New forms of fraud keep emerging but a gang arrested on Thursday managed to stun everyone with their ingenuity. The gang cloned the thumb prints of online examination candidates for the Constable admission exam in Rajasthan and used them to provide expert proxy examination solvers to answer examination papers on behalf of the real candidates. The SOG has arrested a village service worker and the mastermind along with 3 other members of this gang. Their revelations are even more astonishing. This same method is being used to clone thumb prints and provide proxies for 25 candidates in 7 examination centres.

The methods used to bypass biometric checks for appearing for the exam.

Obtaining a thumbprint clone using fish oil, wax and fevicol

The accused learned to clone fingerprints on youtube. First, they applied fish oil on the applicant’s finger. They then pressed the finger on a piece of warmed and softened wax to obtain the reverse of the thumb print. Then, they applied a film of Fevicol on the reverse fingerprint to obtain the clone once the Fevicol had dried and could be peeled off.

Aadhaar verification was used to test the quality of the cloned fingerprint

Before the cloned fingerprints were used by the expert proxies to appear for exams, they were tested by verifying the applicant’s Aadhaar number. To do this, they affixed the cloned prints onto another person’s thumbs and used them to verify the applicant’s Aadhaar. Only when the thumb print was proved accurate in authenticating the identity of the applicant with Aadhaar was it used at examinations.

On the day of the examination, the gang arranged for experts to appear on behalf of the applicant

On the day of the examination, the cloned thumb print would be affixed onto the thumb of the expert proxy examination writer who would then go to the centre and appear for the exam on behalf of the applicant. The well tested fingerprint was impossible to detect and passed the biometric authentications. The expert completed writing the paper and exited the examination centre.

The Big Question: How secure is everything depending on thumb prints from SIMs to Aadhaar?

From buying a mobile SIM to opening an account in a bank and availing of government welfare services, everything is accessible using the identification with thumb prints. Even the Aadhaar card itself is accessible with thumb prints. Attendance is marked in offices using biometrics. PDS distribution depends on the thumb prints. In such a situation, this matter of proxies appearing for examinations has directly become attached to the safety of our identity itself. Cloned thumb prints can do many kinds of frauds in many places. The ambitious Aadhaar project that we understood so far to be very secure has been shown by this gang to be hollow.

The Police Entrance exams – there are still 36 days to go

Online examinations have been introduced for the first time to fill 5390 posts of police constable. They started on the 7th of March and continue for 45 days. On the 12th and 14th of March, in Jaipur, there was a computer hack and attempt to appear for the exams from another place. 12 people were arrested.

Alwar too saw attempts to pass off proxies as candidates and another 8 were arrested from two centres in Jaipur for the same.

This story is an excerpt translated from the original at Dainik Bhaskar.

It is clear that not only is it very easy to spoof Aadhaar biometrics, Aadhaar itself serves as the quality test to ensure that the actual scam goes off without a flaw.

Medianama’s take

These kinds of frauds will be increasingly impossible to prevent or trace because the methods used for cloning the fingerprint as well as testing it are so widely available as to allow virtually anyone to create a false fingerprint and use it as necessary.

This is an inherent flaw in using biometrics for proving identity. As IT researcher, J T D’souza had put it in a talk on Aadhaar “The cloned fingerprints will match the biometric record indefinitely as long as they are in good condition, long after the actual person’s fingerprints have aged enough to stop matching”.

The more the proliferation of Aadhaar, the more people will run into a need to bypass its authentication and the more people will discover such jugaads (practical hacks) to circumvent it. This is the beginning. Aadhaar is not secure for the purposes it is being used for.