When Aadhar was in its initial stages, whenever security issues were raised with Mr Nandan Nilekani, he used to assure that Aadhar is not a “Card” but it is only a data base. Information in aadhar database never travels across the network and only “Yes” or “No” responses to queries travel. If there is any duplication, the de-duplication exercise will ensure that two people will not be issued the same Aadhar number etc. He never accepted that things could change during implementation and security holes could develop in course of time.
Even now, to be fair to UIDAI, the leakage of aadhaar data has happenned outside the servers of UIDAI, firstly at the time of enrollment when enrollment laptops were stolen in many places, and more recently when some Government departments put up Aadhar data on the web along with some benefit payment information. In between frauds in enrollment occurred in large scale in the name of people who could not provide proper finger prints because they either had lost their hands or the finger prints were not good.
The recent breach when stored bio metrics were used by Axis Bank and E Mudhra, some technical patch seems to have been found to detect such attempts in future. Just like trying to identify a “live” finger, a perfect match of two finger prints is also flagged as doubtful.
Thus UIDAI may claim that technologically they are upto any challenge where data protection at the server level is considered.
UIDAI has also taken steps in ensuring that the AUAs and ASAs are all “ITA 2008 compliant” at least by declaration. If these agencies make a sincere attemt at ITA 2008 compliance, the security would be taken to a slightly higher level since more heads will focus on the issue particularly from outside of the technology professionals whose vision would be clouded with the functionality of the software/hardware and fail in taking a holistic view.
But when we discuss the security or insecurity of the Aadhar Enabled Payment system (AEPS), we are not restricting our vision to only “Technical Security” of the UIDAI server side. We are discussing the security vulnerabilities across the entire system of usage which includes the Business Correspondents, Banks, NPCI and any other intermediary involved.
Now the biggest risk in AEPS comes from the Biometric devices that are used by the Business Correspondents (BC) which includes many merchants and individuals. These merchants could be dishonest or negligent and ignorant causing problems of misuse of payment credentials which are shared by the customers.
There have been instances in the past of people selling goods below the market rates only to steal the credit card data either in offline “card present” transactions or online “card not present” transactions. It can happen even in AEPS transactions if the biometric data can be stored and replayed.
There have been instances of Trojans/Viruses affecting the POS systems stealing the card data. There have been also instances of Manchurian Chips being installed in POS machines for data stealing.
All these vulnerabilities can be relevant to AEPS also.
Man in the Middle attacks particularly of the Man in the Browser type are very much possible in the case of AEPS.
When AEPS is compromised in any manner, the entire chain of Bank accounts of a person could be compromised in one go and money from multiple Bank accounts of the person can be wiped out in a single breach.
We know that in such a case, UIDAI will not take any responsibility and Banks will also try to wriggle out placing the blame on everybody but themselves. NPCI is hidden behind the screens along with the App developers and software developers who specialize in releasing software with bugs and play with Zero day vulnerabilities.
Ultimately the customer is left to fight with the Police and blame them for not being able to solve Cyber Crimes.
Government has repeatedly refused to accept the principle of “Mandatory Cyber Insurance” to protect customers and technology people are happy to experiment with the system since they are never questioned for any fraud.
With the present push on AEPS , what is happening is that customers are left with “No Alternative” but to accept AEPS. They can themselves avoid the use of the system but they have no control on any fraudster impersonating them with the use of fake Aadhar cards.
We therefore urge the Government not to rush introducing AEPS in the current status. There is a need for taking some security measures that prevents frauds committed with social engineering and insider involvement.
Until such time, it is recommended that the introduction of AEPS should be deferred. I suppose that the solution could be worked out perhaps in about 3 to 6 months if the Government is keen.
Naavi