Aadhar Biometric Security Considerations

Aadhar is one of the flagship projects of India to provide Unique Identification Number to every Indian . It uses Biometric information like Thumb impression and Iris scan to avoid duplicate Identification. Initial applications of Aadhar was to avoid leakages in the Government subsidy programs by using direct cash transfer to the bank accounts of the beneficiary which is linked to the Aadhar database. Now the applications of Aadhar is increasing and it is becoming mandatory to avail any Service offered by Government and Private Companies. With the use of Aadhar based eKYC, vendors can instantaneously verify the identity of the customers when providing services like Telecom, Finance etc. where it is mandatory to know the customer identity.

With the ban of 500 and 1000 Rupee notes on 8 Nov 2016, Indian Government is trying to push the people towards Digital Cashless Economy. There is a surge in digital transactions in the form of Online banking, Mobile wallets, UPI and so on. Government also launched the UPI based BHIM app for Smartphones and is among the top ranked apps considering number of downloads in Google Play Store and Apple store. We are seeing news reports quoting top Government officials about Aadhar based Payment system in which only a Thumb impression and Aadhar number is sufficient to transfer money. There are some pilot projects going on currently before the widespread launch. Reliance Jio is using the Aadhar Biometric based eKYC for verifying customers and providing SIM cards and mobile connectivity services.

For the Aadhar based payment system to work, just a Smartphone with a Thumb or Iris scanner is required. There are cheap thumb scanners available which can be connected through a USB cable to a smartphone. Vendor needs to install an app which is authorised for Aadhar payment service and link hist bank account information. To receive money, Vendor will need to enter the amount to be received into the app and the Customer’s Aadhar number and Customer needs to validate it with the Thumb impression. If the Aadhar biometric is validated, the money is transferred from the Bank account linked to the Customer’s Aadhar number to the Vendor’s Bank account.

I have some security concerns with this system. There can be malicious vendors/hackers, if they managed to get the Aadhar number and Biomentric information, can transfer money without the approval of the customer. I’m not sure if if there is any encryption when the Thumb scanners transfer the scanned Information to the smartphone. So someone come up with custom Thumb scanner device which stores the Thumb impression and allow its access to the vendor later. I assume the information is encrypted between the app and the Aadhar server so that should not be a problem. There are already some cases reported where money is transferred using the Aadhar payment system without customer knowledge and the number of such cases will only rise without complete security analysis.

In the meanwhile there is an option for the customer to lock access to Biometric information so that this problem can be avoided. One needs to visit https://resident.uidai.gov.in/biometric-lock
Aadhar biometric lock screenshot
One needs to enter the Aadhar number and click on generate OTP(One Time Password). OTP will be sent to the mobile number registered with Aadhar through SMS. After this one can lock or unlock the Biometric locking. This way users can unlock the Biometric access only when they intend to use greatly reducing the possibility of misuse. I found that the user interface of the website pretty bad. It does not show what is the current status of the Biometric lock and it is time consuming process. Sometimes the OTP is delayed by few minutes which can greatly affect if the customer wants to unlock quickly before a transaction and may cause user leaving it unlocked. Authorities need to look into these issues and fix it as soon as possible. Also a mobile app to do this faster would be greatly helpful.

Over all I would like to caution users to be careful when using Aadhar Biometric transactions and avoid it if possible till the security considerations are clear.

Leave a Reply

Your email address will not be published. Required fields are marked *