UIDAI emails and records show that an Aadhaar operator’s biometrics were used multiple times in different locations on the same day, without his knowledge, reports HuffPost India. The UIDAI barred him from being an operator for 5 years. It also fined him Rs 33 lakhs in December 2018, a month after it barred his access to the Aadhaar enrollment system for enrolment errors.
Attempts to use this operator’s biometrics are still being made. The purpose is unclear, but there is a clear breach. This indicates that his biometrics were stolen and misused for an unknown period of time, while the UIDAI remained oblivious.
Why it matters: The misuse of an Aadhaar operator’s biometrics indicates vulnerabilities in Aadhaar and in the UIDAI’s security nets.
- Vikram Sheokhand worked as an Aadhaar enrolment operator at the local State Bank of India office in Jind, Haryana
- According to the UIDAI’s records, Sheokhand’s biometrics were used in multiple places within a few hours in a Ratnakar Bank branch, a Yes Bank branch, and an SBI branch in Haryana, and at the Madhya Pradesh State Electronics Development Corporation in Bhopal
- UIDAI emails confirm that Sheokhand’s credentials were used in multiple places in a single day, on November 8, 2018. On November 13, the UIDAI barred Sheokhand from working as an enrollment operator for 5 years.
- However, attempts are still being made to use his biometrics in different banks across the country
What was misused and how was it done?
HuffPost India was able to access previously undisclosed documents, including Sheokhand’s Aadhaar authentication logs from the UIDAI, his communication with the UIDAI, and FIR reports from the Haryana police.
- A UIDAI document, “Installation and Configuration of Aadhaar Enrolment Client”, explains that an operator must register with the UIDAI and then download their biometrics and unique Aadhaar operator ID number. The operator’s biometrics and ID number are stored on the computer as a “credential file”.
- The operator can then use that specific computer to enroll new users to Aadhaar. Each enrollment is completed with a “sign-off” by the operator, which he/she does by pressing a finger onto a biometric reader.
- The Aadhaar enrolment software Enrolment Client Multi-Platform (ECMP) then matches the operator’s fingerprint with the digital copy of their fingerprint stored on the computer in the “credential file”
- When the two prints match, the ECMP accepts the enrollment and sends it to the UIDAI server
- It appears that Sheokhand’s credential file was stolen and used to enroll people for Aadhaar
- Despite having “locked” his biometrics (after the UIDAI asked him to), Sheokhand still receives automated email alerts informing him that someone has been trying to log into the Aadhaar system using his fingerprints, suggesting that copies of his fingerprints still remain out there.
- Sheokhand has expressed his worries, “What if someone misuses my biometrics and frames me in some major financial fraud, or to plan some major terror activity?”
What did the stakeholders say?
Sheokhand’s employer and private vendor FIA Technology Systems said that it has submitted details pertaining to Sheokhand’s case to the SBI and UIDAI who are investigating the case. The UIDAI asked Sheokhand to “lock” his biometrics, which temporarily disables biometric Aadhaar authentication.
Pertinent points to note:
- Sheokhand first learnt that his biometrics were stolen on November 14, 2018, a day after the UIDAI barred his access to the Aadhaar enrollment system. But in an email, the UIDAI said he was banned because his ID was used multiple times on November 8.
- Upon looking at Sheokhand’s log, HuffPost India found more instances in which his credentials were misused, over an unknown period, before the UIDAI realized it.
- UIDAI flags 646 ‘errors’, fines Rs 33 lakh: On December 28, Sheokhand was fined Rs 33 lakh for uploading fraudulent documents 333 times; each instance carried a penalty of Rs 10,000. The UIDAI said that it found another 304 cases in which the scanned and uploaded documents were of poor quality. It also found 9 miscellaneous errors. Both carried a penalty of Rs 25 for each instance. The UIDAI thus pointed out 646 ‘errors’ made by Sheokhand.
- FIA Systems says only 1 of 646 errors traced to Sheokhand: In an email to the UIDAI, an executive of FIA Systems noted that only 1 of these 646 errors could be directly traced back to Sheokhand’s station ID. OS Rana noted that his ID was misused by “some fraudster on other stations”. (A station ID is the unique number given to an enrollment center – in this case, the SBI branch in Jind where Sheokhand worked.)
- Sheokhand said that on some days, his biometrics were authenticated over 47 times on a single day without him knowing.
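The pattern in these records, one operator’s credentials signing off at several stations within hours and at stations other than his own, is something a routine log review can flag. The following is an added example, not UIDAI code and not part of the original report; the log layout, the operator and station IDs, the home-station registry and the three-hour window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <operator ID> <station ID>".
# The layout and every ID are assumptions, not the UIDAI's log format.
SAMPLE_LOG = """\
2018-11-08T09:05:00 OP-A STN-1
2018-11-08T10:10:00 OP-A STN-2
2018-11-08T10:25:00 OP-A STN-3
2018-11-08T11:00:00 OP-A STN-4
2018-11-08T09:15:00 OP-B STN-3
2018-11-08T15:30:00 OP-B STN-3
2018-11-09T09:00:00 OP-C STN-5
2018-11-09T18:00:00 OP-C STN-6
"""

# Hypothetical registry: the one station each operator is registered to work at.
HOME_STATION = {"OP-A": "STN-1", "OP-B": "STN-3", "OP-C": "STN-5"}


def parse_log(text):
    """Return a time-sorted list of (timestamp, operator, station) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(ts), op, stn) for ts, op, stn in rows)


def foreign_station_use(events, home=HOME_STATION):
    """Operators whose credentials signed off away from their registered station."""
    hits = defaultdict(set)
    for _, operator, station in events:
        if home.get(operator) != station:  # unknown operators are flagged too
            hits[operator].add(station)
    return {op: sorted(s) for op, s in hits.items()}


def concurrent_station_use(events, window=timedelta(hours=3)):
    """Operators seen at two or more distinct stations inside one time window."""
    by_op = defaultdict(list)
    for ts, operator, station in events:
        by_op[operator].append((ts, station))
    flagged = defaultdict(set)
    for operator, seen in by_op.items():
        for i, (start, _) in enumerate(seen):
            stations = {s for t, s in seen[i:] if t - start <= window}
            if len(stations) > 1:
                flagged[operator] |= stations
    return {op: sorted(s) for op, s in flagged.items()}
```

In the constructed data, OP-C trips only the home-station check because its two sign-offs are nine hours apart, which is why both checks are worth running.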
UIDAI’s denials piling up
The UIDAI has traditionally denied any breach of Aadhaar data and allegations that its security systems are/have been compromised. The UIDAI has:
- Denied that people were able to get personal details of TRAI Chairman and former UIDAI CEO RS Sharma after he put out his Aadhaar number in public (more on this here.)
- Denied ZDNet’s report that an Indane system had exposed Aadhaar numbers
- Denied HuffPost India’s report of a software patch which could be used to generate unauthorized Aadhaar cards
- Filed a FIR against a journalist from The Tribune who reported that Aadhaar details of 1 billion people could be bought for Rs 500