Conflicting accounts of possible Aadhaar breach as UIDAI extends Virtual ID deadline


The Unique Identity Authority of India (UIDAI) has denied reports that a software patch compromising its system is allowing criminals to generate Aadhaar cards, noting that the biometrics of new applicants are checked against the rest of the database to prevent individuals from holding multiple accounts.

The denial follows a Huffington Post report that a software patch, widely available for Rs 2,500 (roughly US$35), disables several security features built into Aadhaar software. The critical security vulnerability seems to be a “marginal” reduction in the threshold for failure of the iris recognition portion of the enrollment software, making it easier to spoof with a photograph. The other weaknesses are a bypass of the requirement for enrollment operators’ biometrics to generate an Aadhaar number, and the disabling of the system’s GPS security feature, enabling the software’s use anywhere.

The code was analyzed by multiple security experts, who agreed with the conclusions of the report. The experts concluded that the patch was created to perform the minimum necessary for a particular use. Out-of-work Aadhaar operators told Huffington Post that they could use the hacked enrollment software to generate enrollment IDs, and coordinate with sources in authorized centers who could complete the registration for a fee.

The UIDAI responded with a statement that the alleged vulnerabilities would not be sufficient to enable hackers to abuse the system, due to the biometric authentication and deduplication processes.

“Claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless. The report itself accepts that ‘it (patch) doesn’t seek to access information stored in the Aadhaar database’. Its further claim ‘to introduce information’ into Aadhaar database is completely unfounded as UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing an Aadhaar,” the UIDAI said in a Twitter statement.

The statement also emphasized Aadhaar features such as its audit mechanism and fraud monitoring system, which the UIDAI says maintain the program’s security.

The Huffington Post responded to UIDAI’s statement, saying that it had not directly addressed the allegations and that it stands by its story.

No allegations of specific fraud incidents were included in the original report.

Virtual ID deadline extended

The newest breach allegations follow the extension of the deadline to implement Aadhaar virtual ID from August 31 to October 31, Business Standard reports.

The implementation deadline for UID tokens and limited e-KYC as authentication methods for use by banks and other businesses was also extended in a circular distributed by the UIDAI.

Virtual ID is intended to reduce the range of cases in which Indian consumers are required to share Aadhaar numbers, but its implementation deadline has already been pushed back.

The UIDAI recently published an FAQ to address misconceptions related to Aadhaar, as constant breach allegations and privacy concerns have led to a Supreme Court challenge, in which a decision is expected soon.
