Another Aadhaar Leak, and Yet Another Blame Game
It's Time for Collaboration on Enhancing Security
The Unique Identity Authority of India, which administers the Aadhaar program, is again facing harsh criticism about its security measures.
This time, State Bank of India, the nation's largest bank, is claiming that security gaps in UIDAI systems opened the door to the generation of fake Aadhaar cards.
But UIDAI insists its systems are secure.
Rather than playing a blame game, government-owned banks, including SBI, as well as UIDAI and other government entities must collaborate to enhance security.
The Accusations
Public sector banks in India have been entrusted with the task of helping UIDAI with Aadhaar enrollments, for which they hire vendors empaneled by UIDAI.
SBI's Chandigarh branch says it hired two vendors for the enrollment task and later discovered that fake Aadhaar cards were generated by one of the vendors, which allegedly used multiple station IDs or devices. A station ID is essentially a device ID for the computer or laptop used for enrollment; any device used for Aadhaar enrollment must present its device ID as part of the authenticated identity.
SBI said its officials or the vendor did not create these multiple station IDs, so there must have been holes in UIDAI's security system that allowed "someone to hack the system and generate multiple station IDs."
Countering the charge, UIDAI said: "The Aadhaar database is fully secured and no security breach, biometric or otherwise, has taken place." It claimed that one of the agents at a vendor hired by SBI used his ID to generate Aadhaar cards using multiple station IDs.
Persistent Problem
There have been multiple issues with vendors who have been accused of not following proper security guidelines. Last year, UIDAI blacklisted 49,000 Aadhaar centers run by vendors who did not follow appropriate security guidelines.
Plus, in recent years, there have been a series of security lapses involving Aadhaar.
Cases have involved fingerprints of authorized Aadhaar enrollment officers getting cloned, government websites displaying Aadhaar details of millions of people and Aadhaar information getting disclosed by hospital apps.
Since those incidents, the government has introduced a slew of measures designed to help close security gaps, including introducing Virtual Aadhaar ID that allows users to authenticate transactions.
But UIDAI still has a long way to go in improving communications when security concerns arise, rather than just offering the standard response: "We are safe."
UIDAI needs to engage with the security community to understand and address their concerns. Minimizing communications out of concern for not revealing security details has so far not served it well.
All Parties Have a Role to Play
Because SBI hired vendors to handle Aadhaar enrollments for its customers, it's responsible for ensuring that enrollments are completed only through devices in its physical and logical control (see: Helpline Mishap: UIDAI Wrongly Blamed).
But UIDAI also must monitor empaneled vendors to help prevent fraudulent activities and punish those who commit infractions.
Bangalore-based cyber law expert Na. Vijayshankar suggests UIDAI must implement additional technological controls to ensure that only one station ID is granted per person.
"Unless it is deactivated, a second station ID should not be provided. This means that the operators need one human agent for every station ID," he says.
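As an added illustration (not code from the article, UIDAI or SBI), the following Python sketches the control Vijayshankar describes: a hypothetical station registry that refuses a second station ID to an operator until the first is deactivated, plus an audit check that flags operator IDs tied to more than one station in enrollment records. All operator IDs, station IDs and records are constructed.

```python
from dataclasses import dataclass, field


class StationPolicyError(Exception):
    """Raised when issuing a station ID would violate the one-per-operator rule."""


@dataclass
class StationRegistry:
    """Hypothetical registry mapping each operator to at most one active station ID."""
    active: dict = field(default_factory=dict)    # operator_id -> station_id
    history: list = field(default_factory=list)   # (operator_id, station_id, event)

    def issue(self, operator_id: str, station_id: str) -> str:
        # A second station ID is refused while the first is still active.
        if operator_id in self.active:
            raise StationPolicyError(
                f"{operator_id} already holds active station {self.active[operator_id]}")
        self.active[operator_id] = station_id
        self.history.append((operator_id, station_id, "issued"))
        return station_id

    def deactivate(self, operator_id: str) -> None:
        # Deactivation is the only path that frees an operator for a new station ID.
        station = self.active.pop(operator_id, None)
        if station is None:
            raise StationPolicyError(f"{operator_id} has no active station")
        self.history.append((operator_id, station, "deactivated"))


def try_issue(reg: StationRegistry, operator_id: str, station_id: str) -> bool:
    """Return True if the registry granted the station ID, False if the policy refused it."""
    try:
        reg.issue(operator_id, station_id)
        return True
    except StationPolicyError:
        return False


def operators_with_multiple_stations(enrollments: list) -> dict:
    """Audit check over enrollment records: operator IDs seen with more than one station ID,
    the pattern at the centre of the SBI/UIDAI dispute."""
    seen: dict = {}
    for rec in enrollments:
        seen.setdefault(rec["operator_id"], set()).add(rec["station_id"])
    return {op: sorted(stations) for op, stations in seen.items() if len(stations) > 1}


# Constructed sample enrollment records (not real Aadhaar data).
SAMPLE_ENROLLMENTS = [
    {"enrollment_id": "E1", "operator_id": "OP-A", "station_id": "ST-100"},
    {"enrollment_id": "E2", "operator_id": "OP-A", "station_id": "ST-100"},
    {"enrollment_id": "E3", "operator_id": "OP-B", "station_id": "ST-200"},
    {"enrollment_id": "E4", "operator_id": "OP-B", "station_id": "ST-201"},
    {"enrollment_id": "E5", "operator_id": "OP-B", "station_id": "ST-202"},
]
```

Running `operators_with_multiple_stations(SAMPLE_ENROLLMENTS)` returns `{'OP-B': ['ST-200', 'ST-201', 'ST-202']}`, the one operator the audit would escalate for review.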
UIDAI also should instruct banks to use RFID tags to ensure there is an automatic logout once an enrollment system user leaves their desk.
The solution to Aadhaar security issues is for everyone involved to work together. The blame game solves nothing.