Some security experts are questioning whether the Reserve Bank of India's decision to mandate that all banks, payment banks, ATM operations and authorized card payment networks migrate to Aadhaar-based biometric authentication for electronic payment transactions is a good move.
They are raising concerns about the reliability of the authentication method, citing a series of recent data leakage incidents.
The 12-digit Aadhaar number, issued by UIDAI on behalf of the government of India and linked to each resident's demographic and biometric information and photograph, is already widely used as proof of identity.
Among the most significant of the recent Aadhaar-related breach incidents: the Modi government officially acknowledged that individuals' Aadhaar numbers and demographic information, as well as sensitive personal data, including bank account details, collected by various ministries and departments had been published online and were accessible through a simple web search, according to a report in The Indian Express.
In another recent breach, cricketer MS Dhoni's wife, Sakshi Dhoni, described on social media how Dhoni's Aadhaar details were made public.
The government promised action against the agency engaged by UIDAI.
And in another case, on Feb. 15, UIDAI filed a police complaint against Axis Bank, financial transactions company Suvidhaa Infoserve and certification authority eMudhra for breach of Aadhaar biometric data. UIDAI temporarily halted all Aadhaar-based transactions for these three organizations, citing misuse of data through unauthorized authentication and impersonation by illegally storing Aadhaar biometric data, Live Mint reports. The breach was noticed after one individual was found to have performed 397 biometric transactions between July 14, 2016 and Feb. 19, 2017. Of these, 194 transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve, the report adds.
In April alone, more than 10 Aadhaar data leaks in various sectors were reported in the news media.
Besides data leaks, practitioners point to another technological concern: poor data connectivity that results in authentication failures. For instance, Pranesh Prakash, policy director, Centre for Internet and Society, says biometric authentication might fail because of poor data connectivity, and a transaction might not go through even after the individual's Aadhaar number has been entered.
Wait Until It's Foolproof
Clearly, RBI's move to mandate Aadhaar in the financial sector is premature, in light of all the recent leaks. Regulators should delay the mandate until a few concrete steps are taken to improve security.
For example, to help make Aadhaar-based transactions more secure, UIDAI is working on registering devices so that every device has a unique signature. Other steps UIDAI is considering include using device-level encryption and having every packet on the network digitally signed.
To bolster security for transactions, India's financial institutions also should deploy device verification parameters, make sure they have effective risk and fraud management systems, and alert UIDAI to repeated authentication failures. Periodic testing of biometric systems by ethical hackers can also help discover system vulnerabilities.
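The device registration and per-packet signing that UIDAI is described as working on, and the stored-and-replayed biometric data behind the Axis Bank/eMudhra/Suvidhaa complaint, can be illustrated together. The following is an added example, not UIDAI's or any bank's code: it assumes a registry of keys provisioned to each device at registration and uses an HMAC with that per-device key as a stand-in for a public-key signature, then rejects packets from unregistered devices, tampered packets, stale packets and replays of a previously accepted packet. Device ids, keys and the template digest are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed registry: one key per device, provisioned at registration.
# (Assumption: a real deployment would use a per-device asymmetric key pair
# and certificate rather than a shared secret.)
DEVICE_KEYS = {
    "DEV-001": secrets.token_bytes(32),
    "DEV-002": secrets.token_bytes(32),
}

# Nonces already accepted, keyed by device, so a captured packet cannot be
# submitted a second time even if it carries a valid signature.
_seen_nonces = set()


def canonical(body):
    """Serialise the packet body deterministically before signing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_packet(device_id, template_digest, aadhaar_ref):
    """Registered device signs every packet it sends, with a fresh nonce."""
    body = {
        "device_id": device_id,
        "nonce": secrets.token_hex(16),
        "ts": int(time.time()),
        "aadhaar_ref": aadhaar_ref,  # placeholder, not a real Aadhaar number
        "bio": template_digest,      # digest of a constructed template
    }
    sig = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_packet(packet, now=None, max_age=120):
    """Return 'accepted' or a 'rejected: <reason>' string, checked in order."""
    body = packet["body"]
    key = DEVICE_KEYS.get(body.get("device_id"))
    if key is None:
        return "rejected: unregistered device"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["sig"]):
        return "rejected: bad signature"
    now = int(time.time()) if now is None else now
    if abs(now - body["ts"]) > max_age:
        return "rejected: stale packet"
    marker = (body["device_id"], body["nonce"])
    if marker in _seen_nonces:
        return "rejected: replay"
    _seen_nonces.add(marker)
    return "accepted"
```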
Another concern: The Aadhaar database has not been defined as "critical infrastructure" by the Indian government, so it doesn't receive extra protections. The government needs to take action to change this and create a CERT devoted to protecting the data.
In addition, Pavan Duggal, Supreme Court attorney and president of Cyberlaws.net, believes the Aadhaar Act, which spelled out the authentication program, did not comprehensively address privacy and data protection issues.
So it's good news, indeed, that the government is looking into making amendments to the Aadhaar Act to ensure it clearly articulates security and privacy clauses.