Don’t Look to India’s Universal ID System as Model for Biometrics to Replace Social Security Numbers

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.

India’s leading financial newspaper, The Economic Times, featured a piece today, “You can’t make citizens safer by making them more vulnerable. Aadhaar does exactly that”, that spotlighted flaws in India’s Aadhaar universal identification number scheme, including its undue reliance on biometrics.

As I discussed at greater length in an October post, Biometric ID Fairy: A Misguided Response to the Equifax Mess that Will Only Enrich Cybersecurity Grifters and Strengthen the Surveillance State, the Aadhaar system is being held up as a model by those who would like to capitalize on the Equifax data breach by replacing US Social Security numbers with a biometric identification system.

Given that the Aadhaar scheme is being touted as a model for the US to consider, I thought it would be worth spelling out some of its flaws, many of which are well known in India but with which the core of Naked Capitalism’s readership is not familiar.

Linkage of Accounts to Aadhaar

The Government of India and its various bureaucracies, aided and abetted by Indian courts, are mandating widespread use and linkage of accounts to the twelve-digit Aadhaar number. Thus, Indians must now supply an Aadhaar number when they apply for a bank account, as well as link any existing accounts to that number (otherwise, the bank account is frozen). SIM cards are tightly controlled in India, and Indians must now link their Aadhaar number to their mobile ‘phone accounts (including mobile wifi systems).

The use of Aadhaar doesn’t stop there and is in fact accelerating, according to today’s Economic Times piece:

Next year, there is a plan to roll out Aadhaar-linked programmes like a Public Credit Registry with transaction data, and the National Health Information Network electronic health records. The risk of personal information leaks increases with more services getting linked to Aadhaar due to security vulnerabilities, or sheer incompetence of the government or third parties.

A couple of problems flow from this centralizing approach. First, the more basic services and accounts are linked to Aadhaar, the greater the consequences that follow from potential hacks. For not only will financial information be compromised by such a hack, but also mobile phone service, and all and any other services linked to the Aadhaar number.

Second, as today’s Economic Times piece makes clear, the terrorism boogeyman is being trotted out to justify a steady surrender of privacy– even though wider Aadhaar verification may actually supply a false sense of security. Once a person produces an Aadhaar number, it’s assumed that it was legitimately obtained– when that may indeed not be the case:

In October 2016, Delhi Police busted an Inter-Services Intelligence (ISI) spy ring and found that Mehmood Akhtar had an Aadhaar card naming him as Mehboob Rajput. In May this year, the Central Crime Branch found that three Pakistanis had obtained Aadhaar cards in Bengaluru through a middleman for Rs 100 each. More recently, Zeebo Asalina, an Uzbek national arrested in Orissa, had an Aadhaar card naming her as Duniya Khan.

Telecom Regulatory Authority of India (Trai) chairman and former CEO of the Unique Identification Authority of India (UIDAI) R S Sharma suggested … that security agencies may have a better chance of nabbing potential terrorists if all mobile connections are verified using Aadhaar. There is a major flaw in this assertion.

….

What is common in the aforementioned cases is that these Aadhaar cards were based on forged documents. Since UIDAI does not conduct verification by itself, it retains the flaws of these documents and is not ‘fraud-resistant’. In fact, once they have Aadhaar, things may get easier for potential terrorists, given the incorrect perception that it is foolproof (my emphasis.)

Touchingly Naive Faith in Biometric Fairy

I want to highlight another problem: the misplaced overreliance on biometrics. The single most serious problem with such reliance – which I discussed in my October piece cited above – is that unlike a number, once compromised, your biometrics– fingerprints, eyeballs, DNA– cannot be changed. Another October Economic Times piece, “Watch out, Aadhaar biometrics are an easy target for hackers”, expands on the security vulnerabilities of relying on such systems for authenticating identity:

Biometric data, unlike passwords, can never be changed, so if hackers successfully impersonate a fingerprint then they can cause serious havoc, and there is not much the victim will be able to do about it.

With the recent government policies making biometrics the central identity verifier via Aadhaar information, a billion consumers could be walking a thin line between security and convenience. Though it becomes extremely convenient to make transactions via a single touch on your smartphone, it also means that all a malicious hacker needs to get is your fingerprint. Once he gets that, there’s no stopping. Identity theft and fraudulent transactions may just be the beginning.

Now, the government of India had averred that the biometric information collected under the Aadhaar system is secure. [Jerri-Lynn here: They would, wouldn’t they?] But as the article continues, that is not actually the case:

The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

What I found particularly worrying is the ease with which fingerprints can be stolen:

Hackers can easily clone your fingerprints to gain access to your life. What’s scarier is that it’s neither too costly nor too difficult.

Fingerprints can be picked up from daily objects easily or mass attacks are possible if the servers of UIDAI are hacked. Hackers can also skim fingerprints via malicious biometric devices just as with infected credit card machines. The problem here though is that you can block your credit card but not your fingerprint.

The possibilities expand when 3-D printing technology is brought into play:

This can be done via digitally replaying the print to authenticate applications and transactions. Another possibility is to use 3D-model printers to simply make a physical copy of the print. It is even possible to make physical fingerprint replicas using simple dental moulds and some playing dough. According to research at the Department of Computer Science and Engineering at Michigan State University in the US, fingerprints can be replicated in less than $500 with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. According to researchers at CITER, the disturbing thing about fingerprints is they can be hacked just by using everyday items like some dental mould to take a cast, some playing dough to fill it. All they need is an impression of a person’s fingerprint. Using the cloned fingerprint, the hacker can enter every mobile application or devices that use the fingerprint as a security measure.

Yikes.

The same October Economic Times piece discusses simple ways to hack other types of biometric identification: including facial recognition, retinal scans, and voice recognition.

So, it appears that the biometric ID fairy is actually not going to save the day here.

In fact, the opposite is actually the case, with the rush to widen Aadhaar creating a serious risk of potential catastrophe.

Regular readers are well aware of the misery and economic chaos that followed from Prime Minister Modi’s botched demonetisation plan– which I discussed on several occasions, most recently in Remember, Remember the Eighth of November: India’s War on Cash Assessed One Year Later. (See also other coverage here, here, here, here, here, and here.) One reason demonetisation was such a debacle is that India remains a largely cash-based economy, and simply lacks the digital infrastructure that might have allowed its residents to cope with the nearly instantaneous cancellation of most of its currency in November 2016– and the failure to supply replacement currency quickly, and in sufficient amounts, to allow for normal economic activity to continue.

But don’t just take my word for the poor state of India’s digital infrastructure, particularly in rural areas. See this piece from yesterday’s The Wire, Alongside Modi’s Digital India, a Mounting Pile of Unanswered Network Quality Complaints, discussing how India’s deficient digital infrastructure is thwarting the drive to shift Indians away from cash and toward more digital transactions:

A year after demonetisation, an examination of complaints received by the Department of Telecommunications (DoT) shows that thousands of people across the country are struggling to make online transactions due to the lack of a mobile signal or because they receive their OTP (one-time password) messages three or four hours after they initiate a transaction.

These complaints aren’t restricted to a particular provider but instead point to a systematic quality of service issue.

The quality of service problems associated with India’s telecom network has been well documented. While the total data payload in the country’s network grew over 60% last year, India ranked 89 among 100 countries in terms of average mobile internet connection speeds. Various reports over the last two years have shown how frequent call and packet drops, network outages and congested networks result in poor coverage and increased download times.

Hacking Aadhaar and Digital Infrastructure

As the October Economic Times piece discusses, the potential for hacking Aadhaar also poses another threat to this digital infrastructure, if and when it ever gets up and running:

The government has made Aadhaar mandatory for Indian citizens to avail of many government services. Aadhaar is being used almost everywhere now. If the data gets leaked, unlike changing your passwords or creating a new account, people won’t be able to change their fingerprints or their facial structure. The digital infrastructure that the government is trying to push all across the country can come crumbling down if proper security measures are not at place.

The glorious dream of Digital India could simply be a disaster if a billion countrymen finally get digitalised and a single hack gives malicious hackers a lifetime access to their digital assets and identity.

Second Thoughts?

India is marching full speed ahead on Aadhaar plans, at a time when other countries– Estonia, Spain– are having second thoughts about such arrangements and in spite of the considerable burdens– mainly time and hassle– it imposes. I happen to be visiting India at the moment, and just a couple of weeks ago, I accompanied a friend as he purchased a new SIM card and wifi hotspot device. As I mentioned above, India tightly controls issuance of SIM cards. And the process my friend had to undergo to purchase a new wifi connection was anything but simple, requiring him to supply name, address, his mobile number; produce his Aadhaar card; and be fingerprinted. Had to be seen to be believed!

This same friend mentioned that he’d just received notification from his mobile phone company, requiring him to verify a new account he’d opened in July– even though he’d supplied his Aadhaar number when he created that account. I know the plural of anecdote is not data, but imagine the costs Aadhaar is imposing, with everyone having to make time, in person, to produce an Aadhaar card and verify telecoms accounts (not to mention bank accounts, etc.) And that’s just the start of it.

This is in contrast to the situation in London, where last time I visited, SIM cards were available in vending machines. Many other Asian countries– Indonesia, Malaysia, Thailand– make it similarly easy to purchase a “burner” SIM– for use in a ‘phone, dongle, or other digital device. Same in Australia, New Zealand, the US.

Today’s Economic Times article mentions in passing what I think is the crux of the matter:

The [Indian government’s] cavalier attitude towards privacy — that privacy cannot be at the cost of innovation — which Union information technology minister Ravi Shankar Prasad put forth at the prestigious Global Conference on Cyberspace (GCCS) in New Delhi on November 23, indicates the willingness to put citizens’ personal safety at risk: that your privacy is a price that GoI is willing to pay for making it easier for businesses to be built around your data.

Or, to make a slightly different point: creating Aadhaar and other similar technological solutions from scratch provides spectacular opportunities for grift– and that is perhaps the primary reason that so many are cheering on such efforts so loudly– despite their myriad deficiencies.

Bottom Line

This is not a model that the US should seek to follow, as it considers what policy should be adopted in the wake of the Equifax hack. The current Social Security number system is not without its flaws, but biometrics are no panacea, either.


12 comments

  1. Synoia

    Fingerprints wear out, especially for tile and brick layers.

    Older people have less readable fingerprints, due to wear and age.

    If you are going for crime, starting later in life appears beneficial.

  2. Mel

    Security and business-as-usual are each other’s deadliest enemies. If you have to issue (as many as) 1.34 billion Aadhaar accounts, four bogus ones would be judged a stellar success rate anywhere else. I start to imagine a that’s good/that’s bad comedy sketch, like they used to have in the Hee-Haw show on TV:

    We issued four bogus Aadhaar cards out of a billion.
    That’s good.
    No, that’s bad. Three of them were to Pakistani spies.
    That’s bad.
    No, that’s good. We caught those three.
    That’s good.
    I wish I could be so sure.

    The last line is mine. The Hee-Haw writers could have kept it funny.

    Another possible question is whether fingerprints are unique. Frontline did a documentary a decade or so ago on erroneous fingerprint IDs in criminal cases. Their take was that it was subjective human judgment that had mis-identified the suspects’ prints.
    But we’re using fingerprints differently now. Time was, Sam Spade would discover a stack of bodies in a hotel room; they would take fingerprints from the room, they would hunt around for people who could have been in the room when the murders were committed, and any suspect whose prints matched would have to do some explaining.
    Now we are running the prints past huge global databases. We’re confident we won’t find duplicate prints in a population of three dozen or so — can we be sure in a population of 7 billion?

    1. Clive

      Yes, to which I would also add that on the hardware side, when you get borderline almost-identical fingerprint mapping signatures, there’s a lot of difference in the results you get from a low grade sensor with cheap optical components (especially non-optical grade plastic lenses with poor refractive indexes) compared to a higher spec device.

      Plus the mapping matching is always a trade-off between cost (low performance graphic processing) and speed/quality (a little more firepower in the silicon). The temptation to shave a few cents off each reader and get away with lower costs per device at the expense of the quality of the mapping matching (you can’t really vary speed as dwell time at the device is something you can’t just keep adding to) is usually overwhelming.

      The payment industry — certainly in Europe — has looked at this technology and rejected it on a variety of grounds. There’s always some trial going on somewhere, but nothing makes it past the testing phase.

      1. Bugs Bunny

        Clive, my bank (French) allows me to access my account and make transactions, including intracountry transfers, using a fingerprint on my phone to approve. I suppose you’re referring to more substantial financial operations?

        1. Synoia

          Can you do your Banking with your fingerprint on another phone?

          3 parts of security:
          What you possess
          What you know
          What you have

          Your fingerprint on your phone + your phone is two elements of three.

          Clive is discussing fingerprints only, I believe.

          A phone, password and fingerprint are about as good as it gets.

          The problem with bio-metrics is sickness, accidents and age.

        2. Clive

          As Synoia rightly points out above, you never, ever have fingerprint verification as a single factor security allowed in the payments industry. Your phone is acting as another factor, behind your back.

          It’s astonishing how people don’t realise just how much of their financial affairs and protection they’re handing over to the smartphone platforms (iOS and Android). Like you ended up thinking, it seems as though your phone is just a neutral pass-through of your details to whoever’s App you’re using. Uh-uh. Your phone is quietly embedding itself into the whole system.

          1. Skip Intro

            The power we give to iOS and Android is indeed troubling. It may be useful to recall that the business model behind these 2 systems is to use the OS to sell a product. iOS sells iPhones to users, Android sells users to advertisers.

  3. flora

    Thanks for this post.

    ” First, the more basic services and accounts are linked to Aadhaar, the greater the consequences that follow from potential hacks. ”

    And, as we now know, linking a special govt issued id to daily transactions is a very bad idea in itself. Social Security numbers were never intended to be used for daily commerce id. If they had been kept only for social security and employer tax deduction purposes they would be a less attractive hacking target. Now SS numbers are used for credit applications, job applications, school applications, medical records (non- Medicare/Medicaid) and a bunch of other things. An Aadhaar system that retains all the weakness of a govt issued, general commerce used data point only exchanges one target for another; it doesn’t change the nature of the target’s value to hackers.

    ” creating Aadhaar and other similar technological solutions from scratch provide spectacular opportunities for grift ”

    Yes, it does.

  4. Kris Alman

    A couple of years ago, I attended an Internet Identity Workshop, which is held biannually. A startup (I can’t remember the name) was promoting the use of the ECG for authentication. Aside from worrying about the privacy/security implications, I wondered how dysrythmias that come with advancing age would screw things up.

    I read that a Northern Ireland based company, B-Secur, earlier this year closed on a

    £3.5m (~$4.5M) late stage seed investment for its biometric authentication technology that utilizes an individual’s unique heartbeat pattern, known as an electrocardiogram (ECG), to — in its words — “quickly and securely authenticate identity”.

    I hope NC readers would agree this “promising” research is very flawed: https://ruor.uottawa.ca/bitstream/10393/30221/3/Arteaga_Falconi_Juan_Sebastian_2013_thesis.pdf

    The algorithm was tested with ten subjects from MCRlab at the University of Ottawa at different days and conditions using a two electrode ECG phone case. Several tests were performed in order to reach the best setting for the algorithm to work properly. The final results show that the system has a 1.41% of chance to accept false users and 81.82% of accepting the right users. The algorithm was also tested with 73 subjects from Physionet database and the results were around the same, which confirms the consistency of the algorithm. This is the first approach on mobile authentication using ECG biometric signals and shows a promising future for this technology to be used in mobiles.

    1. Synoia

      The final results show that the system has a 1.41% of chance to accept false users and 81.82% of accepting the right users.

      What happens to the 100 – 1.41 – 81.82 = 16.77%? Not verifiable and thus no transaction allowed?

      A 1% false positive is a recipe for going out of business, when combined with the nearly 17% who are denied. Roughly 1 in 5 can’t make a transaction.

      Clive might know the percentage of fake credit cards, but it has to be much lower than 1.41%.

      1. Clive

        Yes, there’s never been a single documented case proving the existence of a faked chip-enabled plastic card (debit or credit). A tolerance of even 0.1%-range false verification would be considered totally unacceptable in the payments industry. Let alone 1%+.

  5. The Rev Kev

    Sometimes an article can make such a great case of criticism of an idiotic idea that comments become redundant. The field is yours.
