The Aadhar based payment system which is meant to capture the biometrics and initiate banking transactions is being pushed for implementation by June 30, 2017.
However, we request the authorities not to stand on false egos and try to introduce a system which could create a huge security hole in the financial eco system in the country.
The main problem in the proposed system is that there will be thousands of Business Correspondents, “Bank Mitras” who will be authorised to carry biometric devices and initiate banking transactions. The concept is great provided it is having checks and balances to avoid misuse and fraud.
At present, it appears that the authorities have not taken sufficient steps to protect the users from the adverse impact of frauds.
Before we proceed further, I would like to draw the attention of the public to the recent incident when 32 lakh debit cards were supposed to have been compromised through HITACHI ATMs where the malware is presumed to have wormed its way to a NPCI controlled switch and compromised multiple banking systems. There are theories that the compromise of multiple bank’s systems were compromised not through NPCI but because some card holders used the infected Yes Bank ATMs and then other Bank ATMs spreading the infections. The exact nature of the infection is not known. However the following article explains in detail one research report on the incident and is worth reading in detail.
Report: India’s sluggish response to cyberattack that infected 3.2 million cards exposes its vulnerabilities
There is no doubt that all the compromised ATMs reported in the above incident were “Certified” by authorized vendors of RBI and Banks. They were also under direct control of licensed ATM operators most of them being Banks. There was physical security in the form of guards and electronic surveillance in the form of CCTVs. Despite this, the systems were compromised.
The compromise also prevailed in the system for a long time and no body realized it until the damage was done. When breaches started happening, no body reported it to CERT-In and there was every attempt to brush the controversy under the carpet. Security experts who were assigned the responsibility to conduct forensic audits ended up erasing evidence, not knowing the law of the land.
Finally there is an “Admission” by Hitachi that they accept responsibility which makes things more suspicious as whether they were trying to protect any other agency in the process which could also have been held either solely or collectively responsible for the breach.
In this background we need to see how secure is the AEPS system where the biometric devices or the Micro ATMs are held in the custody of public and is out of sight of the regulators.
The devices are certified by some agency such as STQC as fit for use as per some standards but are manufactured by different private sector companies many of them from abroad. Some of these Micro ATMs may work as an application running under Android OS systems.
While the certifying agencies may certify the functionality of the devices, it is a myth that these devices are tamper proof.
It is a common security understanding that any device which a hacker has access to for a prolonged period in confidence is subject to the risk of being manipulated with the introduction of a changed mother board or a Manchurian chip add on. In the past we have seen that POS devices for credit card swiping at the Merchants supplied by China to UK merchants were stealing data and Scotland yard had to conduct an elaborate exercise to identify and remove those devices. Very recently in India we have observed that the Petrol vending machines in Lucknow were tampered with to cheat the customers of the quantity of petrol dispensed, by adding a chip in the circuit. Some time back, Digital auto rickshaw meters in Bangalore were also similarly tampered by insertion of a chip in the meter.
It is therefore possible and reasonably certain that the Micro ATMs and POS systems using Aadhar Enabled Payment Systems will be compromised in due course. This would result in the biometrics of customers being copied and re used on a systematic basis. This also has been demonstrated by Axis Bank and E Mudhra not so long ago.
Since some of these biometric devices may be imported from China to meet the rush and also because they may be considered cheap, we may expect that backdoors may be installed in such equipments which could defeat the STQC audits and prevail while the system goes into use.
We may recall that VolksWagon designed a software to cheat the emission standard tests to give false results while resetting itself in actual usage where emission standards were compromised for better pick up and power. Similarly, the manufacturers of these equipments will design their systems to behave well before STQC and turn rogue when it goes into the usage environment.
In due course there is therefore a possibility that we are creating a network of financial devices which can be exploited by an enemy country in a Cyber War situation.
The Indian Election Commission (EC) recently faced a comparable challenge on the EVMs as the AAP MLA showed how he can replace the mother board if given access to the machine and therefore how the elections can be tampered with. The EC however rightly pointed out that the EVMs used in actual elections would not be out of its sight and is randomly assigned to different booths and hence cannot be tampered with as indicated by AAP MLA.
The Aadhar Enabled Payment System has to take a cue from the EVM controversy and understand that they donot have controls which EC has designed for EVMs as regards the Micro ATMs and biometric devices.
It is not impossible to introduce security controls to prevent any misuse or quickly catch a delinquent transaction if it happens but such controls donot seem to exist in the current devices which are standard devices meant for a different security scenario.
In future, we can get these devices manufactured by BEL or ECIL under close supervision and with all the security features which make tampering nearly impossible. But for this there is a need to take time and not rush implementation of AEPS by June 30, 2017.
I wish the authorities listen to this sane advice unless they are ready to place Indian Financial system into jeopardy for the sake of impressing upon Mr Modi that we are technologically ahead of other countries in implementing a digital payment systems.
Naavi