Editor's note: This copy was published on 30 July, 2018. It is being republished in light of the Supreme Court's verdict on the constitutionality of Aadhaar likely being pronounced tomorrow.
The weekend saw a sharp exchange of tweets between our soon-to-retire telecom regulatory chief Mr R.S. Sharma and advocates of privacy. He is an unabashed believer in the security of Aadhaar. This, for the uninitiated, is like a social security number that is now being linked to everything under the sun — bank records, financial statements, income tax returns, phone numbers and even competitive examinations.
Sharma has claimed, and he’s probably right, that no harm could come to him if his Aadhaar details were to be made public. This has been consistently echoed by UIDAI, which claims a “security perimeter” around the collected biometrics of every individual in the Indian subcontinent. As such, Aadhaar represents the most massive honeypot of sensitive biometrics ever compiled on the planet. This author takes the government’s claims on the security of the biometric database, and the claims that said database has never been breached, at face value.
However, hacking the database is not really required for Aadhaar to be a privacy concern. It is unlikely that prominent public figures like Sharma or Amitabh Bachchan will “suffer” from identity thefts. It is the ordinary Indian who is spammed by text and email when their privacy is compromised. Worse still, they could get phished.
Knowing just the Aadhaar number isn’t the destination. It is a starting point to identity theft.
My Aadhaar number is 7621 7768 2740
Now I give this challenge to you: Show me one concrete example where you can do any harm to me!
— RS Sharma (@rssharma3) July 28, 2018
It is hardly to be expected that everyone in a nation that’s only now at the cusp of a digital revolution would be aware of the importance and need for protecting privacy. The intent of this write up is to document a robust need for safeguarding our data and own responsibility for it. In a democracy, everyone has the right to broadcast their details as they deem fit. However, for a vast majority, these come with severe real-life repercussions for which we must be adequately prepared. Indians have been cavalier about privacy because of prevailing socio-economic constructs. They open up to random strangers and freely discuss their medical issues. Phone numbers are given out quickly for offers and cashback. Privacy is an abstract concept (like health). Users don’t realise its value until it vanishes. However, by then, it is usually too late.
The scale of identity theft worldwide is mind-boggling; however, sparse data on this exists in India. We are close to finishing the first quarter of the 21st century, and scamsters have rapidly evolved with the times. The phone number has emerged as a single point of identification for most of us. We use it for everything from banks, who send a text message for one-time passwords, to online services like email and social media that use it to identify us and secure our accounts. Inherent to this trust mechanism is the assumption that the user in control of their phone number.
Herein lies the problem. Phone numbers can be cloned by a technique known as SIM hijacking. A phisher (as these scamsters are usually called) induce a state of panic by claiming that essential services will be blocked if they are not given your SIM card details, for example. These methods are not always successful, and they don’t always have to be. Going through a list of harvested phone numbers (often gleaned from WhatsApp groups) also takes persistence and time.
As such, this has rapidly evolved to sending a series of text messages with links to a fraudulent website (by using link shortening services to hide the fake address) and creating a look-alike website that captures your credentials details. A person is effectively “pwned”, their credentials stolen and subsequently, the victim's social media accounts and email is then at the mercy of the attacker.
Sorry for this Sir, But this is only for educational purpose.
I made a FAKE aadhar of yours and uploaded to Facebook and Amazon Cloud Services, And what both of them accepted this as a proof of identity. I may use Amazon Services and Facebook ads service on your name now. pic.twitter.com/pOP4heBNFJ
— Rahul Dhiman (@enggdhiman) July 29, 2018
Bank accounts are especially vulnerable points of failure. Most bank accounts do not provide a more robust two-factor authentication like YubiKeys, which are physical tokens for account authentication. Most banks deal with numerous third-party companies whose security credentials may not be as robust as the controlling entity itself as they lack the motivation to invest in secure and scalable systems. Phone numbers linked to WhatsApp and Instagram are even worse. After cloning the mobile phone number, these accounts can be switched to a new device with devastating results for the victim. With simple-to-setup payment systems now coming arriving on such apps, one can imagine the damage that could be caused. More commonly, women get affected by these scams where morphed pictures and false allegations are levied on them. This has a cascading effect on their psyche with often no recourse in the legal system. Long-term psychological effects are unknown. All of this with a simple phone number.
There is also a thriving market for pre-activated prepaid SIM cards that often sell for a higher value than the regular numbers. It is usually done by unscrupulous dealers who harvest the details from property records and convert existing biometric information (like thumbprints) to a polymer-based system) that is recognised by the fingerprint reader supplied for identity verification. Many users are unaware that Aadhaar offers a method to lock biometrics, but that is now moot.
[Editor’s note: Users on Twitter have claimed to have discovered Sharma’s phone number, gmail ID, PAN card, bank account number and a few other details using the Aadhaar number he gave out.]
Last but not the least is the proliferation of payment wallet apps. They require your phone number to get verified and linked to your bank account. These applications do not require two-factor authentication for transfers, nor are they have been mandated to do so. A spate of financial fraud has been perpetuated (which are out of scope here), but all of them are not reported in the public domain.
— Chandra R. Srikanth (@chandrarsrikant) July 29, 2018
As the thrust on digital India grows, it is essential to bring in stronger safeguards. In addition to legislation, the onus is on companies for fraud detection and reporting it in the public domain. Users should also understand the risks associated with phone numbers, or else we will soon see the digital apocalypse. A loss of privacy, however slight, is nothing to scoff at.
Thanks. By the way, were you able to cause any harm to me , because now you know my Aadhaar number? — RS Sharma (@rssharma3) July 28, 2018
What is the way out? A superior alternative to WhatsApp is Telegram that also ships with secure two-factor authentication. A user's phone number isn't displayed in random groups or channels (which work as a public broadcast feature). It would also be prudent to delete your social media profiles because these networks, despite their claims of “improving networking and productivity”, bring more harm than good.
The old-fashioned word of mouth recommendation works best. Users also need to learn about using unique passwords for every account with password managers like 1Password and physical token keys like Yubikeys. Be aware, while these recommendations may sound tedious, remember that the costs associated with identity theft are more onerous.
It all starts with a simple phone number!
Dr Abhishek Puri is a practising Radiation Oncologist with a keen interest in technology and privacy.