Business Standard

Aadhaar breach exposes holes in ecosystem

SAHIL MAKKAR, New Delhi, 3 March

Recently, the Unique Identification Authority of India (UIDAI) filed a criminal case against unknown persons after it found that biometric details of individuals had been illegally stored and used to carry out unauthorised transactions. These incidents of alleged storage of biometrics and their subsequent unauthorised use have exposed vulnerabilities in the Aadhaar ecosystem. The exposé is alarming because government and private agencies perform large-scale financial transactions and authenticate individuals using their Aadhaar number and biometric details every day.

The UIDAI is the repository of the biometric details of more than 1.1 billion Indians and allows more than 400 empanelled authentication user agencies (AUAs) to access its servers. These AUAs in turn provide access to hundreds of their sub-units, spread across the country. Take the example of a telecom service provider, which acts as an AUA; its affiliated offices are sub-AUAs. Similarly, a state government can be an AUA and its various ministries and departments sub-AUAs. These AUAs and their sub-units are authorised only to perform yes/no authentication, in which UIDAI returns nothing more than whether the submitted biometric matches the record held for that Aadhaar number, and not e-KYC (Know Your Customer) authentication, which also returns the individual's demographic data.

The AUAs and their sub-units are also prohibited under the Aadhaar Act, 2016, from storing an individual's biometrics and from performing unauthorised transactions. According to the UIDAI, e-KYC can only be performed by a licensed KYC User Agency (KUA) for providing subsidies, services and benefits to the intended beneficiaries.

UIDAI, which swung into action following an article and a video on social media that allegedly exposed the vulnerability in the Aadhaar ecosystem, has also sent notices to Axis Bank, its business correspondent Suvidhaa Infoserve and eMudhra, a KUA licensed by the authority.

In its notice, UIDAI said that on January 11, five authentication transactions were performed using one Aadhaar number on the same device, and all five authentications had the same biometric match score. A fresh fingerprint capture varies slightly from one attempt to the next, so identical scores across repeated attempts indicate that a stored copy of the biometric was submitted rather than a live capture. It said Suvidhaa Infoserve was not a licensed KUA with UIDAI but was using Axis Bank's e-KYC licence key, which was not permitted and therefore illegal. In the FIR, UIDAI said it found that such unauthorised authentications took place between July 14, 2016, and February 9, 2017. A total of 397 biometric authentications were performed, of which 194 were through Axis Bank, 112 through the e-signature provider eMudhra and 91 through Suvidhaa Infoserve.
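The two signals described in the paragraphs above, a replayed stored biometric (repeated attempts from one device against one Aadhaar number returning identical match scores) and an agency calling an API it holds no licence for (a sub-AUA submitting e-KYC requests), can both be checked from an agency-side authentication log. The following is an added example and not UIDAI's or any agency's own code; the record layout, the "auth"/"ekyc" API labels, the licence table, the agency names and the log lines are all constructed for illustration.

```python
"""Added example, not UIDAI code: two checks over an agency-side
authentication log modelled on the signals the article describes.
The record fields, API labels, licence table and sample log are
assumptions constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRecord:
    ts: str             # ISO timestamp of the attempt
    uid_ref: str        # opaque reference to the Aadhaar number, never the raw number
    device_id: str      # registered authentication device
    agency: str         # entity whose licence key was used for the request
    api: str            # "auth" (yes/no) or "ekyc"
    match_score: float  # biometric match score returned for the attempt


# Constructed sample log (not real transaction data). Five attempts
# from one device against one number with byte-identical scores is
# the pattern the notice describes; live captures vary between attempts.
SAMPLE_LOG = [
    AuthRecord("2017-01-11T09:02:11", "uid-A", "dev-17", "BankA", "ekyc", 0.9132),
    AuthRecord("2017-01-11T09:02:40", "uid-A", "dev-17", "BankA", "ekyc", 0.9132),
    AuthRecord("2017-01-11T09:03:05", "uid-A", "dev-17", "BankA", "ekyc", 0.9132),
    AuthRecord("2017-01-11T09:03:31", "uid-A", "dev-17", "BankA", "ekyc", 0.9132),
    AuthRecord("2017-01-11T09:04:02", "uid-A", "dev-17", "BankA", "ekyc", 0.9132),
    # Normal use: same person on the same device, but fresh captures differ.
    AuthRecord("2017-01-11T10:15:00", "uid-B", "dev-22", "CorrespondentX", "auth", 0.8810),
    AuthRecord("2017-01-12T10:16:30", "uid-B", "dev-22", "CorrespondentX", "auth", 0.8697),
    # A sub-AUA licensed only for yes/no calls submitting an e-KYC request.
    AuthRecord("2017-01-13T11:00:00", "uid-C", "dev-22", "CorrespondentX", "ekyc", 0.9021),
]

# Assumed licence table: which APIs each agency is entitled to call.
LICENCES = {
    "BankA": {"auth", "ekyc"},      # AUA and KUA
    "CorrespondentX": {"auth"},     # sub-AUA: yes/no authentication only
}


def find_replay_suspects(records, min_repeats=3):
    """Flag (uid_ref, device_id) pairs where at least min_repeats
    attempts returned exactly the same match score.

    Returns a list of (uid_ref, device_id, match_score, count).
    """
    by_pair = defaultdict(lambda: defaultdict(int))
    for r in records:
        by_pair[(r.uid_ref, r.device_id)][r.match_score] += 1
    suspects = []
    for (uid, dev), scores in by_pair.items():
        for score, n in scores.items():
            if n >= min_repeats:
                suspects.append((uid, dev, score, n))
    return suspects


def find_licence_violations(records, licences):
    """Return the records whose API the submitting agency is not licensed for.

    An agency absent from the table is treated as licensed for nothing.
    """
    return [r for r in records if r.api not in licences.get(r.agency, set())]


if __name__ == "__main__":
    for uid, dev, score, n in find_replay_suspects(SAMPLE_LOG):
        print(f"possible replay: {uid} on {dev}, score {score} repeated {n} times")
    for r in find_licence_violations(SAMPLE_LOG, LICENCES):
        print(f"unlicensed API call: {r.agency} called {r.api} at {r.ts}")
```

The replay check keys on the exact score rather than a tolerance window, which is deliberate: the page's signal is that the scores were the same, and a live sensor is not expected to reproduce a score to four decimal places. The licence check only works on the AUA's side if the log records which sub-unit originated each request; a request sent with the AUA's own e-KYC key looks, to the UIDAI server, like the AUA's request, which is why the key must never be shared downstream.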

A Suvidhaa Infoserve spokesperson said the company was testing some safety procedures and inadvertently sent the biometrics to a live Aadhaar server instead of to its dummy servers. The spokesperson, however, declined to answer when asked about the need for, and the provisions under which, the testing was being carried out, and refused to say whether Suvidhaa Infoserve had informed UIDAI or taken its prior permission before carrying out such activities. Instead, the spokesperson said in an e-mail response: "We have received the query from UIDAI and met the officials as well as made a written submission. Given the technical nature of the query, we would let UIDAI complete its process of looking into the matter rather than issue a premature statement in the media."

Similarly, Axis Bank chose not to answer a detailed questionnaire sent by Business Standard asking for details about the incident and whether it takes responsibility for the actions of its business correspondent. "We have shared all the relevant details with UIDAI and are awaiting their response on the matter. At this juncture we can categorically state that there has been no violation/breach at the bank's end. We have also suspended services to Suvidhaa Infoserve," Axis Bank said in an e-mailed response.

eMudhra said in a statement that it was providing e-signatures to Suvidhaa Infoserve, and that it needs to perform e-KYC in order to issue these. "eMudhra is in compliance with all rules and regulations as laid out by the regulatory bodies. The company has also sent all documents proving that there has been no misuse of the Aadhaar systems from eMudhra's end," it said.

UIDAI, which has temporarily suspended transactions through these three agencies, tried to play down the incident as an isolated case. This is the first first information report (FIR) filed under the Aadhaar Act since it was notified last year. "The UIDAI cannot be sharing any blame as its servers were not breached," said a high-ranking official on condition of anonymity. The official said the Aadhaar ecosystem was robust and had various checks and balances. "This incident is similar to a case where a bank employee steals the user ID and password of a customer and carries out illegal transactions. But it is very difficult because bank employees know that they would be easily caught for such an act," the official said, explaining that Aadhaar-based transactions happen in a similar fashion: only authorised people with their unique log-ins can operate Aadhaar-based authentication devices. The analogy has a limit, though. In the case under investigation the requests came from legitimately logged-in devices of licensed agencies, so the operator login by itself did not stop stored biometrics from being replayed; what flagged them was the server-side pattern of repeated authentications with identical match scores.
