Missing fingerprint liveness detection opens the door for Aadhaar spoofing attacks
Aadhaar is leaking again, and the Unique Identification Authority of India (UIDAI) is facing questions about the deployment of liveness detection in its biometric fingerprint authentication system. The Hindu reports that cases of financial fraud have been traced to fingerprint authentication in the Aadhaar-enabled Payment System (AePS) that did not employ liveness detection, which UIDAI had promised to roll out in March 2023.
Using thumbprint data and Aadhaar numbers downloaded from the Stamps and Registration Department in the state of Karnataka, perpetrators were able to create 3D images of the prints that fooled the unprotected authentication and allowed them to withdraw money through AePS. Victims were unaware of the transactions.
The Hindu says its requests for a comment from UIDAI on the lack of liveness detection in the modality have thus far gone unanswered. In February, UIDAI raised the issue of spoofing attempts with state governments and announced that it would introduce the liveness-enabled FMR-FIR (Finger Minutiae Record – Finger Image Record) fingerprint authentication modality on March 1.
With the Aadhaar national digital identity system being adopted for more use cases, India has hosted over 100 billion total authentication transactions. Liveness detection in biometric fingerprint authentication is working in some areas of the country – but not, apparently, Karnataka.
Aadhaar’s permeability has become an ongoing talking point, with questions about biometric data breaches, bugs, digital ID data offered for sale on the dark web, and, in this case, the use of single-factor authentication for financial transactions.
There are proposed fixes. In light of the AePS fraud, Karnataka will block out the first eight digits on all documents related to registration. However, questions about feasibility and timelines hover around practical implementation, and police point out that a similar blocking of digits was mandated before, but ignored.
Meanwhile, police are also seeking access to Aadhaar data in court, despite UIDAI restrictions on the use of biometric data by law enforcement.