The Government of India is placing a huge reliance on Aadhaar for all forms of KYC. In the coming days, the Aadhaar Enabled Payment System (AEPS) will also be introduced where the biometric of the Aadhaar owner will be used to trigger a financial transaction like the UPI/BHIM application that may be used to send or receive money from another UPI account. It is said that this will be a “PIN Less” and “OTP Less System”.
What this means is that as soon as the application is triggered with a fund transfer request and the biometric of the Aadhaar owner is provided to the UPI application, the payment will be completed without a second reference to the account holder. It will be like a “Single Click Payment System”.
There is no doubt that from the user perspective the AEPS will be a very convenient system, and particularly for less educated persons it appears to be an excellent system. However, one should not forget that in financial transactions “Convenience” is only one aspect of the transaction, and “Security” is another important aspect that needs to be taken care of in any digital payment system.
It is to be reiterated that the systems being introduced by the Government expose the public to risks that are being ignored by the Government and its advisors.
Presently, Aadhaar has introduced a system whereby the “Biometric” can be “locked”. When the biometric is locked, the system may generate an OTP for unlocking. Alternatively, the Aadhaar holder has to go to the website and unlock the biometric, which again can be done with an OTP. While this is touted as a security feature that will prevent misuse of an Aadhaar number, it must be recognized that the locking and unlocking are linked only to the OTP sent to the registered mobile, and hence if a fraudster can get hold of a duplicate SIM, he can overcome the locking security.
Thus in many ways, the OTP becomes the determining factor to secure a digital transaction. The security of OTP is directly related to the KYC system adopted by a mobile service provider particularly when a SIM is reported lost and a replacement is sought.
Recently, the Supreme Court has suggested that every Aadhaar number may be linked to a mobile, again thinking that this would secure the system.
If for any reason this mobile OTP becomes the norm, then there is a need to ensure that this system is hardened by
a) Sending OTP by encrypted message
b) Increasing the complexity of the OTP from a 4 digit numerical to at least a 6 digit numerical and, if possible, a combination of letters and numbers
c) Using voice based OTP delivery instead of text based delivery
d) The OTP returned by the user also to be encrypted
e) The OTP on either side to be sent and received with a digital signature, which is both secure and also cyber law compliant.
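To make points b) to e) concrete, the following is an added example (not code from the original post or from any Aadhaar, UIDAI or NPCI system) of an OTP issuer hardened along those lines: codes are drawn from a cryptographic random source at 6 digits or alphanumeric length, the guess space of each choice is computed so the gain over 4 digits is visible, each code is short lived, single use and limited to a few attempts, and the message carrying the code is bound to the user and expiry with an HMAC tag. The HMAC is a symmetric stand-in for the post's digital signature; the key, the 120 second validity window and the three attempt limit are all assumptions constructed for the example. The transport encryption of a), c) and d) is outside this block.

```python
import hashlib
import hmac
import secrets
import string

DIGITS = string.digits
ALPHANUMERIC = string.ascii_uppercase + string.digits

# Constructed demo key. In a real deployment this would live in an HSM or KMS
# (the key-management concern raised in the post), never in source code.
SERVER_KEY = b"constructed-demo-key-do-not-use"

OTP_TTL_SECONDS = 120   # assumption: a short validity window
MAX_ATTEMPTS = 3        # assumption: lock the code after three wrong guesses


def guess_space(alphabet: str, length: int) -> int:
    """Number of distinct codes a blind guesser must cover (alphabet^length)."""
    return len(alphabet) ** length


def generate_otp(alphabet: str = DIGITS, length: int = 6) -> str:
    """Draw every character from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sign(user: str, otp: str, expires_at: int) -> str:
    """Tag binding the code to its user and expiry so a tampered or re-targeted
    message is rejected. HMAC-SHA256 stands in for the post's digital signature."""
    msg = f"{user}|{otp}|{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class OtpService:
    """Server side state: one pending code per user with expiry and attempt budget."""

    def __init__(self) -> None:
        self._pending: dict[str, list] = {}   # user -> [otp, expires_at, attempts_left]

    def issue(self, user: str, now: int, alphabet: str = DIGITS, length: int = 6) -> dict:
        otp = generate_otp(alphabet, length)
        expires_at = int(now) + OTP_TTL_SECONDS
        self._pending[user] = [otp, expires_at, MAX_ATTEMPTS]
        # The message that would be delivered to the user (over an encrypted channel).
        return {"user": user, "otp": otp, "expires_at": expires_at,
                "tag": sign(user, otp, expires_at)}

    def verify(self, user: str, otp: str, tag: str, now: int) -> bool:
        record = self._pending.get(user)
        if record is None:
            return False                       # nothing outstanding for this user
        stored_otp, expires_at, attempts_left = record
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)      # expired or exhausted: discard
            return False
        expected_tag = sign(user, stored_otp, expires_at)
        # Constant-time comparisons so timing does not leak which characters matched.
        ok = hmac.compare_digest(expected_tag, tag) and hmac.compare_digest(stored_otp, otp)
        if ok:
            self._pending.pop(user, None)      # single use: a replay fails
        else:
            record[2] -= 1                     # burn one attempt on every wrong guess
        return ok


if __name__ == "__main__":
    for alphabet, length in ((DIGITS, 4), (DIGITS, 6), (ALPHANUMERIC, 6)):
        print(f"{length} chars from {len(alphabet)} symbols: {guess_space(alphabet, length):,} codes")
    svc = OtpService()
    msg = svc.issue("alice", now=1000)
    print("first use:", svc.verify("alice", msg["otp"], msg["tag"], now=1010))
    print("replay:   ", svc.verify("alice", msg["otp"], msg["tag"], now=1011))
```

The attempt budget matters as much as the code length: a 6 digit code with unlimited guesses is weaker than a 4 digit code that locks after three, so the two measures belong together.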
While I do not expect many operators to become cyber law compliant and use digital signatures on mobile, encryption can be adopted without much difficulty. However, there needs to be a secure key management system to ensure that the security is difficult to breach.
I hope the authorities, including the implementers of the Watal Committee recommendations, will consider appropriate measures to harden the security of the OTP system, which has already been downgraded by NIST in the USA but continues to be used in India.
I presume that the mobile operators also realize their responsibility in exercising care in obtaining KYC of their customers both when new SIM cards are issued and when lost SIM cards are replaced.
The irony of the current system is that the mobile operator may use Aadhaar as KYC for the issue of SIM cards, while Aadhaar uses the OTP on the SIM card for locking and unlocking the biometric or for the issue of e-Aadhaar. This circular authentication is not the ideal security support, and it becomes more or less a “Single Factor” authentication system. There is therefore a need to think of alternate measures to break this “Circular authentication system”.