Tuesday, March 13, 2018

Can your aadhaar card be hacked / misused?

Yes, your Aadhaar card can be hacked, and that can result in data theft, monetary loss and identity theft / cybercrime. So, hold your breath and count to ten; no swearing / no bad words here... ;)

Aadhaar - One Nation, One Card :D
It is well known now that Aadhaar has become synonymous with a person's identity in India. Thank you, Narendra Modi (PMO). I liked him better when he opposed Aadhaar as Gujarat's CM, when the Congress Party was ruling the country.

Constitutional Validity of Aadhaar
The face of Narendra Modi post-2015, when he openly defied the Supreme Court verdict by linking Aadhaar to more than 100 schemes, both public and private, while passing the Aadhaar Act, 2016 as a money bill in the Lok Sabha, where the BJP had a majority: I started disliking him further when his government and cabinet of ministers made the Aadhaar card mandatory for both public and private services instead of keeping it to its original purpose as envisioned (vis-a-vis DBT, govt subsidy and tracking leakages / tracking corruption).

Contempt of Court
When any act outlives its original purpose, becomes draconian and violates constitutional principles like fundamental rights and the right to live a dignified life (Article 21, which also includes the right to privacy as interpreted by the Supreme Court of India), it must be scrapped or repealed, as nobody is above the constitution. The Supreme Court is the apex court, in charge of interpreting the law, and its judges are ALSO bound by the constitution.

Where's the Security?
The question is NOT about an individual's opinion or my right to privacy; it concerns every *single* citizen of India. If they can't provide maximum security in terms of physical, electronic and digital security, they should at least have the decency to admit that their security is NOT up to the mark. Security won't "magically" happen when UIDAI / the Modi govt says the Aadhaar database is secure. Something has to be shown, like improvements to the Aadhaar public database, Aadhaar verification, the e-hospital portal (which was used to hack Aadhaar once), the recently disclosed details through Verity Infosol, Hyderabad... What are these people doing to "really" improve security by implementing safeguards / security standards??

Where's the transparency?
All too frequently, people lament about transparency and corruption (transparency in THIS product / THAT service); let me ask you, what is the level of security of UIDAI / the Aadhaar database?? Where's the transparency? You expect me to file an RTI??

Aadhaar Card - Not So Secure 
And all this ranting about the Aadhaar card is for naught if I can NOT make you understand the implication of losing your privacy, right? Here are the problems with the Aadhaar card:

1) I can NOT change my fingerprint or iris if it is lost / leaked
- Unlike a credit card, debit card or SIM card, which can be blocked and reissued; a biometric, once copied, is compromised for life

2) Single point of failure
- Some judge and some panelist on some TV channel said the government already has all of this information about you, so why are you uncomfortable sharing this data??
- Goes to show how uninformed the judge / panelist is about "disaster management / disaster recovery"
- Aadhaar is a centralized database, which is a single point of failure: one breach, or one outage, affects everyone at once

3) OTP is issued by Aadhaar's website, hmmm, OK!
- So we are in 2018?? And you're telling me OTP is foolproof :P
- Physical attacks / social engineering work: an OTP only proves that whoever typed it could read it, not who that person is

4) Aadhaar's Android app, mAadhaar, is an APK file
- There's a whole hour's worth of demonstration I can give on Android security
- And I could conduct a full course on how to security test mobile devices / mobile OS
- Android OS, the Android API, the APK and device permissions / settings / the works...

Quoting from LiveMint's article, http://www.livemint.com/Opinion/iUYT70CSTkEIuu2BDbCCsM/The-Aadhaar-ecosystem-leaks-too-much-data.html :
"A valid Aadhaar number is a key that opens multiple locks. Dialing *99*99# connects you to NPCI's query service on Aadhaar mapper (QSAM), which cheerfully tells you which bank the Aadhaar holder is receiving subsidy deposits in. Indane's website will tell you the name of the Aadhaar holder and their LPG connection ID, and the history of banks they have received subsidies in. Keep probing services like this, and soon enough one builds a comprehensive profile of an individual containing information that is most certainly not known to Google and Facebook, the Aadhaar ecosystem's preferred bogeymen. Forget state-level actors, this is now available to common scamsters. Everyone from housemaids to members of Parliament have fallen prey to targeted phishing scams that use private information to convince the victim that they genuinely represent the service provider, only to find that money has been stolen from their bank accounts soon after."

Disclaimer - I do NOT have to perform ANY of the above mentioned attacks... It has all been done before, and it will be done again unless UIDAI and the Govt of India take concrete steps to "regularly", and I emphasize "regularly", audit the Aadhaar infrastructure, gain the public's trust and make Aadhaar genuinely useful for the public.
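The LiveMint quote above describes the real problem in one sentence: one number is the key to every service, so anyone who learns it can query each service in turn and stitch the answers together. The following is an added example, not code from the original post and not anything UIDAI or NPCI runs; the three service names, the 12-digit numbers and the records are constructed placeholders, and the mitigation shown (a per-service pseudonym derived with HMAC-SHA256 under a key only the identity provider holds for that service) is a standard tokenization pattern that I am assuming, not something the page attributes to Aadhaar.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: three hypothetical services that each keep a record
# keyed by the same 12-digit number. The numbers and records are made up and
# are not real Aadhaar numbers or real service APIs.
SAMPLE_UID = "123412341234"
SERVICES: Dict[str, Dict[str, dict]] = {
    "subsidy_mapper": {SAMPLE_UID: {"bank": "Example Bank", "ifsc": "EXMP0001234"}},
    "lpg_provider": {
        SAMPLE_UID: {"name": "A. Citizen", "connection_id": "LPG-000042"},
        "999999999999": {"name": "B. Citizen", "connection_id": "LPG-000043"},
    },
    "telecom_kyc": {SAMPLE_UID: {"mobile": "9000000000", "address": "12 Example Road"}},
}


def build_profile(uid: str, services: Dict[str, Dict[str, dict]]) -> dict:
    """Ask every service for the record behind the same number and merge the
    answers. This is the aggregation the LiveMint quote describes: the only
    input the attacker needs is the number itself."""
    profile = {}
    for name, table in services.items():
        record = table.get(uid)
        if record is not None:
            profile[name] = record
    return profile


def service_token(uid: str, service_key: bytes) -> str:
    """Per-service pseudonym for uid: HMAC-SHA256 keyed with a secret that only
    the identity provider holds for that service. Tokens under different keys
    are unrelated, so a token leaked by one service is useless at another."""
    return hmac.new(service_key, uid.encode("ascii"), hashlib.sha256).hexdigest()


def tokenize_table(table: Dict[str, dict], service_key: bytes) -> Dict[str, dict]:
    """Re-key one service's records under that service's tokens instead of
    the raw number, i.e. what the service would store if it never saw the
    number at all."""
    return {service_token(uid, service_key): rec for uid, rec in table.items()}


def cross_service_hits(identifier: str, services: Dict[str, Dict[str, dict]]) -> int:
    """How many services a single leaked identifier unlocks. With the raw
    number this is all of them; with per-service tokens it is at most one."""
    return sum(1 for table in services.values() if identifier in table)


def demo() -> dict:
    # Assumed per-service keys; in practice these would be random secrets,
    # generated and held by the identity provider, never by the services.
    keys = {name: f"secret-for-{name}".encode("ascii") for name in SERVICES}
    tokenized = {name: tokenize_table(tbl, keys[name]) for name, tbl in SERVICES.items()}
    leaked_token = service_token(SAMPLE_UID, keys["lpg_provider"])
    return {
        "raw_profile_services": len(build_profile(SAMPLE_UID, SERVICES)),
        "raw_number_hits": cross_service_hits(SAMPLE_UID, SERVICES),
        "leaked_token_hits": cross_service_hits(leaked_token, tokenized),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second half is not the hash itself but where the key lives: if every service could compute the same token, the token would simply be a new shared identifier and the join would work again. Keeping one key per service at the identity provider is what breaks the correlation, and it also means a service that is breached hands the attacker nothing that can be replayed at the next one.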

(Despite having a bunch of "interesting" and "useful" individual identity cards under the Essential Commodities Act, Motor Vehicles Act and Passport Act, i.e. separate means to identify people and to access govt schemes and services, people are coerced to enroll with UIDAI/Aadhaar and produce it for public and private services, in violation of the Supreme Court's August 2017 verdict. In legal jargon, it is called contempt of court...)

Hacking aadhaar is NOT new / newsworthy
It happens regularly... It is well known to people working in the security industry that the Aadhaar database has been breached about half a dozen times in the last 2 to 3 years, by various eminent individuals... ;))

https://www.thehindubusinessline.com/info-tech/uidai-suspends-airtel-airtel-payments-banks-ekyc-licence/article9995428.ece
http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
https://www.thequint.com/news/india/exclusive-aadhaar-dirty-secret-out-add-anyone-as-data-admin
https://thewire.in/210954/uidai-aadhaar-security-breach/

Bone of contention?
Unfortunately, the Aadhaar card as of now serves no additional purpose that your other identity cards, bank accounts and social welfare schemes fail to provide. Why do we need Aadhaar? For state surveillance on citizens of India, or to catch a Nirav Modi, a Vijay Mallya (Kingfisher) and/or a Lalit Modi (IPL scam)??

3 Point Conclusion
1) At present there is no data protection / privacy law in India; we need these laws... (the IT Act does NOT count as a full-fledged privacy law; read up on laws / legalese please!)

2) The Indian govt must have a framework for citizens' identity to be safely accessed via Aadhaar, limit the level of data available to third parties, conduct periodic security assessments / checks, comply with the laws of the land, provide an opt-out clause, and allow citizens access to essential services such as direct benefit transfer, food subsidy, bank accounts and mobile phones without coercion to provide an Aadhaar card.

3) So when Aadhaar becomes congruent with its original vision of distributing benefits and subsidies and tracking leakage / corruption, I will be the first person and the best proponent of Aadhaar. I will encourage people to enroll and sensitize them to the benefits of Aadhaar. Let's safely say that's 5 to 10 years away... :D

Currently, Aadhaar's constitutional validity is being hotly debated in the Supreme Court of India...

I'll leave it at that... Peace Out!

- Kish