Aadhar — Why you should be worried about your money
Biometrics are awesome for identification, So awesome that we can secure our phones with a single click using our finger print. You can then use this security (atleast in theory) to do bank transactions, do a recharge, Top up your paytm, pay for Uber, all the goodness with ease. A lot of it is already setup in many countries.
In the era of demonetization, and in a digital world where we are now not allowed to use cash over 2 Lakhs. All that is needed to unlock all our bank details /transactions is our trusted finger which no one else has. So awesome !! Small problem — The government has all our fingerprints and all that data is as secure as money left on the ground.
Few Details is all that is needed to hack
Usually banking security depends on the following :
- Mobile number : Bank sends an OTP which is used to verify identity. Threat level : High. Sim card cloning is easy: Read this: Sim card cloning or read this if you want to do it Quora Sim card cloning How to
- Email: Threat level : High. As they say “Privacy online is a myth” (Pitchers). No need to go deep, emails are insecure, period.
- Password/ Forgot password: Once you get enough data on a person you can just use forgot password to get access. Sample questions like “Who was your high school teacher or what was your first car” are some of the easiest to mine since lot of these records are public — i.e not on your end but on the providers end.
So, What does this have to do with aadhar ?
Currently a lot of the aadhar data is actually available as Excel dumps. Read this DNA article on Aadhar. Aadhar has almost all our data including our private info, fingerprints and Iris scans, which might be great for identification when protected and used correctly but currently this is the state:
- Aadhar act protects your data until a court order comes around to see everything except biometrics. Only problem is that it is almost impossible to prove that Aadhar is the source of data in a court of law.
- There is no hotline/emergency system for vulnerability or identity theft. So, even if there is a potential hack — no action will be taken nor a case registered until a cyber crime actually happens
- White hat hackers who showed a vulnerability got arrested. This is the biggest problem, even if someone found an issue — instead of addressing and resolving , they resorted to sedition charges. Read this or this
What we need before enforcing Aadhar
The idea of Aadhar is great, but in its current state it can easily turn into one big mess. We need the following to ensure its security and privacy:
- Hotlines dedicated to Aadhar crimes/Digital crimes
- Open sourcing of security software and a Bug bounty to find and resolve major issues. Any computer science person would tell you that security is achieved through encyrption and not by hiding the code. In fact if aadhar software depends on the code rather than cryptography algos than it is in fact more vulnerable.
- UIDAI needs to reveal its encryption techniques and prove its software to security researchers. Currently we don’t know if they even have a cryptographer or security researcher in the team
“With great power comes great responsibility” and I have serious apprehensions about the leadership of UIDAI which has not been ready to prove its credentials on security. In such a situation, we need to make more noise to make them act or just be ready for that time when a crazed hacker steals all your money/info which you were forced to add to “Digital India” with Aadhar and demonetization.