Saturday, 4 March 2017

Irregular Transactions by storing biometrics, criminal complaint against Axis Bank

Even Aadhaar sceptics would do well to keep in mind that, while a criminal complaint has been filed against Axis Bank, Suvidhaa Infoserve and eMudhra for allegedly storing biometrics and using them in an unauthorised manner, it was UIDAI that discovered the irregular transactions and reported them to the Delhi Police’s cyber cell and, pending a probe, all transaction requests from these organisations have been put on hold. If the UIDAI system is able to detect fraud, as the banks did when they found millions of debit/credit cards had been compromised due to a faulty ‘switch’ in a payments gateway some months ago in India, presumably that would mean it was working well.
Under normal circumstances, as a safety feature, every time a transaction is made, such as withdrawing funds from a bank, and UIDAI replies to an authentication request, an SMS/email alert is sent to the subscriber.
So, why didn’t UIDAI send out alerts this time around when, going by a report in The Times of India, one individual performed 397 transactions, many of which were based on biometrics that were ‘stored’ locally and bunched during one week in January? Is this an example of Aadhaar being open to misuse since banks, etc, can store your biometrics and use them to illegally authorise transactions later? There have also been reports of one website publishing Aadhaar data of 500,000 minors—this, of course, is a list of names and matching Aadhaar numbers, but does not have actual biometrics—and of white-hat hackers generating iris scans from high-resolution photographs and even the possibility of data being compromised since Aadhaar registrations/verifications are typically done by several private firms.
First, as UIDAI officials point out, since the individual doing the transactions was using his own Aadhaar number, the alerts went to him—to that extent, the system’s first fail-safe worked. Had the stored biometrics belonged to someone else, say a reader of this newspaper, she would have got the SMS/email alerts and would have escalated matters. Second, since the authentication request and the reply are encrypted at a 2048-bit level—normal encryption levels are 128 or 256—UIDAI officials argue this makes the system very safe from hacking. But what of cases where the biometrics are stolen, or generated from high-resolution photographs, and then stored locally? Since security has to be an evolving feature, designed to beat threats as they occur or before they do, UIDAI plans to introduce the concept of ‘registered devices’.


