Serious concerns hang over Aadhaar security after ‘hackers clone fingerprints’ to make fake biometric cards in Uttar Pradesh – and investigators suspect an ‘insider role’
UP’s Special Task Force arrested 10 members of an alleged gang of fraudsters
Investigators believe they hacked the secure code for the system and cloned fingerprints of issuing authorities using gelatin gel, laser and silicon
It’s suspected that an ‘insider’ helped alleged hackers bypass security measures
Damning details related to Aadhaar card security have emerged after the Uttar Pradesh special task force on Sunday arrested 10 members of a gang allegedly involved in issuing fake biometric cards.
Investigators said that the gang members had not only hacked the secure ‘source code’ to access the application but also cloned fingerprints of authorised issuing authorities by using gelatin gel, laser and silicon.
The exposure raises serious questions about the Centre’s efforts to link its various schemes, PAN, individual bank accounts and mobile numbers with the Aadhaar card, until now considered foolproof.
‘The investigation has thrown up some shocking facts about the modus operandi of this gang,’ Triveni Singh, additional superintendent of police, STF, said.
‘The operators made copies of the login details used by valid enrollment centres, issued by UIDAI, the nodal authority mandated to issue the 12-digit unique number.
‘They were also able to crack and replicate the application for the retinal scanning, an ocular-based biometric technology.’
Singh said the team was yet to ascertain the enormity of the operation as these members are believed to have shared or sold these codes to other centres as well.
‘The gang was selling clone operator fingerprint and copy of client application for Rs 5,000 to run illegal centers.
‘During the raid, the STF seized software with fake fingerprints as well as finger and retina scanners,’ he said.
Members of the investigation team said while the gang members learnt about the use of gelatin gel and latex from the internet, they suspect an insider role in the creation of the duplicate client application (software) which allowed them to bypass security measures like fingerprints and IRIS scans needed for Aadhaar enrollment.
‘The clone copies were made by taking a fingerprint on butter paper and later treating it with chemicals and ultraviolet rays at different temperatures to create a mould using gelatin gel and latex,’ an STF official said.
‘But the breach of high-tech application and source code is not possible without the collusion of one or more UIDAI officials.’
According to web security experts, the UIDAI functions on a sophisticated source code.
A cyber expert explained: ‘The source code is available only with the core team. It is a collection of computer instructions or scripts on which an application is defined.
‘In June, after the UIDAI found the same login (fingerprints) being used at multiple places to issue Aadhaar cards, they introduced the latest version of their application, which had the added feature of an IRIS scanner for operators to authenticate.’
‘These gang members may have got access to that source code and tampered with the biometric authentication like fingerprints and IRIS. So now, these illegal centres had the software to log in to the Aadhaar server without using any biometric details, which is worrisome,’ the web security expert added.
The STF officials said although all the 10 arrests were made from Kanpur in UP, the web of ‘illegal’ Aadhaar centers is spread across India and lakhs of enrollments have been done by such centres.
However, the team is yet to figure out if this loophole was sold to elements involved in making the unique ID for illegal migrants.
The task force is in the process of finding out the number of biometric details which were uploaded by the gang on the Aadhaar data pool. Many officers secretly admitted that the arrests are a major setback for the Aadhaar project.
A senior official at UIDAI said that the issue had come to their notice a few months back, following which they registered an FIR and upgraded their security features.
The UIDAI has deactivated close to 81 lakh Aadhaar identities, after discrepancies were found in the biometric data or supporting documents. The UIDAI has defined sophisticated security measures, hardware and software to be followed by an enrollment centre, but on the ground none of these precautions is practised, claims STF.
‘Most of the work is outsourced to third parties and there is no verification or audit of operators.
‘During investigation, it was found that several Aadhaar enrollment centers were operational with a wrong name,’ a member of the STF said on condition of anonymity.
This revelation has set alarm bells ringing at UIDAI, which has to audit and verify the number of such illegal centers running across the country. STF teams are conducting raids in other states to arrest similar gangs and also to detect who leaked the source code of the UIDAI application.
Enrollment officers and a registrar who are involved in the process of issuing licenses and verification are on the STF radar, sources said.
Concerns about security in the Aadhaar system have been raised following recent reports of its database being vulnerable to hackers.
Recently, the Supreme Court declared the Right to Privacy a fundamental right, leaving many in limbo about the whole concept and authenticity of Aadhaar verification.