The Inside Man (Part 2)

Anand Venkatanarayanan
Jul 31, 2017


By: Anivar Aravind and Anand Venkatanarayanan

The earlier writeup required technical chops to grasp the full import of the Qarth FIR and was therefore hard for non-technical readers to follow. This writeup is a rewrite of that article, covering the same facts and implications without assuming a technical background.

The Facts

1. UIDAI filed an FIR with the Bangalore Police against Qarth, a payments company owned by Ola, alleging that its app gave out Aadhaar eKYC data without permission.

2. The very act of UIDAI filing an FIR implies that there was a breach: unauthorised access to the CIDR.

3. The Android application was pulled from the Play Store, and it did work, as the screenshots show. Had it not worked, there would have been no FIR and no need to pull it down.

4. The application accepted either (Aadhaar number, full name) or (Aadhaar number, mobile number) and returned a full KYC response, as the screenshots show.

5. There is only one "documented" way to get this response: by calling the eKYC APIs.

6. Calling the eKYC APIs requires license keys. Not everyone gets these, and the list of all KYC User Agencies (KUAs) allowed to provide these services is published by UIDAI.

7. The owner of the application, Abhinav Srivastava, definitely does not show up in that list.

8. The Aadhaar regulations specify that an eKYC requires consent from the user. Consent is obtained either through the OTP mechanism or by validation of a fingerprint.

Implications

1. The owner of the application definitely reused a license key belonging to one of the 232 KYC User Agencies.

2. As per the regulations, this is a criminal offence.

Sharing of Keys is forbidden

3. The Android application also ran against the production database and did not display the name of the KYC agency, which also violates the regulations.

Authentication Agency name must be displayed

4. The Android application used neither OTP nor fingerprint authentication; it used demographic authentication instead. While the law expressly forbids this, the API allows it, and as the application shows, any of the 232 KYC providers can take the same route, because an AUA and a KUA are one and the same as far as calling the API is concerned. Ideally the two should never have been mixed and should have been kept separate; that would have avoided the same back end serving both demographic and KYC authentication.

5. Demographic authentication is not authentication at all. It can only be called a "search", because all it needs is demographic properties such as a name or mobile number together with the Aadhaar number.

6. All of these identifiers were leaked for at least 13.5 crore people, as per the CIS report. The government itself has admitted that close to 210 government sites, including the four mentioned in the CIS report, did leak Aadhaar numbers, names and other information.

7. Since demographic authentication does not require notifying the holder via email or mobile phone, it opens up the terrible possibility that these holders' details could have been used as eKYC for obtaining SIM cards, opening bank accounts and so on. While we have no data to claim that this actually happened, it is a massive security hole in the entire ecosystem and must be plugged immediately (just shut down demographic authentication entirely, for all purposes, since OTP and fingerprint authentication are available).

8. The right way to think about demographic authentication is as a "search"; the word "authentication" is misleading. Consent in eKYC is also "purpose limited", and using a third-party Android app that does not show a "purpose" breaks the consent framework at its core.
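One way to make the distinction drawn in items 4 to 8 concrete, as an added example that is not part of the original article and not code from UIDAI, Qarth or any KUA: a policy gate that a KYC User Agency could run on every eKYC request before it is forwarded to the CIDR. A request is modelled here by the factor flags of the Aadhaar Authentication API's Uses element (pi, pa, pfa, bio, bt, pin, otp), a purpose string and a flag recording whether the client displayed the agency name; the record shape, the field names and the sample requests are constructed for the example, not captured traffic.

```python
"""Policy gate for eKYC requests at a KYC User Agency (KUA).

Added example, not code from the article, from UIDAI or from Qarth. Requests are
modelled by the factor flags of the Aadhaar Authentication API's <Uses> element
(pi, pa, pfa, bio, bt, pin, otp), a purpose string and an agency-displayed flag;
the record shape and the sample requests below are constructed for the example.
"""
from dataclasses import dataclass

# Factors that carry the resident's consent: an OTP delivered to the resident's
# registered mobile/email, or a biometric captured in the resident's presence.
CONSENT_FACTORS = frozenset({"otp", "bio"})
# Factors matched purely against stored demographics (pi covers name, gender,
# dob, phone and email; pa/pfa cover address). Anyone holding a leaked
# (Aadhaar number, name) or (Aadhaar number, mobile) pair can satisfy them.
DEMOGRAPHIC_FACTORS = frozenset({"pi", "pa", "pfa"})


@dataclass(frozen=True)
class EkycRequest:
    uses: frozenset          # factors flagged "y" in the <Uses> element
    purpose: str             # purpose shown to the resident; "" if none
    agency_displayed: bool   # did the client show the KUA name?


def classify(uses):
    """'authentication' if a consent factor is present, otherwise 'search'."""
    return "authentication" if uses & CONSENT_FACTORS else "search"


def evaluate(req):
    """Return the policy violations for a request; an empty list means allow."""
    reasons = []
    if classify(req.uses) == "search":
        reasons.append("no consent factor (otp/bio): demographic-only request")
    if not req.purpose.strip():
        reasons.append("no purpose stated: eKYC consent is purpose-limited")
    if not req.agency_displayed:
        reasons.append("KUA name not displayed to the resident")
    return reasons


def decide(req):
    """Deny on any violation; a KUA gate should fail closed."""
    return "allow" if not evaluate(req) else "deny"


def audit(batch):
    """Summarise a batch of requests the way a KUA's daily review might,
    counting decisions and how many requests were really just searches."""
    counts = {"allow": 0, "deny": 0, "search": 0}
    for req in batch:
        counts[decide(req)] += 1
        if classify(req.uses) == "search":
            counts["search"] += 1
    return counts


# Constructed samples (not real traffic). The first two mirror the inputs the
# Qarth app's screenshots show: Aadhaar number plus name, or plus mobile; both
# are a "pi" match and nothing else.
LOOKUP_BY_NAME = EkycRequest(frozenset({"pi"}), "", False)
LOOKUP_BY_MOBILE = EkycRequest(frozenset({"pi"}), "", False)
OTP_KYC = EkycRequest(frozenset({"otp"}), "Bank account opening", True)
BIO_NO_PURPOSE = EkycRequest(frozenset({"bio"}), "", True)

SAMPLES = {
    "lookup by name": LOOKUP_BY_NAME,
    "lookup by mobile": LOOKUP_BY_MOBILE,
    "OTP eKYC with purpose": OTP_KYC,
    "fingerprint eKYC, no purpose": BIO_NO_PURPOSE,
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:30} {classify(req.uses):15} {decide(req):6} {evaluate(req)}")
    print(audit(list(SAMPLES.values())))
```

Run as a script, it prints the classification, decision and reasons for each sample: the two demographic-only lookups are classified as a search and denied on all three counts, the fingerprint request is denied only for its missing purpose, and the OTP-backed request with a stated purpose passes. The gate is deliberately on the KUA side, because that is where the license key lives and where a demographic-only request from an unexpected client is first visible.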

Conclusion

Until the above security hole is plugged, using Aadhaar for eKYC is no better than the existing paper-based KYC process. The primary purpose of eKYC is to give residents a safety net against their paper KYC documents being forged and used without their knowledge for illegal purposes. Yet even the normal, properly authenticated eKYC process returns a signed PDF, which can be cached and reused.

Even with eKYC, serious issues remain, as pointed out by Prof. Jayant Varma in his blog. This raises the question: if eKYC is no better than the existing solution and carries the same problems, what value does it offer citizens, who were compelled to obtain an Aadhaar number by handing over their biometric identifiers?

The obvious answer is none.

(This article is released under a CC-BY license. Media organisations are free to repost this article in its entirety or to use the analysis here in the correct context without distorting it, as long as they provide a back link to this post.)
