Aadhaar is a 12-digit unique identification number issued by the Indian government to each Indian citizen. The Unique Identification Authority of India (UIDAI), which functions under the Planning Commission of India, is responsible for managing Aadhaar numbers and Aadhaar identification cards.
The purpose of the Aadhaar card is to provide a single, unique identification document or number that links all of a consumer's details, including demographic and biometric information.
The Aadhaar card/UID does not replace other identification documents, but it can be used as the sole proof of identity when applying for services that require identification. It also serves as the basis for the Know Your Customer (KYC) norms used by banks, financial institutions and other businesses that maintain customer profiles.
Risk of Aadhaar biometrics
Biometric data, unlike passwords, can never be changed, so if hackers successfully impersonate a fingerprint then they can cause serious havoc, and there is not much the victim will be able to do about it.
With the recent government policies making biometrics the central identity verifier via Aadhaar information, a billion consumers could be walking a thin line between security and convenience. Though it becomes extremely convenient to make transactions via a single touch on your smartphone, it also means that all a malicious hacker needs to get is your fingerprint. Once he gets that, there’s no stopping. Identity theft and fraudulent transactions may just be the beginning.
A simple fact: You cannot just change your fingerprint like you change your password in case of a hack. Even closing your account won’t solve your problems. Your fingerprint, wherever valid, can be used to steal your accounts.
Government’s claims about Aadhaar security
The government claimed that Aadhaar was completely secure and that consumers' data was absolutely safe from any malicious party, until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user's biometrics and then replay the saved data to carry out transactions on the victim's behalf.
In February this year, a YouTube video showed a demo of such a replay attack. Later that month, UIDAI filed a case against an employee of Suvidhaa Infoserve, saying that an Axis Bank gateway was used to carry out around 400 transactions by replaying Aadhaar information that had been saved earlier.
To resolve these issues, the government decided to roll out new policies to ensure that critical Personally Identifiable Information (PII) of its citizens does not fall into the wrong hands and get misused. On January 25, the Registered Device notification made registration and encryption mandatory for every single biometric reader currently in use.
According to the guidelines issued by the Ministry of Electronics and Information Technology, sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health, and biometric information cannot be stored by agencies without encryption.
In practice, the host computer can no longer store a user's biometrics, which eliminates the risk of stored biometrics being used for authentication without the individual's consent.
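The following is an added example, not code from the article or from UIDAI, showing why a capture that is sealed inside the reader and tied to a one-time server challenge cannot be replayed by a host that saved it. It is a simplified model rather than the actual registered-device protocol: the HMAC key shared between reader and server, the names `Verifier`, `device_capture` and `seal`, and the 30-second lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

DEVICE_KEY = secrets.token_bytes(32)  # assumption: key provisioned inside the registered reader
NONCE_TTL = 30                        # assumption: seconds a server challenge stays valid

def seal(key, nonce, capture_digest):
    """MAC that binds one capture to one server challenge."""
    return hmac.new(key, f"{nonce}|{capture_digest}".encode(), hashlib.sha256).hexdigest()

def device_capture(key, nonce, raw_scan):
    """Runs inside the reader; the host computer only ever sees the sealed packet."""
    digest = hashlib.sha256(raw_scan).hexdigest()  # stand-in for the encrypted capture
    return {"nonce": nonce, "capture": digest, "mac": seal(key, nonce, digest)}

class Verifier:
    """Server side: issues one-time challenges and checks sealed packets."""
    def __init__(self, device_key):
        self._key = device_key
        self._pending = {}  # nonce -> time issued

    def challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, packet, now=None):
        now = time.time() if now is None else now
        issued = self._pending.pop(packet["nonce"], None)  # each challenge works once
        if issued is None:
            return "rejected: unknown or already-used challenge"
        if now - issued > NONCE_TTL:
            return "rejected: challenge expired"
        expected = seal(self._key, packet["nonce"], packet["capture"])
        if not hmac.compare_digest(expected, packet["mac"]):
            return "rejected: not sealed by a registered device"
        return "accepted"

def demo():
    server = Verifier(DEVICE_KEY)
    live = device_capture(DEVICE_KEY, server.challenge(), b"constructed-sample-scan")
    saved = dict(live)  # what a host that stores packets would keep
    # live capture, verbatim replay, replay relabelled with a fresh challenge
    return (server.verify(live), server.verify(saved),
            server.verify(dict(saved, nonce=server.challenge())))

if __name__ == "__main__":
    print(demo())
```

Only the live capture is accepted: the verbatim replay fails because its challenge was already consumed, and relabelling the saved packet with a fresh challenge fails because the host cannot recompute the seal without the key held in the reader.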
How easy is it to steal fingerprints?
Hackers can easily clone your fingerprints to gain access to your life. What’s scarier is that it’s neither too costly nor too difficult.
Fingerprints can easily be picked up from everyday objects, and mass attacks are possible if the servers of UIDAI are hacked. Hackers can also skim fingerprints via malicious biometric devices, just as they do with infected credit card machines. The problem here, though, is that you can block your credit card but not your fingerprint.
Using the stolen print
This can be done by digitally replaying the print to authenticate applications and transactions. Another possibility is to use 3D-model printers to simply make a physical copy of the print. It is even possible to make physical fingerprint replicas using simple dental moulds and some playing dough. According to research at the Department of Computer Science and Engineering at Michigan State University in the US, fingerprints can be replicated for less than $500 with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. According to researchers at CITER, the disturbing thing about fingerprints is that they can be hacked using just everyday items, like some dental mould to take a cast and some playing dough to fill it. All they need is an impression of a person's fingerprint. Using the cloned fingerprint, the hacker can enter every mobile application or device that uses the fingerprint as a security measure.