New Delhi: Aadhaar data security – a hot topic since the introduction of the framework back in 2009 – is once again in the news. A three-month-long investigation claims to have uncovered a software patch that compromises the security of the data stored in the Aadhaar identity database.
The patch, which was not developed officially by the Unique Identification Authority of India (UIDAI), allegedly allows hackers to generate unauthorised Aadhaar numbers by disabling the security features of the official Aadhaar enrolment software. It is said to be sold for a one-time charge of as little as Rs. 2,500 and is reportedly already used by many enrolment operators across the country.
The new hack is believed to have its roots in the decision UIDAI took back in 2010 to speed up the enrolment process by opening it to private operators. Notably, the report highlighting the fresh Aadhaar patch emerges just ahead of the launch of a face recognition facility by the Aadhaar-issuing body. The facility will add face recognition to the existing iris and fingerprint scans used to verify users.
The patch is said to let a user bypass critical security features such as biometric authentication of enrolment operators, and to disable the enrolment software’s pre-installed GPS security feature, which UIDAI uses to identify the physical location of enrolment centres. Removing the GPS requirement would allow patch users to generate numbers from anywhere in the world.
Further, the unofficial patch reportedly reduces the sensitivity of the iris-recognition system of the enrolment software, allowing a photograph of a registered operator to be used for authentication.
All this makes it easier for anyone who has access to the patch to generate Aadhaar numbers “at will”.
“Whomever [sic] created the patch was highly motivated to compromise Aadhaar,” said Gustaf Björksten, Chief Technologist at Access Now, as quoted by HuffPost India. Björksten was among the analysts who analysed the patch. According to the report, the patch came into circulation in early 2017. Björksten added that the patch was the work of more than one coder.
When it opened Aadhaar registrations to private enrolment operators in 2010, UIDAI introduced a standardised enrolment software package called the Enrolment Client Multi-Platform (ECMP). The software must be installed on each enrolment computer. Björksten noted that the decision to offer an installation package to private enrolment operators, instead of a cloud-based solution, put the critical components of Aadhaar at risk.
This also eventually opened the avenue for a hack like the latest patch, which reportedly runs on top of the enrolment software and was created by “grafting code from older versions of Aadhaar enrolment software – which had fewer security features – onto newer versions of the software.”
Sent fraud list to PMO: Rajan
New Delhi: Former RBI governor Raghuram Rajan said in his report to a parliamentary panel that he sent a list of high profile fraud cases to the Prime Minister’s Office but was “not aware of any progress” on it. In his report to the panel headed by BJP leader Murli Manohar Joshi, Rajan says overoptimistic bankers, government foot-dragging and slow growth were factors in mounting bad loans. He also said the size of frauds in the public sector banking system had been increasing, though it was still small compared to the overall volume of NPAs. “The RBI set up a fraud monitoring cell when I was Governor to coordinate the early reporting of fraud cases to the investigative agencies. I also sent a list of high profile cases to the PMO urging that we coordinate action to bring in at least one or two to book. I am not aware of progress on this front. This is a matter that should be addressed with urgency,” said Rajan in his report. Unfortunately, he said, the system had been “singularly ineffective” in bringing even a single high profile fraudster to book. “As a result, fraud is not discouraged,” Rajan said.