals may have been working in concert for many years (since 2011) to somehow control the electronic payments and financial systems of India. I am not an investigative agency and am therefore unable to come to a conclusion on whether these are a series of coincidences or a concerted action.
If assured of my safety and protection under the Whistle-blowers Act, I would be happy to brief you on these, and then it is up to the government to decide if the matter is worth pursuing.
I was made aware by several sources of the following:
- Whenever Aadhaar Biometric is used on any merchant, PoS or acquirer, it is possible to store an image of the biometric locally. This raises the possibility of Aadhaar being used even without the person being present, or even of illegal transactions being carried out.
- I was sent an evidence video of such an action being demonstrated and I have put it in the public domain at https://www.youtube.com/watch?v=XrKwO2yW910
- CEO UIDAI has publicly tweeted calling this video a fake and accused me of rumour mongering while not answering a single question raised by me. He has also made several frivolous tweets tagging the Hon’ble Prime Minister, Hon’ble Finance Minister and Mr. Amitabh Kant. The public at large may construe this as the official government reaction to my article and tweets. If that is not the case, the appropriate authority may advise him to retract the tweets and apologize; alternatively, he must provide detailed answers to the questions raised by me. If satisfied by such an answer, I would be happy to apologize and withdraw my tweets.
- The name and phone number of the person using the app is clearly visible in the video and I urge you to investigate if the transaction happened and an authorisation code was generated. I am assured by my source that this indeed happened. I do hope that once you reach the source of the video, the person would not be victimised or targeted in any way by the concerned authority(ies) for doing his patriotic duty.
- The application being used is a retail app with an Aadhaar API. The card shown is that of the retailer and the biometric used is that of a dummy customer.
- I am also informed that every time Aadhaar is used, it generates a unique number (the same number for every usage) that contains as variables a time stamp and the place where the biometric has been used. This information, as well as the Aadhaar number, is visible to the person owning the point of usage. If true, the implications are very scary, more so with every Indian’s biometric being available at any roadside place without any regulation, audit or control.
- I believe that the merchants/front ends of such apps are made to sign an agreement not to locally store or use such information. This piece of paper is the only identity protection available to the citizens.
- Given the foreign ownership of so many mobile wallets, how difficult or easy is it for, say, China or Pakistan to be using sensitive Indian biometrics or even to subvert the whole system?
- I believe that several people within the government are aware of this problem and there is a series of official as well as civil society correspondence on the matter with NPCI, UIDAI, RBI etc. It is my understanding that the political leadership of the country has not even been made aware of such a danger and the cover up.
- If the authorities are aware of this issue, then why and by whom are Aadhaar enabled payment systems being promoted instead of conventional electronic payments? Mr. Amitabh Kant recently made a statement that biometric and mobile would be the only mode of payments in the near future and PoS machines and cards would not be required.
- BHIM App is being very actively promoted by Niti Aayog. I am given to understand that the app was commissioned by NPCI through an outsourced private vendor called “Juspay” in Bangalore. I am sure it would be easy for the government to find the ownership structure of the vendor and potential conflicts of interest if any with Niti Aayog. I may hasten to add that recently a conflict of interest has been discovered between a multinational foundation working with the government in the area of health.
- Given that such a serious application has been outsourced and not made by RBI, NIC or CDAC, I hope extraordinary precautions were taken and there are appropriate security mechanisms in place.
- Electronic money has the same sanctity as money and must be used universally. Interoperability of such money is not mandatory by law. There are lobbies stopping such a policy direction in order to create islands and monopolies. This must be urgently stopped; otherwise there may be serious erosion of the faith of citizens in electronic money that keeps getting locked up in various wallets.
- NPCI has become a single point for all payments. Has the cyber risk associated with it been assessed? NPCI is neither owned nor regulated by the government, and yet it is actively pushed either as an arm of the government or an arm of the regulator. This is notwithstanding the ownership of NPCI by banks (multinational, private and Indian) and the conflict of interest of NPCI shareholders due to their obvious interest in creating and retaining payment monopolies.
- Why do personnel in UIDAI, NPCI, advisors to government etc. seem to have a lifelong term, with innumerable extensions and reappointments, when it deals with Aadhaar or Payments?
These are just a few issues that I think your office may like to examine. I am trying to do only my duty to Bharat Mata, as not bringing up these issues would, to my mind, be treason.
Chairman and Chief Editor
- Mr Ajit Kumar Doval, National Security Advisor to Prime Minister
- Dr Urjit Patel, Governor, RBI
- Mr Ashok Lavasa, Finance Secretary
- Mr Shaktikanta Das, Secretary-Economic Affairs
- Mr Hasmukh Adhia, Secretary-Revenue
- Ms Aruna Sundararajan, Secretary, MeitY
- Dr A B Pandey, CEO, UIDAI
- Mr A P Hota, MD & CEO, NPCI
So it appears that private warnings about the dangers of Aadhaar get ignored and public exposés get persecuted. There does not appear to be an intention to make Aadhaar secure.