Amidst all the reports of poor security, privacy concerns, and the endless memes, we are still confused about whether or not we should link our Aadhaars. As the struggle to link the cards to bank accounts, SIM cards and other services causes Indians to lose sleep, the Unique Identification Authority of India (UIDAI), in a series of tweets, began the #AadhaarMythBuster trend in a bid to dispel fears about the government’s pet project.
The UIDAI claims that bank frauds based on Aadhaar happened because people provided PIN codes and other card details to unscrupulous people. The biometrics collected by telcos are, according to UIDAI, encrypted at the point of collection and sent over to UIDAI to confirm the details. The info is never stored by the service providers.
Use your Aadhaar OTP yourself. Do not share your Aadhaar OTP with any agency, individual, or entity for use on your behalf. Remember UIDAI never calls anyone and asks for Aadhaar OTP. Do not share OTP over any fraudulent call. #AadhaarEssentials pic.twitter.com/ppvQwgCNsJ — Aadhaar (@UIDAI) January 16, 2018
UIDAI does not keep a track of the nature of transactions done using Aadhaar. This means that when you verify your bank account or mobile SIM with Aadhaar, UIDAI does not get your bank account details or mobile number. #AadhaarMythBuster pic.twitter.com/itRguiQLXn— Aadhaar (@UIDAI) January 17, 2018
If you delve deeper into the reported stories of bank frauds based on Aadhaar, you will find that these were cases where people provided their card details, PIN etc. to unauthorized people on call. NEVER share your OTP/ PIN with anyone else. #AadhaarMythBuster pic.twitter.com/peTP99RUa6— Aadhaar (@UIDAI) January 17, 2018
Aadhaar is often looked at as a means for the government to spy on its citizens. Many are still unclear about the way it stores data and what it does with it. The breaches in its security have not helped UIDAI. Recently, French security researcher Robert Baptiste highlighted problems with the official mAadhaar Android app, which lets you display a digital version of your ID card on your phone, according to a report on TNW.
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?— Elliot Alderson (@fs0c131y) January 10, 2018
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database for example... 🤦♂️ https://t.co/acjp6tUjqs
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦♂️ pic.twitter.com/Ty7cPmOjAb— Elliot Alderson (@fs0c131y) January 10, 2018
A lot of people are asking me how bad is the generation of the local database password in the #Aadhaar #android #app. — Elliot Alderson (@fs0c131y) January 11, 2018
I published a small POC here: https://t.co/m2LcIXVYu8
If you start the application multiple times you will see that the generated passwords are always the same pic.twitter.com/U5TRTHiWen
Hi @UIDAI 👋! Do I have to explain to you how real #Android developers are working? — Elliot Alderson (@fs0c131y) January 14, 2018
On his official #Playstore account. @UDAI published today an app called "NewTest" with a blank screenshot and testingtestingtesting[...] as description 🤦♂️ #AadhaarFail pic.twitter.com/e0iRWeesBd
Baptiste, who is also known as Elliot Alderson on Twitter, noted that the poor security on the app could easily let attackers who are in possession of your phone bypass the password protection in mAadhaar and access your private information.
Hi @UIDAI,— Elliot Alderson (@fs0c131y) January 11, 2018
As said in this tweet, you stored the hash of the user password in the database. As the db password is identical for everybody it's easy for an attacker to get it and so compromise his account.
Can you consider this and fix that?
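The weakness described in the tweets above, shown beside a per-install alternative. This is an added illustration, not code from the mAadhaar app or from the researcher's POC: the seed and the string are the ones quoted in the tweets, while the way they are combined, the `Install` class and its dict "keystore" are assumptions made so the example runs offline.

```python
import random
import secrets

# Values quoted in the tweets above; how the app combines them is an assumption.
FIXED_SEED = 123456789
HARDCODED_STRING = "db_password_123"


def weak_db_password() -> str:
    """Weak form: fixed-seed PRNG output plus a constant string."""
    rng = random.Random(FIXED_SEED)   # same seed, so same sequence on every device
    return f"{rng.randrange(10**9)}{HARDCODED_STRING}"


class Install:
    """One simulated device. `keystore` is a stand-in for platform-protected
    key storage (hypothetical; a dict is used so the example runs offline)."""

    def __init__(self) -> None:
        self.keystore = {}

    def db_key(self) -> str:
        # Hardened form: 256-bit key from the OS CSPRNG, created on first
        # launch and reused afterwards, never derived from shipped constants.
        if "db_key" not in self.keystore:
            self.keystore["db_key"] = secrets.token_hex(32)
        return self.keystore["db_key"]


def distinct_keys(derive_for_new_install, installs: int) -> int:
    """Count distinct database secrets across simulated installs."""
    return len({derive_for_new_install() for _ in range(installs)})


def weak_count(installs: int = 50) -> int:
    return distinct_keys(weak_db_password, installs)


def hardened_count(installs: int = 50) -> int:
    return distinct_keys(lambda: Install().db_key(), installs)


if __name__ == "__main__":
    print("weak, distinct secrets over 50 installs:", weak_count())
    print("hardened, distinct secrets over 50 installs:", hardened_count())
    device = Install()
    print("stable across launches:", device.db_key() == device.db_key())
```

A secret built only from values shipped inside the app is the same on every phone, so it protects nothing once the app has been inspected; a key generated on the device and held in protected storage is different for each install and still stable across launches.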
It is heartening to see UIDAI reaching out to the nation of over 1.3 billion people. Links to lists of FAQs are quite handy and the tweets clear up some of the lingering doubts about the system.
The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI. https://t.co/xyewbK2WO2— Edward Snowden (@Snowden) January 8, 2018
However, questions still remain over the security of the system. Recently, The Tribune accessed the Aadhaar details of several citizens after shelling out a meagre sum of Rs 500 over a WhatsApp group. To make matters worse, former CIA operative and serial whistleblower Edward Snowden tweeted that the journalist who exposed the leak should be awarded.
ICYMI. India has a national ID database with the private information of nearly 1.2 billion nationals. It's reportedly been breached. Admin accounts can be made and access can be sold to the database, reports BuzzFeed. https://t.co/DtRIcMQ3O1— Zack Whittaker (@zackwhittaker) January 4, 2018
It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse. https://t.co/7HSQSZ4T3f— Edward Snowden (@Snowden) January 4, 2018
The UIDAI’s approach to quell citizens’ apprehensions on Aadhaar is commendable, but we think that it has arrived a little too late. It is also unclear if the authorities are planning to carry out a larger campaign that goes beyond social media, as most of the population isn’t active on the internet. For many, Aadhaar linking has become a nuisance and the system is reduced to a joke in social media forums and casual banter.

As of now, the country waits for the Supreme Court’s final hearing of the Aadhaar case. One of the petitions challenges the validity of Aadhaar and alleges that it goes against an individual’s right to privacy.