A recent news report states that UIDAI has initiated an investigation into three firms suspected of violating the rules of Aadhaar authentication by sending stored biometrics to the UIDAI server for authentication. The firms involved are Axis Bank, Suvidha Infoserve and E Mudhra. (Refer article here). UIDAI claims that the data received for authentication multiple times was an “Exact Match”, which is statistically impossible for separate live captures and hence indicates a “Stored Biometric” being sent for authentication. The firms, on the other hand, have stated that the authentication requests were “Testing” of some applications and not an attempt to commit any fraud.
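One way the “exact match” check described above could be implemented on the authentication server, shown here as an added illustration rather than UIDAI's actual mechanism; the request format, AUA codes, UIDs and fingerprint samples are all constructed, and the server retains only a digest of each sample, never the sample itself.

```python
import hashlib
from collections import defaultdict

# Constructed authentication requests (hypothetical format):
# (request_id, aua_code, uid, captured_sample_bytes).
# A live scan of the same finger differs slightly on every capture, so two
# byte-identical samples for one UID across separate requests are the
# "exact match" signal that points to a stored, replayed biometric.
BASE_PRINT = bytes(range(256))
SAMPLE_REQUESTS = [
    ("r1", "AUA-A", "uid-0001", BASE_PRINT),
    ("r2", "AUA-A", "uid-0001", BASE_PRINT[:-1] + b"\x07"),   # live: differs by noise
    ("r3", "AUA-A", "uid-0001", BASE_PRINT),                  # byte-identical to r1
    ("r4", "AUA-B", "uid-0001", BASE_PRINT),                  # same bytes via another AUA
    ("r5", "AUA-B", "uid-0002", bytes(reversed(BASE_PRINT))), # unrelated subject
]


def sample_digest(sample: bytes) -> str:
    """Only this digest is kept server-side; the raw sample is discarded."""
    return hashlib.sha256(sample).hexdigest()


def find_exact_repeats(requests, threshold=2):
    """Return {(uid, digest): [request_ids]} for every sample whose exact
    bytes were submitted at least `threshold` times for the same UID."""
    seen = defaultdict(list)
    for req_id, aua, uid, sample in requests:
        seen[(uid, sample_digest(sample))].append((req_id, aua))
    return {key: [r for r, _ in hits]
            for key, hits in seen.items() if len(hits) >= threshold}


def auas_involved(requests, uid, digest):
    """Which requesting entities submitted this exact sample for this UID."""
    return sorted({aua for _, aua, u, s in requests
                   if u == uid and sample_digest(s) == digest})
```

A repeat spanning more than one AUA, as r1/r3/r4 does here, is the stronger finding, since it cannot be explained by a single application's test harness.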
While in this particular instance there may not have been any fraudulent intention on the part of the three parties involved, the incident has confirmed what we have been pointing out as a possible security risk: a biometric can be stored in soft form and reused.
In the past we have been aware that Certifying Authorities have indulged in the practice of keeping copies of private keys, which can later be used to commit digital signature forgeries. Neither the CCA nor the Government has taken corrective steps.
Now the entire “Aadhaar Based Payment System” is in jeopardy because of the revelation of this incident. As one security professional has pointed out (Refer article here), it was naive for UIDAI to announce in public how they were able to identify the potential violation of Aadhaar authentication in this case. Just as often happens when police officials conduct press conferences to boast about a successful investigation, the revelations made by UIDAI will inform future fraudsters on how to bypass the known security measures.
Now, having committed one mistake too many, it is the responsibility of UIDAI to harden its authentication mechanism without necessarily giving out too many details to the public. It is of course still possible to secure the authentication mechanism through innovative methods. But UIDAI may or may not be capable of identifying such mechanisms, nor may it be interested, since it is characteristic of UIDAI to remain in denial mode whenever security weaknesses are pointed out.
We hope that UIDAI does not jump into Aadhaar-based payment systems through NPCI without first resolving these security issues, and thereby land Indian citizens in trouble.