Conflicting accounts of possible Aadhaar breach as UIDAI extends Virtual ID deadline
The Unique Identity Authority of India (UIDAI) has denied reports that a software patch compromising its system is allowing criminals to generate Aadhaar cards, noting that the biometrics of new applicants are checked against the rest of the database to prevent individuals from holding multiple accounts.
The denial came after Huffington Post reported that a software patch, widely available for Rs 2,500 (roughly US$35), disables several security features built into Aadhaar software. The critical security vulnerability seems to be a “marginal” reduction in the threshold for failure of the iris recognition portion of the enrollment software, making it easier to spoof with a photograph. The other weaknesses are a bypass of the requirement for enrollment operators’ biometrics to generate an Aadhaar number, and the disabling of the system’s GPS security feature, enabling the software’s use anywhere.
The code was analyzed by multiple security experts, who agreed with the conclusions of the report. The experts concluded that the patch was created to perform the minimum necessary for a particular use. Out-of-work Aadhaar operators told Huffington Post that they could use the hacked enrollment software to generate enrollment IDs, and coordinate with sources in authorized centers who could complete the registration for a fee.
The UIDAI responded with a statement that the alleged vulnerabilities would not be sufficient to enable hackers to abuse the system, due to the biometric authentication and deduplication processes.
“Claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless. The report itself accepts that ‘it (patch) doesn’t seek to access information stored in the Aadhaar database’. Its further claim ‘to introduce information’ into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar,” the UIDAI said in a Twitter statement.
The statement also emphasized Aadhaar features such as its audit mechanism and fraud monitoring system, which the UIDAI says maintain the program’s security.
The Huffington Post responded to UIDAI’s statement, saying that it had not directly addressed the allegations and that it stands by its story.
No allegations of specific fraud incidents were included in the original report.
Virtual ID deadline extended
The newest breach allegations follow the extension of the deadline to implement Aadhaar virtual ID from August 31 to October 31, Business Standard reports.
The implementation deadline for UID tokens and limited e-KYC as authentication methods for use by banks and other businesses was also extended in a circular distributed by the UIDAI.
Virtual ID is intended to reduce the range of cases in which Indian consumers are required to share Aadhaar numbers, but its implementation deadline has already been pushed back.
The UIDAI recently published an FAQ to address misconceptions related to Aadhaar, as constant breach allegations and privacy concerns have led to a Supreme Court challenge, in which a decision is expected soon.