India Insights with Suparna Goswami

Access Management, Fraud Management & Cybercrime, Governance & Risk Management

Another Aadhaar Leak, and Yet Another Blame Game

It's Time for Collaboration on Enhancing Security

The Unique Identity Authority of India, which administers the Aadhaar program, is again facing harsh criticism about its security measures.


This time, State Bank of India, the nation's largest bank, is claiming that security gaps in UIDAI systems opened the door to the generation of fake Aadhaar cards.

But UIDAI insists its systems are secure.

Rather than playing a blame game, government-owned banks, including SBI, as well as UIDAI and other government entities must collaborate to enhance security.

The Accusations

Public sector banks in India have been entrusted with the task of helping UIDAI with Aadhaar enrollments, for which they hire vendors empaneled by UIDAI.

SBI's Chandigarh branch says it hired two vendors for the enrollment task and later discovered that fake Aadhaar cards were generated by one of the vendors, which allegedly used multiple station IDs or devices. A station ID is basically a device ID for the computer or laptop used for enrollment. Any device used for Aadhaar enrollment must have a device ID as part of the authenticated ID.

SBI said its officials or the vendor did not create these multiple station IDs, so there must have been holes in UIDAI's security system that allowed "someone to hack the system and generate multiple station IDs."

Countering the charge, UIDAI said: "The Aadhaar database is fully secured and no security breach biometric or otherwise, has taken place." It claimed that one of the agents at a vendor hired by SBI used his ID to generate Aadhaar cards using multiple station IDs.

Persistent Problem

There have been multiple issues with vendors who have been accused of not following proper security guidelines. Last year, UIDAI blacklisted 49,000 Aadhaar centers run by vendors who did not follow appropriate security guidelines.

Plus, in recent years, there have been a series of security lapses involving Aadhaar.

Cases have involved fingerprints of authorized Aadhaar enrollment officers getting cloned, government websites displaying Aadhaar details of millions of people and Aadhaar information getting disclosed by hospital apps.

Since those incidents, the government has introduced a slew of measures designed to help close security gaps, including introducing Virtual Aadhaar ID that allows users to authenticate transactions.

But UIDAI still has a long way to go in improving communications when security concerns arise, rather than just offering the standard response: "We are safe."

UIDAI needs to engage with the security community to understand and address their concerns. Minimizing communications out of concern for not revealing security details has so far not served it well.

All Parties Have a Role to Play

Because SBI hired vendors to handle Aadhaar enrollments for its customers, it's responsible for ensuring that enrollments are completed only through devices in its physical and logical control (see: Helpline Mishap: UIDAI Wrongly Blamed).

But UIDAI also must monitor empaneled vendors to help prevent fraudulent activities and punish those who commit infractions.

Bangalore-based cyber law expert Na. Vijayshankar suggests UIDAI must implement additional technological controls to ensure that only one station ID is granted per person.

"Unless it is deactivated, a second station ID should not be provided. This means that the operators need one human agent for every station ID," he says.

UIDAI also should instruct banks to use RFID tags to ensure there is an automatic log out once an enrollment system user leaves their desk.

The solution to Aadhaar security issues is for everyone involved to work together. The blame game solves nothing.



About the Author

Suparna Goswami


Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.



