An Indian journalist recently found out that it took just £5 and ten minutes of searching to gain access to confidential Aadhaar card details of over a billion Indian citizens, thereby raising questions about the security around India's largest citizen enrollment programme.
It costs just £5 for anyone to gain access to a webpage and obtain the name, address, photo, phone number and email address of any Indian citizen with an Aadhaar number.
A few years ago, the Indian government launched an ambitious programme to confer twelve-digit unique identity numbers, dubbed Aadhaar numbers, on over a billion citizens, who could then use them to access government services, apply for jobs, benefit from government subsidies and grants, and apply for essential loans.
According to government figures, over 95% of Indians have been conferred Aadhaar card numbers so far, and these numbers are now mandatory for making large purchases, applying for loans, opening bank accounts, filing tax returns, applying for driving licences or energy connections, purchasing homes, applying for passports, making hotel reservations or even applying for jobs. In effect, the new unique ID is virtually replacing all existing identification processes as the sole identification protocol for over a billion Indians.
Aadhaar numbers are considered scam-proof and unique by the government as they are associated with every individual's biometric details like iris scans and fingerprints. As such, no two individuals can claim to own the same number and no individual can hold more than one Aadhaar number, unlike existing Voter card IDs and Permanent Account Numbers (PANs) which were duplicated and printed by scamsters at will.
Following its implementation, the Aadhaar enrollment programme has helped the government save billions. For example, in April last year, compulsory enrollment of students helped the government expose almost half a million 'ghost students' in whose names officials were syphoning off food allocated to the government's mid-day meal programme for rural students.
Earlier today, the government's Human Resource Development Ministry uncovered as many as 130,000 ghost teachers employed in government colleges in whose names universities were allocating 'salaries' and transferring the money elsewhere.
Despite their obvious advantages, the security around Aadhaar cards has often been questioned by security experts as well as journalists, and for good reason. In May last year, the Centre for Internet and Society revealed that unique identities and personal information of as many as 135 million Aadhaar users were published online by four different government agencies.
Researchers at the institute were not only able to download spreadsheets from government websites but could also obtain full Aadhaar numbers of individuals because the agencies used inconsistent masking patterns. For example, some agencies masked the first four digits while others masked the middle digits, making it simpler for malicious hackers to join the dots.
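The masking problem described above can be audited before data is published. The following Python sketch is an added example, not code from the Centre for Internet and Society report or from any agency: for each person appearing in several releases it computes which digit positions remain hidden once the releases are joined, and shows that a single shared masking policy removes the gap. The agency names, join keys, masked values and function names are constructed for illustration.

```python
from collections import defaultdict

MASK_CHARS = set("Xx*")  # characters treated as "digit hidden"

# Constructed sample: (publishing agency, join key, masked number).
SAMPLE = [
    ("agency_a", "beneficiary-001", "XXXX 5678 9012"),  # first four masked
    ("agency_b", "beneficiary-001", "1234 XXXX 9012"),  # middle four masked
    ("agency_a", "beneficiary-002", "XXXX 1111 2222"),  # published once only
]

def hidden_positions(masked):
    """Return the indexes (0-11) that a masked 12-digit string keeps hidden."""
    chars = masked.replace(" ", "").replace("-", "")
    if len(chars) != 12:
        raise ValueError(f"expected 12 characters, got {len(chars)}")
    return {i for i, ch in enumerate(chars) if ch in MASK_CHARS}

def residual_hidden(publications):
    """Per person, positions still hidden once every release is joined."""
    remaining = defaultdict(lambda: set(range(12)))
    for _agency, person, masked in publications:
        # A position stays protected only if every release hides it.
        remaining[person] &= hidden_positions(masked)
    return dict(remaining)

def fully_exposed(publications):
    """Join keys whose releases, taken together, hide no digit at all."""
    return sorted(p for p, h in residual_hidden(publications).items() if not h)

def mask_uniform(number, keep_last=4):
    """One shared policy: hide everything except the last keep_last digits."""
    digits = number.replace(" ", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("expected a 12-digit number")
    return "X" * (12 - keep_last) + digits[-keep_last:]

if __name__ == "__main__":
    print("fully exposed when joined:", fully_exposed(SAMPLE))
    same_policy = [(a, p, mask_uniform("123456789012")) for a, p, _ in SAMPLE]
    print("after uniform masking:", fully_exposed(same_policy))
```
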
While the breach had compromised details of one in ten Indians, a report from Tribune India has now revealed how anyone can gain access to Aadhaar card numbers and associated identification details of any Indian citizen by paying a mere £5.
'It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email,' wrote Rachna Khaira from Tribune India.
'What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual,' she added.
The reporter added that the hackers who supplied the software to her 'seemed to have gained access to the website of the Government of Rajasthan, as the “software” provided access to “aadhaar.rajasthan.gov.in”, through which one could access and print Aadhaar cards of any Indian citizen'. However, one needs to know the entire twelve-digit Aadhaar number of any citizen to obtain additional details like name, address, email address, phone number and photograph.
Responding to the revelation, the Unique Identification Authority of India (UIDAI), which is responsible for the security of Aadhaar data and associated biometric details, said that it was a case of 'misreporting' and that all Aadhaar data is safe and secure.
'The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required,' it said.
While it is true that no biometric details were compromised, it is also true that additional personal information of citizens can be obtained by using the malicious software and as such, can be misused by cyber criminals in various ways. However, it will be impossible for anyone to purchase a SIM card, a new connection, or any government or private service by using someone else's Aadhaar card as biometric details will need to be verified at the time of purchase.