Axis Bank case: To make Aadhaar safe, encryption devices coming soon, more in store


Even Aadhaar sceptics would do well to keep in mind that, while a criminal complaint has been filed against Axis Bank, Suvidhaa Infoserve and eMudhra for allegedly storing biometrics and using them in an unauthorised manner, it was UIDAI that discovered the irregular transactions and reported them to the Delhi Police’s cyber cell and, pending a probe, all transaction requests from these organisations have been put on hold. If the UIDAI system is able to detect fraud, as the banks did when they found millions of debit/credit cards had been compromised due to a faulty ‘switch’ in a payments gateway some months ago in India, presumably that would mean it was working well.
Under normal circumstances, as a safety feature, every time a transaction is made like withdrawing funds from a bank and UIDAI replies to an authentication request, an SMS/email alert is sent to the subscriber.

So, why didn’t UIDAI send out alerts this time around when, going by a report in The Times of India, one individual performed 397 transactions, many of which were based on biometrics that were ‘stored’ locally and bunched during one week in January? Is this an example of Aadhaar being open to misuse since banks, etc, can store your biometrics and use them to illegally authorise transactions later? There have also been reports of one website publishing Aadhaar data of 500,000 minors—this, of course, is a list of names and matching Aadhaar numbers, but does not have actual biometrics—and of white-hat hackers generating iris scans from high-resolution photographs and even the possibility of data being compromised since Aadhaar registrations/verifications are typically done by several private firms.

First, as UIDAI officials point out, since the individual doing the transactions was using his own Aadhaar number, the alerts went to him—to that extent, the system’s first fail-safe worked. Had the stored biometrics belonged to someone else, say a reader of this newspaper, she would have got the SMS/email alerts and would have escalated matters. Two, since the authentication request, and the reply, are encrypted at a 2048-bit level—normal encryption levels are 128 or 256—UIDAI officials argue this makes the system very safe from hacking. But what of cases where the biometrics are stolen, or generated from high-resolution photographs, and then stored locally? Since security has to be an evolving feature, designed to beat threats as they occur or before they do, UIDAI plans to introduce the concept of ‘registered devices’.

For the last few months, UIDAI has been working with vendors of biometric-capture devices to get them to install an Aadhaar-encryption key in the hardware itself—among other things, it ensures the biometric data used is ‘captured live’ and is not stored data. Last month, it was notified that, after May, no data requests will be entertained if they come from ‘unregistered devices’—existing biometric devices, such as those in ration shops already, are to be upgraded through software right now and those bought in the future must have the necessary pre-installed keys. It is certain criminals will find smarter ways to beat the system, and UIDAI will have to keep evolving to heighten security—to the extent some beat the system, or try to, as happens in the case of bank frauds, the criminal justice system has to be used to punish them.