wordpress blog stats
Connect with us

Hi, what are you looking for?

Aadhaar operator’s biometrics were stolen and misused repeatedly: report

UIDAI emails and records show that an Aadhaar operator’s biometrics were used multiple times in different locations on the same day, without his knowledge, reports HuffPost India. The UIDAI barred him from being an operator for 5 years. It also fined him Rs 33 lakhs in December 2018, a month after it barred his access to the Aadhaar enrollment system for enrolment errors.

This operator’s biometrics are still being attempted at being used, the purpose of this is unclear, but there is a clear breach. This indicates that his biometrics were stolen and misused for an unknown period of time, while the UIDAI remained oblivious.

Why it matters: The misuse of an Aadhaar operator’s biometrics indicates vulnerabilities in the Aadhaar and the security nets of the UIDAI.

The case

  • Vikram Sheokhand worked as an Aadhaar enrolment operator at the local State Bank of India office in Jind, Haryana
  • According to the UIDAI’s records, Sheokhand’s biometrics were used in multiple places within a few hours in a Ratnakar Bank branch, a Yes Bank branch, and an SBI branch in Haryana, and at the Madhya Pradesh State Electronics Development Corporation in Bhopal
  • UIDAI emails confirm that Sheokhand’s credentials were used in multiple places in a single day and on November 8, 2018. On November 13, the UIDAI barred Sheokhand from working as an enrollment operator for 5 years.
  • However, attempts are still being made to use his biometrics in different banks across the country

What was misused and how was it done?

HuffPost India was able to access previously undisclosed documents, including Sheokhand’s Aadhaar authentication logs from the UIDAI, his communication with the UIDAI, and FIR reports from the Haryana police.

  • A UIDAI document “Installation and Configuration of Aadhaar Enrolment Client” explains that an operator must register with the UIDAI and then download their biometrics and unique Aadhaar operator ID number. The operator’s biometrics and ID number are stored in the computer as “credential file”.
  • The operator can then use that specific computer to enroll new users to Aadhaar, each enrollment is completed with a “sign-off” by the operator which he does by pressing his/her finger into a biometric reader.
  • The Aadhaar enrolment software Enrolment Client Multi-Platform (ECMP) then matches the operator’s fingerprint with the digital copy of their fingerprint stored on the computer in the “credential file”
  • When the two prints match, the ECMP accepts the enrollment and sends it to the UIDAI server
  • It appears that Sheokhand’s credential file was stolen and use to enroll people for Aadhaar
  • Despite having “locked” his biometrics (after the UIDAI asked him to), Sheokhand still receives automated email alerts informing him that someone has been trying to log into the Aadhaar system using his fingerprints, suggesting that copies of his fingerprints still remain out there.
  • Sheokhand has expressed his worries, “What if someone misuses my biometrics and frames me in some major financial fraud, or to plan some major terror activity?”

What did the stakeholders say?

Sheokhand’s employer and private vendor FIA Technology Systems said that it has submitted details pertaining to Sheokhand’s case to the SBI and UIDAI who are investigating the case. The UIDAI asked Sheokhand to “lock” his biometrics, which temporarily disables biometric Aadhaar authentication.

Pertinent points to note:

  • Sheokhand first learnt that his biometrics were stolen on November 14, 2018 a day after the UIDAI barred his access to the Aadhaar enrollment system. But in an email, the UIDAI said he was banned because his ID was used multiple times on November 8.
  • Upon looking at Sheokhand’s log, HuffPost India found more instances when his credentials were misused for an unknown while before the UIDAI realized it.
  • UIDAI flags 646 ‘errors’, fines Rs 33 lakh: On December 28, Sheokhand was fined Rs 33 lakh for uploading fraudulent documents 333 times, each instance carried a penalty of Rs 10,000. The UIDAI said that it found another 304 cases in which the scanned and uploaded documents uploaded were of poor quality. It found 9 miscellaneous errors. Both carried a penalty of Rs 25 for each instance. The UIDAI thus pointed out 646 ‘errors’ made by Sheokhand.
  • FIA Systems says only 1 of 646 errors traced to Sheokhand: In an email to the UIDAI, an executive of FIA Systems noted that only 1 of these 646 errors could be directly traced back to Sheokhand’s station ID. OS Rana noted that his ID was misused by “some fraudster on other stations”. (A station ID is the unique number given to an enrollment center – in this case, the SBI branch in Jind where Sheokhand worked.)
  • Sheokhand said that on some days, his biometrics were authenticated over 47 times on a single day without him knowing.

UIDAI’s denials piling up

The UIDAI has traditionally denied any breach of Aadhaar data and allegations that its security systems are/have been compromised. The UIDAI has:

More on Aadhaar:

Advertisement. Scroll to continue reading.
Written By

I cover health, policy issues such as intermediary liability, data governance, internet shutdowns, and more. Hit me up for tips.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.

News

When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.

News

The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

News

In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

News

By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ