Business Standard

Securing Aadhaar

- Abhishek Puri Mohali

With reference to “UIDAI introduces 16-digit 'Virtual ID', limited KYC for Aadhaar holders” (January 11), The Tribune report has clearly set the cat amongst the pigeons. UIDAI is absolutely right when it says that there is no Aadhaar breach but prima facie it appears that some user credentials have been compromised or misused. This is a worrying development and highlights multiple issues. Indians are privacy averse — WhatsApp alone generates reams of data and there are credible reports on how unknown entities can easily monitor group conversations despite “end to end encryption”. Likewise, generation of virtual tokens sounds good in theory but will require massive uptime of resources. Not all users are adept in that. Most users aren’t even aware of two-factor authentication. Indian banks rely only on the most insecure form of two-factor authentication — the generation of OTPs via SMS. We require a hardware-based tokenisation system that generates random passwords every 30 seconds or some form of YubiKeys. Existing solutions work well but banks and now the Aadhaar database are only coded to get things going. Most Indian banks’ Android apps were affected by malware for the purpose of stealing user credentials. Credible reports have appeared that clearly show how the Aadhaar app uses insecure methods to generate passwords or “secure itself”. A culture of privacy needs to be built from the ground up. Removing WhatsApp and Facebook is the first step. Barring them from using UPI is another. The UIDAI needs to adopt more open protocols — if they are the custodians of our identities, they need to be made more accountable. Instead, they are silencing their critics by misuse of legal provisions.
