Data leakage possibilities with Aadhaar based e-KYC systems
A recent incident in July 2017 that involved alleged data theft through a KYC app has added to the confusion and concerns in the minds of users about the security and confidentiality of their biometrics and other PII data that are maintained by UIDAI. I am a bit skeptical about how PII is handled by the various agencies who collect and transact with such data in our country. The concern about having my biometrics and other data lifted was at the back of my mind when I was giving my fingerprint at a mobile phone shop for taking a new data connection last week.
It was not until a friend asked me for some clarifications about the internals of biometrics-based authentication systems that I paid close attention to the various possible leakage points in Aadhaar based eKYC/authentication applications.
The overall architecture and process steps involved when using Aadhaar APIs for performing, say, authentication of an Aadhaar card holder are explained in its API documentation. For the sake of understanding possible data leakage points, a simplified diagram of the system is shown below in Fig. 1.
Fig. 1 (Aadhaar POS transaction flow. **)
Although the UIDAI has made it mandatory to get biometric sensor devices certified, and has incorporated a variety of fraud prevention and detection measures, in my view it is still difficult to completely prevent the leakage of sensitive data, especially at the Point of Sale (POS) applications. The two most vulnerable leakage points are:
- The fingerprint sensor. The UIDAI has given the technical specifications for various types of biometric sensors. For fingerprints it requires an optical/multispectral/capacitance technology based scanner. The fingerprints scanned by a device are required to be encrypted before being sent to the host machine; however, it may not be too difficult to skim the raw fingerprints from a scanner device and syphon them off for later use.
- The POS device and software. Even if all the data (scanned fingerprints from a sensor and the response from UIDAI CIDR servers) travelled encrypted, ultimately the details of the person being authenticated are often displayed on screen to a human for confirmation. Anyone who has gone through the e-KYC process at a bank or a mobile phone shop in India knows that the agent there is shown your details, including your photo etc., during the Aadhaar based e-KYC transaction at his/her POS terminal. It is not difficult to record the screen and keystrokes on a PC. Google will offer you many detailed guides that explain how to do screen recording and keyboard logging on a PC.
What should/can be done to prevent such PII/biometrics thefts is a natural question that arises. I will write my thoughts on this in a future post.
Meanwhile, UIDAI on its part does one useful thing: whenever someone performs an operation (e.g. authentication) using an Aadhaar number and biometrics, the UIDAI system sends an alert (see a real sample below) about the operation to the registered email ID and phone number of the Aadhaar card holder. A user can then take suitable action in case such an operation was done without his/her knowledge. Therefore, it is important to maintain your correct mobile phone number and email address with UIDAI. Now, if your registered email and phone number have also been compromised, then you may not have much chance to take any timely action for dealing with your stolen identity.
Fig. 2 (An alert email message from UIDAI sent on a successful Aadhaar authentication.)
**Some parts of Fig. 1 are taken from Google image search results.