Arrests for Aadhaar-Related Fraud Raise ConcernsSecurity Experts Again Question Whether ID System Is Reliable
The arrest of 10 men in Uttar Pradesh for allegedly cloning fingerprints of authorized Aadhaar enrollment officers is once again stirring debate over whether it's wise for India to rely so heavily on Aadhaar for authentication.
See Also: A Guide to Passwordless Anywhere
The news comes in the wake of earlier reports of Aadhaar data leaks.
"The current incident is a problem at the enrollment end where fake Aadhaar identity may be created," says Na. Vijayashankar, a cyber law expert. "There are even greater problems at the usage end, where existing Aadhaar users may face identity theft."
Vijayashankar says the widespread use of Aadhaar poses significant risks. And a growing number of security experts say the government should find a replacement for Aadhaar as an ID and slowly migrate to a more secure digital ID system.
"But it is doubtful if the government is aware of what is to be done," Vijayashankar says. "I guess we need to live with it, since the government doesn't have a proper appreciation of the risk and hence no proper remedial action is being taken."
Meanwhile, the latest Aadhaar-related incident has prompted the Unique Identification Authority of India, which administers Aadhaar, to ask states to ensure that all enrollments, even those by private agencies, shift to government or municipal premises from external sites by this month.
Cloning Technique Described
The investigation of the latest Aadhaar incident has revealed that fingerprints of authorized authorities were cloned using gelatin gel, laser and silicon, police say.
The arrests were made on the basis of a complaint filed by the Unique Identification Authority of India on August 16 this year. According to news reports, the UIDAI claimed that the attempt to generate fake Aadhaar cards was foiled by the UIDAI system.
To enroll a user for Aadhaar, an authorized enrollment operator has to access the UIDAI system using his fingerprints and a scan of his retina.
In the incident that led to the arrests, the gang acquired images of the fingerprints of Aadhaar enrollment operators and printed these scanned images on butter-papers. Thereafter, they placed these prints on a sheet of light-sensitive resin, which was then exposed to ultraviolet rays, according to news reports.
The cloned fingerprints obtained at the end of this process looked like an office rubber stamp that can be pressed down on a biometric reader. About 46 such fingerprint stamps were confiscated, police officials say.
The gang also apparently found a way to subvert the second step of authentication - the retina scan. Police are on the lookout for the software developer who allegedly helped the gang bypass the retina-scan requirement, a person closely associated with the case tells Information Security Media Group. The gang used fingerprint stamps and technical know-how to allow multiple logins and enrollments using the stolen credentials, the source says.
Other Fraud Incidents
Police officials says similar cases in other parts of the country came to UIDAI's notice a few months ago. In fact, that is when UIDAI introduced the second step of authentication - the iris scan.
Despite this additional authentication step, issuance of fake Aadhaar numbers continued. "This is when they approached us and we started the investigation once they lodged a formal police complaint," Triveni Singh, Uttar Pradesh's additional superintendent of police, tells ISMG. "They provided us two or three Aadhaar numbers they suspected to be fake and we started our investigation from there."
Singh claims that the members of the gang learned the tricks of fingerprint cloning from YouTube. "They did some tampering with the secure code and hence it wasn't asking for iris scan. How they did this is not known yet," he says.
Authorities do not yet know whether the cloned Aadhaar numbers were used for any criminal activities.
Hoping for a Crackdown
Security practitioners are hoping for a quick crackdown against Aadhaar-related fraud. But that may prove difficult, given limited resources.
"There might be several such cases across country. It's easy to say we want culprits behind the bars," says a police officer involved in the case who asked not to be identified. "Given the shortage of skilled cyber forensic experts or cops that have sound knowledge in this field, the task is cut out for us."
The shortage of experts has resulted in a huge pileup of cases, says a forensics expert associated with the government, who asked to remain anonymous. "Most cases take a year to reach us," he says.
There are only seven Central Forensic Science Laboratories in India, and every court accepts forensic reports only from CFSL. "Imagine the number of cases that are pending only because CFSL is yet to file a report. There just aren't enough experts in the country," the forensics expert says. The severity of the situation can be gauged by the fact that the expert is currently working on a case that came to the lab 17 months ago.
"Today every crime in India has digital evidence. There are handful of government-accredited forensic labs in the country and most labs don't have experts," the forensics expert says.
Finding professionals with the right skills could prove challenging, given that all sectors are grappling with building cybersecurity capacity.
Most professionals don't see an immediate solution to this problem. According to Nasscom, a trade association of IT firms, India adds 40,000 cybersecurity professionals annually, whereas the demand is about 500,000 annually.
Some security practitioners recommend that the government design a framework to induct forensics experts and cybersecurity professionals into the police and government departments.