Latest Aadhaar security flaw isn't as serious as a data breach, but leaves the public open to social engineering attacks

The government has been persistent in pushing Aadhaar as the primary government ID and equally persistent in assuring the public that the system is safe. Even after an exposé in The Tribune showed how easily one could obtain anyone's Aadhaar details for just Rs 500, UIDAI remained adamant about the security of the Aadhaar system. Now another flaw has been found in this "secure" system: anyone can learn, from any phone, the name of the bank linked to your Aadhaar number. While this is certainly not as serious as a data breach, the flaw does leave anyone open to social engineering attacks.

Representational image. Image courtesy: CNN-News18

The flaw, according to a Hindustan Times report, lies in the USSD (Unstructured Supplementary Service Data) service that UIDAI publicly announced in December, which tells a user whether their bank account has been linked to their Aadhaar number. Just dial *99*99*1# from your phone, enter an Aadhaar number, confirm it, and if a bank account is linked to that number, the name of the bank is displayed. This sounds like a useful service, but the problem is that the number you enter does not have to be your own: you can enter anyone's Aadhaar number and find out which bank is linked to it.

The service performs no authentication: nothing ties the query to the person who actually holds that Aadhaar number, so anyone who knows (or guesses) a valid 12-digit number can look up the bank mapped to it. Knowing the name of someone's bank may not seem like a big deal at first, but telemarketers, spammers and attackers can put that information to various nefarious uses, including spear-phishing, as the HT report suggests. A caller who already knows your Aadhaar number and which bank you use is far more convincing when posing as that bank.

On 10 January, in a bid to address privacy concerns, UIDAI introduced the concept of a 'Virtual ID', which Aadhaar holders can generate from the UIDAI website and present for various purposes, including SIM verification, instead of sharing the actual 12-digit Aadhaar number. The Virtual ID is a temporary, revocable 16-digit random number mapped to a person's Aadhaar number, and the Aadhaar-issuing body will start accepting it from 1 March 2018.

With inputs from PTI


Updated Date: Jan 24, 2018 09:27 AM