Aadhaar must up security measures to ward off financial frauds, says report

Bangalore-based civil society group The Centre for Internet and Society (CIS) has expressed concerns over the lack of security features associated with Aadhaar-linked financial transactions. The CIS report on information security practices of Aadhaar has come at a time when the Supreme Court is hearing a petition that challenges the government's decision to link the unique 12-digit Aadhaar number with one's PAN card, issued by the Income-Tax Department.

Authored by Amber Sinha and Srinivas Kodali, the CIS report points out that unless sufficient security features are added, the system is prone to financial frauds.

"The availability of large datasets of Aadhaar numbers along with bank account numbers and phone numbers on the Internet increases the risk of financial fraud," the report says. According to the authors, social engineering is often used to find out bank account details, credit card numbers and passwords to steal money from people's accounts. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions. In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of Aadhaar numbers and other related data available," they point out.

The CIS research has found numerous instances of publicly available Aadhaar numbers along with other personally identifiable information (PII) of individuals on government websites. The report highlights four government projects - run by various government departments - with publicly available financial data and Aadhaar numbers, and estimates that the Aadhaar numbers leaked through these four portals could be around 130-135 million and the bank account numbers leaked could be at around 100 million.

"Financial fraudsters could potentially link their phone numbers to Aadhaar numbers and also update those across the banks using individual Aadhaar information and thus deprive individuals of their benefits from the state. It has been reported that brokers do buy tonnes of copies of Aadhaar documents from shops selling SIM cards and other institutions for the purposes of identity fraud," they explain.

According to CIS, Aadhaar Payments Bridge (APB) and Aadhaar enabled Payment Systems (AePS) are the prime reason why bank accounts are being mapped to Aadhaar. "While the National Payments Corporation of India (NPCI) claims that it does not store bank account details, and only store Aadhaar numbers and bank names, these are certainly being stored by various government departments who are seeding the NPCI mapper. The NPCI has also built an Aadhaar lookup for banks to know the status of an Aadhaar number (whether it is active or not), enabling district bank managers to have access to Aadhaar numbers of individuals," the report says.

It cites the NREGA portal of Andhra Pradesh to provide a detailed understanding of the workflow for Aadhaar Payments Bridge (APB). "Officials exchange information for the APB in the form a text file containing Aadhaar numbers and disbursal amounts between the service provider and the banks. As of now, this process could be potentially exploited to transfer larger sums of money than the actual amounts. There are no existing standards for encryption and security procedures to safeguard these files or the security of the communication," the authors say.

The report refutes the government's claim that the biometric data is safe. They allege that biometric data can be collected without consent as people's fingerprints can be lifted remotely from a variety of objects that they may touch, and their iris data can be picked up by a high-resolution directional camera from a distance. "In light of these factors, the public presence of Aadhaar numbers, DBT transfer details, registered mobile phone numbers and seeded bank account numbers presents a huge opportunity for financial fraud."

The report also notes that the terms and conditions for Aadhar-enabled payment systems have been vague and in case a financial fraud, the consumer may not be able to assert his claims. The terms and conditions have been vague in the recent AePS applications like the BHIM-Aadhaar App, it adds.

Regulations and standards around Aadhaar are at a very nascent stage, thus increasing financial risks for both consumers and banks who venture into AePS.

The report agrees that Aadhaar-enabled payment instruments can potentially simplify payment transactions for governments and certain classes of people, but criticises the risks associated with it.

"Its possible use without a two-factor authentication in banking and other security features are harmful and increase risk of financial systems for banks and account holders. In the banking industry, standards like Payment Card Industry Data Security Standard (PCI DSS) for payment cards, and ISO 27001 and ISO 27002 for risk assessment have to be carried out. However, in the case of Aadhaar, standards for data storage, sharing and transmission during collection are not available."

The risk assessment includes modelling and evaluating threats constantly and mitigating them. However, the threats around Aadhaar are new and are not really understood by banks and other financial institutions, the report says.

While current discussions are focusing on either having Aadhaar or discontinuing it, the CIS report points to a third possibility - that of making Aadhaar more secure.