Knowing Your Transactions (and thyself)
By Anand Venkatanarayanan and Anivar Aravind
This is Part 3 of a series on the Ola Qarth FIR. Here we focus on why the eKYC design is flawed and why it cannot be used for fraud prevention (someone getting multiple SIMs in your name), expanding further on the issues pointed out by Prof. Jayant Varma.
We also point out why Mr. Pandey’s explanation in The Hindu is insufficient. This is not the first time KYC User Agency (KUA) key sharing has been reported. The infamous biometric replay attack of February 2017 was the first instance of KUA key sharing, and apart from assuring everyone that Aadhaar is safe, UIDAI seems to have done nothing in the interim to stop this practice.
Madness of Paper IDs
Why are paper IDs bad for transactions? Two simple reasons:
- No purpose limitation.
- Unlimited copying: a copy of a copy is as good as the original.
These two simple reasons make them prone to fraud. An ID proof is typically a copy of the original, mostly self-signed. Since there is no purpose limitation written on the document itself (and even when there is, it can be skilfully removed by editing the digital image of the document) and more copies can be made of the copy, it is fraud prone.
So how can technology help solve this problem? The solution is a combination of the following:
1. Digital Identity.
2. Transaction ID which has purpose specification built in.
3. Cryptographic signature of (2) using (1).
4. Audit Trail.
A digital identity is a cryptographic key pair (a public key and a private key) that is universally recognizable; the private key is of course kept private. The key pair is mathematical wizardry built on the theory of prime numbers, which guarantees that what is encrypted with one key can be decrypted only with the other, and vice versa.
Ever seen that lock button in your browser when you visit your bank? That is a sign the website is genuine and has been verified by a trusted provider (such as Symantec).
There are other details in this identity, which, along with the public key, form a certificate.
Just like organizations, individuals can also be given digital certificates. Digital certificates can be used to certify identities, but not transactions, because they simply do not carry the additional information that is present in every transaction.
A transaction is basically between two parties with a purpose. When you want to buy a SIM, there is a transaction between you and the telephone company for a specific purpose. Since government regulations require the operator to ask for your ID, in the past we gave a paper ID; in the digital world, we can give a digital ID.
But how does the operator verify our ID? In the case of the bank and the browser, we look for the green lock. Similarly, if the digital ID is issued by a trusted provider (say UIDAI), the operator can verify it easily, provided the provider has a verification service.
However, this is not enough. We have to fill in the Customer Acquisition Form and put our signature on it apart from the plan details. It is possible to do the signing with our digital identity (and the operator with theirs). This completes the transaction. But how can we ensure that our ID is not used for some other transaction, such as issuing another SIM?
This is only possible by binding our digital ID to the document and ensuring that the document is tamper-proof. Digital signing of the transaction details is thus required, apart from identity verification, to ensure purpose limitation.
So how does digital signing ensure tamper-proof transactions? Remember that the digital ID has both a private and a public key. You create a checksum (a concise summary, for non-technical readers) of the document and encrypt that checksum with your private key. The result is called your signature of the document (what you signed).
Creating a signature, however, requires you to type in a “secret” that only you know. It is very similar to typing a PIN to withdraw money from an ATM, where the debit card is your digital ID and you need both to complete a transaction.
If you now attach this signature to the document through a binding (equivalent to putting a signature on paper), we can call it digitally signed. Since the public key of your digital ID is known, anyone can verify that it was indeed you who signed the document.
The telecom operator can now store this digitally signed document in its database to prove that it was you with whom it entered into an agreement, thus fulfilling the government’s Know Your Customer norms.
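The checksum-sign-verify flow just described, as an added Go example (not the authors' code, nor anything UIDAI or an operator provides): the resident's signature is bound to one transaction record that carries both parties, the purpose and a per-form ID, so the same signature does not verify when the operator tries to reuse it for a second SIM. Ed25519 stands in for the key pair, and the Transaction fields and sample values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a "Know Your Transactions" record; field names and values are constructed here.
type Transaction struct {
	TxID     string // one per Customer Acquisition Form
	Resident string
	Operator string
	Purpose  string
}

// canonical is the byte string that is checksummed and signed (fixed field order).
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("txid=%s|resident=%s|operator=%s|purpose=%s",
		t.TxID, t.Resident, t.Operator, t.Purpose))
}

// Sign checksums the transaction and signs the checksum with the resident's private key.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	digest := sha256.Sum256(t.canonical())
	return ed25519.Sign(priv, digest[:])
}

// Verify lets anyone holding the public key confirm that exactly this transaction was signed.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(t.canonical())
	return ed25519.Verify(pub, digest[:], sig)
}

// ReuseCheck signs one SIM purchase, then tries the same signature on a copy
// carrying a new transaction ID (a second SIM). Returns (original ok, reuse ok).
func ReuseCheck() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	first := Transaction{"CAF-0001", "resident-A", "telco-X", "issue one prepaid SIM"}
	sig := Sign(priv, first)
	second := first
	second.TxID = "CAF-0002" // the signature is bound to CAF-0001, so this must fail
	return Verify(pub, first, sig), Verify(pub, second, sig)
}

func main() {
	fmt.Println(ReuseCheck()) // true false
}
```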
- Aadhaar is only an identity verification mechanism and not a transaction verification mechanism. Thus it can only verify your identity if you provide your Aadhaar number or OTP/biometrics. It is not a digital certificate (Aadhaar eSign is different and we will discuss it later) and hence cannot be used for signing.
- It is not proof of address by itself; it relies on the strength of the paper-based address proof submitted during enrolment, which of course can be easily forged with the help of a friendly postman.
- However, on successful identity verification the API returns a signed PDF / XML block containing all demographic details along with the KUA and KSA identifiers, and this is used for auditing purposes under Know Your Customer norms.
- Thus it does not verify or validate the transaction of buying the SIM itself.
- Now let us say that a novice resident used the Qarth App to do self-eKYC by giving his/her OTP. This was validated by the App back end, which actually received a copy of the signed PDF / XML block as in (2) above. Since all it carries is the KUA/KSA identifiers, it can easily be used as proof that you indeed bought SIM cards, by forging the paper-based Customer Acquisition Form.
- By not disclosing the KUA whose key was used and not notifying all the residents who used this service between January 2017 and July 2017, UIDAI is actually putting them under massive legal risk, since possession of a SIM card bought in your name can make one a conspirator to terror attacks. (We really hope it is not one of the telcos or banks.)
- If the KUA is a bank, then the self-verified eKYC PDF or XML could be used to open an account for money laundering. Thus we really need to know who the KUA is, and UIDAI not disclosing it is wilful negligence.
- The basic design flaw that enabled this loophole in the entire eKYC process is that it conflates identity verification with transaction validation.
- Using biometrics worsens this problem because of the known failure rates. One can simply ask you to swipe your finger twice, blaming some system problem, issue only one SIM card, but use the XML block / signed PDF to issue two SIM cards, as explained by Prof. Varma.
KUA Key sharing
So why did the KUA key sharing that led to the Qarth App happen? The short answer is that it was approved as a proper use case by the chief architect himself, before the Aadhaar Act was passed by Parliament.
However, this position changed (after two years of eKYC misuse) with the new licence agreement changes.
Since every KUA is also an AUA, a shared KUA key allows demographic authentication, as the Qarth App showed. All that is required for demographic authentication (Page 11) is any of the following:
- Aadhaar number
- Name (Partial Matching), Date of Birth.
It is very easy to write a data puller using demographic authentication (even though it returns only a Yes/No) for any app using a shared KUA key, from just an Aadhaar number, without the resident ever being notified, and UIDAI will report this as “100 crore successful authentications on day X” and put out a wonderful media report extolling the virtues of Aadhaar.
eKYC enables private companies to build their own parallel databases. The Government continues to assure us that there haven’t been any data breaches etc. However, E-KYC ostensibly makes such data breaches unnecessary — because they just hand all the demographic data on a platter to private businesses.
Data received from eKYC is more than enough for Aadhaar Type 1 authentication by private operators in the UIDAI ecosystem without user consent, and all it takes is a shared KUA/AUA key.
When technology is broken, citing a law will not help the issues go away. No law can fix a broken technology.
Paper-based ID and address proofs are painful, and eKYC solves that problem to some extent. But as the name indicates, it solves the “Know Your Customer” problem for businesses. It does not solve the “Know Your Transactions” problem for residents and in fact makes it worse.
The design flaw can of course be fixed by simply inverting the initiator from the operator to the resident. A great example of this is the women-recharging-phones model by Idea (h/t: Ramnath for explaining this model to Anand V).
But that can only happen when there is an acknowledgement that flaws exist in the first place, and UIDAI’s leadership is too incompetent to even understand the risks, and even when they do, they provide false assurances to residents to evade responsibility.
Until then, all we can advise the rest of you is to “Know Your Transactions” and exercise vigilance. That is the price we have to pay for paperless convenience in this flawed model.