Reports published by online tech journal ZDNet suggest that India’s high profile national ID database has been breached. This is the second time this year that people have been able to gain unauthorised access to extremely sensitive personal data belonging to Indian citizens.
Aadhaar – intended to protect citizens
Known as Aadhaar, the system stores data belonging to registered users including identity and biometrics information. Around 1.1 billion Indian citizens are currently registered with the service.
Aadhaar is used as a central verification point for opening bank accounts, buying a mobile phone contract, or enrolling for utilities like electricity. Approved providers can access ID information to verify the identity of an applicant. By maintaining a central registry, the Indian government hopes to combat ID fraud and theft.
Importantly, many of these crucial services are cannot be accessed by anyone who is not registered with the Aadhaar service.
The problem of linked accounts
A serious security flaw has been discovered however, allowing unauthorised users to capture sensitive personal details including name, ID numbers and bank details. The sort of information that should never be publicly available.
According to the security researcher who first discovered the security loophole, he was able to access the Aadhaar database via a third party – Indane, the state-owned utilities provider. The Indane website is connected to Aadhaar to verify identities – and the researcher found a way to trick Indane into giving him data belonging to other people.
Further testing revealed a serious security design flaw that would allow serious hackers to “guess” ID numbers, feed them into the Indane system, and return all the other identity details automatically. Because these guesses are not limited in anyway, cybercriminals could potentially steal thousands of identities every hour.
Although the Indian government was very slow to respond (they were warned of the issue over a month ago), the system is now offline while the security flaw is fixed. As yet there is no evidence to suggest that personal data has been stolen by anyone else.
A warning for the rest of the world
The system is one of the first of its kind, and many other countries hope to follow India’s example. The Indane/Aadhaar flaw is extremely basic and could easily have been avoided with proper testing by both parties.
Unfortunately for Indian citizens – and anyone else whose country uses a national ID database – they have little choice in the matter. If they’re not registered, citizens’ options are limited. Which means that a huge section of the Indian population are at the mercy of Aadhaar’s poor design and testing.
Hopefully governments in other countries are paying close attention to the troubles caused by Aadhaar and ensure they avoid making the same mistakes when deploying their own ID systems. Otherwise we can expect to see many more scandals like this in the near future.