The government has been very persistent in pushing Aadhaar as the primary government ID and in assuring the public that the system is very safe. Even after an exposé in The Tribune showed how easily one can obtain anyone's Aadhaar details for just Rs 500, UIDAI has remained adamant about the security of the Aadhaar system. Now another flaw has been found in this "secure" system: anyone can learn the name of the bank linked to your Aadhaar number from any phone. While this is certainly not as serious as a data breach, the flaw does expose anyone to social engineering attacks.
The flaw, according to a Hindustan Times report, lies in the USSD (Unstructured Supplementary Service Data) code that UIDAI shared publicly in December, which tells the user whether their bank account has been linked to their Aadhaar number. Just dial *99*99*1# from your phone, enter your Aadhaar number and confirm it; if your bank account is linked, the name of the bank is displayed. This sounds like a useful service, but the problem is that you can enter anyone's Aadhaar number and find out the name of the bank linked to that number.
No authentication step verifies that the person querying is the actual Aadhaar holder. Knowing only the name of the bank may not seem like a big deal at first, but telemarketers, spammers and hackers can use this information for various nefarious purposes, including spear-phishing, as the HT report suggests. An attacker who can quote both your Aadhaar number and your bank gains that much more credibility.
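As an added illustration (not code from the report or from UIDAI), here is a small Python model of the query flow described above, placed beside a caller-bound variant that assumes the USSD gateway passes the originating mobile number to the service; the Aadhaar numbers, mobile numbers and bank name are constructed sample values.

```python
"""Model of the *99*99*1# bank-linkage query and one way to bind it to the holder."""

# Constructed sample records: Aadhaar number -> (registered mobile, linked bank or None)
LINKAGE_DB = {
    "123456789012": ("+919800000001", "Example Bank A"),
    "234567890123": ("+919800000002", None),  # enrolled, no bank linked
}


def ussd_lookup_unauthenticated(entered_aadhaar: str) -> str:
    """The flow as the report describes it: any caller who types any Aadhaar
    number gets the linkage status back. Nothing ties the request to the
    person the number belongs to, so the service acts as a lookup oracle."""
    record = LINKAGE_DB.get(entered_aadhaar)
    if record is None:
        return "Aadhaar number not found"
    _, bank = record
    return f"Linked bank: {bank}" if bank else "No bank account linked"


def ussd_lookup_bound_to_caller(caller_msisdn: str, entered_aadhaar: str) -> str:
    """Hardened variant (an assumption of this example, not UIDAI's fix).
    The USSD gateway already knows the originating MSISDN, so the service
    answers only when that number is the mobile registered against the
    Aadhaar record. Every failure case returns identical text, so a third
    party learns neither whether the number exists nor whether it is linked."""
    record = LINKAGE_DB.get(entered_aadhaar)
    if record is None or record[0] != caller_msisdn:
        return "Request cannot be processed from this number"
    _, bank = record
    return f"Linked bank: {bank}" if bank else "No bank account linked"


def third_party_can_distinguish(caller_msisdn: str) -> bool:
    """Check for the hardened handler: can a caller who owns none of the
    records tell apart enrolled-and-linked, enrolled-and-unlinked and
    unknown Aadhaar numbers from the reply text? False means no leak."""
    candidates = list(LINKAGE_DB) + ["999999999999"]  # last one is not enrolled
    replies = {ussd_lookup_bound_to_caller(caller_msisdn, a) for a in candidates}
    return len(replies) > 1
```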
On 10 January, in a bid to address privacy concerns, the UIDAI introduced a new concept of 'Virtual ID', which Aadhaar-card holders can generate from the UIDAI website and give out for various purposes, including SIM verification, instead of sharing the actual 12-digit biometric ID. The Virtual ID will be a temporary and revocable 16-digit random number mapped to a person's Aadhaar number, and the Aadhaar-issuing body will start accepting it from 1 March 2018.
With inputs from PTI