In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, February 28, 2018

12910 - French researcher uses simple hack to access Telangana government site with lakhs of Aadhaar details - Scroll.In


TSPost has account details, including Aadhaar numbers, of 56 lakh NREGA, and 40 lakh social security pension beneficiaries.
Published Yesterday · 10:41 am



A French security researcher used a basic web hacking technique to breach the Telangana government’s benefit disbursement portal TSPost, which has the account details – including Aadhaar numbers – of 56 lakh National Rural Employment Guarantee scheme beneficiaries, and 40 lakh beneficiaries of the social security pensions.

“In theory, a government website is very secure but in India, it’s another story... http://tspost.aponline.gov.in is vulnerable to a basic SQL injection,” the researcher, Baptiste Robert said on Twitter, where he goes by the handle Elliot Alderson.
Hackers and researchers use SQL, or structured query language code, to attack the back-end of websites.


“A basic SQL injection allows an attacker to access the database of the website,” Robert said according to The Times of India. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

In a follow-up tweet about how the government fixed the problem, Robert said, “I don’t know if I have to laugh or cry.” He said the government had fixed the issue by putting the website offline.

“We are working on fixing the vulnerability after it was reported to us,” a TSPost official told The Times of India. “It was online due to certain dependencies. We have taken off the site from the web, and we hope by Tuesday evening we will be able to set it right.”


This new breach comes just weeks after several cases highlighted how vulnerable the Aadhaar system is to security breaches.

In Surat, stolen biometrics were used to steal rations. The police arrested two fair price shop owners after busting the racket that involved diverting subsidised food items by using an illegal software that used the stolen data.

In the Rajya Sabha, the Minister of State for Finance Shiv Pratap Shukla had admitted that nearly Rs 1.5 crores in cash was fraudulently withdrawn from Public Sector Bank accounts using customers’ Aadhaar numbers.



12909 - Cakewalk for French tech-wiz, Aadhaar and Telangana portal easy hack - TNN


U Sudhakar Reddy | TNN | Feb 27, 2018, 06:44 IST

HYDERABAD: A French security researcher on Monday breached the Telangana government benefit disbursement portal ‘TSPost’ and lay bare its vulnerabilities. The portal has account details including Aadhaar numbers of 56 lakh beneficiaries of NREGA (National Rural Employment Guarantee scheme) and 40 lakh beneficiaries of social security pensions (SSP). 

The researcher, Baptiste Robert with Twitter handle ‘Elliot Alderson’, who has been highlighting data insecurity of the Aadhaar database posted on his Twitter as to how the site is vulnerable to basic SQL (structured query language) injection, a common web hacking technique. In this technique, researchers used SQL code for attacking back-end database of Telangana disbursement portal to access confidential information. 

The important application programming interface key (API key) of the portal and data tables of various beneficiary schemes like NREGA and SSP were breached thereby opening access to all the data of beneficiaries, including Aadhaar numbers. 

‘TSPost tries to fix breach and uplink’

Robert said, “In theory, a government website is very secure, but in India, it’s another story. http://tspost.aponline.gov.in is vulnerable to a basic SQL injection that allows an attacker to access the database of the website. To be clear, all the data on this website can be a dump. Telangana government officials say they are working on to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

The researcher tweeted in the evening, “I don't know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website.”


About the breach, a TSPost official said, “We are working on fixing the vulnerability after it was reported to us. It was online due to certain dependencies. We have taken off the site from the web, and we hope by Tuesday evening we will be able to set it right.”

Satish, COO of TSPost, said, “Our technical team is working on it. We can give an update on Tuesday.” 
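
What a "basic SQL injection" of the kind described in the two reports above means at the code level, and what a real fix looks like compared with taking a site offline, shown as an added example that is not from the articles or from the TSPost code base. The table, column names, sample rows and lookup functions are all constructed for illustration, and SQLite stands in for whatever database the portal used.

```python
import re
import sqlite3

# Constructed sample data: no real people, accounts or ID numbers.
SAMPLE_ROWS = [
    ("1001", "Sample Person A", "NREGA", "000000000001"),
    ("1002", "Sample Person B", "SSP", "000000000002"),
    ("1003", "Sample Person C", "NREGA", "000000000003"),
]

# Constructed request value: a quote character closes the string literal and
# the rest is interpreted as SQL when the query is built by concatenation.
CRAFTED_INPUT = "x' OR '1'='1"

# Allowlist for the hypothetical account-id format: ASCII digits only.
ACCOUNT_ID = re.compile(r"[0-9]{1,12}")


def make_db():
    """In-memory stand-in for a benefit-disbursement database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE beneficiaries ("
        "account_id TEXT PRIMARY KEY, name TEXT, scheme TEXT, id_number TEXT)"
    )
    conn.executemany("INSERT INTO beneficiaries VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_id):
    """BEFORE: request input is concatenated into the SQL text itself."""
    sql = (
        "SELECT account_id, name, scheme, id_number FROM beneficiaries "
        "WHERE account_id = '" + account_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, account_id):
    """Minimal fix: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT account_id, name, scheme, id_number FROM beneficiaries "
        "WHERE account_id = ?",
        (account_id,),
    ).fetchall()


def mask(id_number):
    """Return the ID number with everything but the last four digits hidden."""
    return "X" * (len(id_number) - 4) + id_number[-4:]


def lookup_hardened(conn, account_id):
    """AFTER: allowlist validation, parameter binding, and a masked ID in the result."""
    if not ACCOUNT_ID.fullmatch(account_id):
        return []  # reject anything that is not a plain account id
    rows = lookup_bound_only(conn, account_id)
    return [(acct, name, scheme, mask(idn)) for (acct, name, scheme, idn) in rows]


def compare():
    """Row counts returned by each lookup for a normal and a crafted input."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "1001")),
        "vulnerable_crafted": len(lookup_vulnerable(conn, CRAFTED_INPUT)),
        "bound_crafted": len(lookup_bound_only(conn, CRAFTED_INPUT)),
        "hardened_crafted": len(lookup_hardened(conn, CRAFTED_INPUT)),
        "hardened_normal": len(lookup_hardened(conn, "1002")),
    }


if __name__ == "__main__":
    for label, count in compare().items():
        print(f"{label}: {count} row(s)")
```

The concatenating lookup returns the whole table for the crafted value, while the bound and hardened lookups return nothing for it; masking limits what even a legitimate lookup exposes.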


12908 - Can India's Biometric Identity Program Aadhaar Be Fixed? - Electronic Frontier Foundation

BY JYOTI PANDAY

FEBRUARY 27, 2018

The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on the privacy concerns raised by the unsanctioned use of Aadhaar.

The stakes in the Aadhaar case are huge, given the central government’s ambitions to export the underlying technology to other countries. Russia, Morocco, Algeria, Tunisia, Malaysia, Philippines, and Thailand have expressed interest in implementing biometric identification system inspired by Aadhaar. The Sri Lankan government has already made plans to introduce a biometric digital identity for citizens to access services, despite stiff opposition to the proposal, and similar plans are under consideration in Pakistan, Nepal and Singapore. The outcome of this hearing will impact the acceptance and adoption of biometric identity across the world.

At home in India, the need for biometric identity is staked on claims that it will improve government savings through efficient, targeted delivery of welfare. But in the years since its implementation, there is little evidence to back the government's savings claims. A widely-quoted World Bank's estimate of $11 billion annual savings (or potential savings) due to Aadhaar has been challenged by economists.

The architects of Aadhaar also invoke inclusion to justify the need for creating a centralized identity scheme. Yet, contrary to government claims, there is growing evidence of denial of services for lack of Aadhaar card, authentication failures that have led to death, starvation, denial of medical services and hospitalization, and denial of public utilities such as pensions, rations, and cooking gas. During last week's hearings , Aadhaar's governing institution, the Unique Identity Authority of India (UIDAI), was forced to clarify that access to entitlements would be maintained until an adequate mechanism for authentication of identity was in place, issuing a statement that "no essential service or benefit should be denied to a genuine beneficiary for the want of Aadhaar."

Centralized Decision-Making Compromises Aadhaar's Security
The UIDAI was established in 2009 by executive action as the sole decision-making authority for the allocation of resources, and contracting institutional arrangements for Aadhaar numbers. With no external or parliamentary oversight over its decision-making, UIDAI engaged in an opaque process of private contracting with foreign biometric service providers to provide technical support for the scheme.  The government later passed the Aadhaar Act in 2016 to legitimize UIDAI's powers, but used a special maneuver that enabled it to bypass the House of Parliament, where the government lacked a majority, and prevented its examination by the Parliamentary Standing Committee. The manner in which Aadhaar Act was passed further weakens the democratic legitimacy of the Aadhaar scheme as a whole.

The lack of accountability emanating from UIDAI's centralized decision-making is evident in the rushed proof of the concept trial of the project. Security researchers have noted that the trial sampled data from just 20,000 people and nothing in the UIDAI's report confirms that each electronic identity on the Central ID Repository (CIDR) is unique or that de-duplication could ever be achieved. As mounting evidence confirms, the decision to create the CIDR was based on an assumption that biometrics cannot be faked, and that even if they were, it would be caught during deduplication.

It emerged during the Aadhaar hearings that UIDAI has neither access to, nor control of the source code of the software used for Aadhaar CIDR. This means that to date there has been no independent audit of the software that could identify data-mining backdoors or security flaws. The Indian public has also become concerned about the practices of the foreign companies embedded in the Aadhaar system. One of three contractors to UIDAI who were provided full access to classified biometric data stored in the Aadhaar database and permitted to “collect, use, transfer, store and process the data" was US-based L-1 Identity Solutions. The company has since been acquired by a French company, Safran Technologies, which has been accused of hiding the provenance of code bought from a Russian firm to boost software performance of US law enforcement computers. The company is also facing a whistleblower lawsuit alleging it fraudulently took more than $1 billion from US law enforcement agencies.

Compromised Enrollment Scheme
The UIDAI also outsourced the responsibility for enrolling Indians in the Aadhaar system. State government bodies and large private organizations were selected to act as registrars, who, in turn, appointed enrollment agencies, including private contractors, to set up and operate mobile, temporary or permanent enrollment centers. UIDAI created an incentive based model for successful enrollment, whereby registrars would earn Rs 40-50 (about 75c) for every successful enrollment. Since compensation was tied to successful enrollment, the scheme created the incentive for operators to maximize their earning potential.

By delegating the collection of citizens' biometrics to private contractors, UIDAI created the scope for the enrollment procedure to be compromised.  Hacks to work around the software and hardware soon emerged, and have been employed in scams using cloned fingerprints to create fake enrollments. Corruption, bribery, and the creation of Aadhaar numbers with unverified, absent or false documents have also marred the rollout of the scheme. In 2016, on being detained and questioned, a Pakistani spy produced an Aadhaar card bearing his alias and fake address as proof of identity. The Aadhaar card had been obtained through the enrollment procedure by providing fake identification information.

An India Today investigation has revealed that the misuse of Aadhaar data is widespread, with agents willing to part with demographic records collected from Aadhaar applicants for Rs 2-5 (less than a cent). Another report from 2015 suggests that the enrollment client allows operators to use their fingerprints and Aadhaar number to access, update and print demographic details of people without their consent or  biometric authentication.

More recently, an investigation by The Tribune exposed that complete access to the UIDAI database was available for Rs 500 (about $8). The reporter paid to gain access to the data including name, address, postal code, photo, phone number and email collected by UIDAI. For an additional Rs 300, the service provided access to software which allowed the printing of the Aadhaar card after entering the Aadhaar number of any individual. A young Bangalore-based engineer has been accused of developing an Android app "Aadhaar e-KYC", downloaded over 50,000 times since its launch in January 2017. The software claimed to be able to access Aadhaar information without authorization.

In light of the unreliability of information in the Aadhaar database and systemic failure of the enrollment process, the biometric data collected before the enactment of the Aadhaar Act is an important issue before the Supreme Court. The petitioners have sought the destruction of all biometrics and personal information captured between 2009-2016 on the grounds that it was collected without informed consent and may have been compromised.

Authentication Failures
The original plans for authentication of a person holding an Aadhaar number under Section 2(c) of the Aadhaar Act, 2016 were meant to involve returning a "Yes" if the person's biometric and demographic data matched those captured during the enrollment process, and "No" if it did not. But somewhere along the way, this policy changed, and in 2016, the UIDAI introduced a new mode of authentication, whereby submitting biometric information against an Aadhaar number would result in that person's demographic information being returned.
This has created a range of public and private institutions using Aadhaar-based authentication for the provision of services. However authentication failures due to incorrect captured fingerprints, or a change in biometric details because of old age or wear and tear are increasingly common. The ability to do electronic authentication is also limited in India and therefore, printed copies of Aadhaar number and demographic details are considered as identification.

There are two main issues with this. First, as Aadhaar copies are just pieces of paper that can be easily faked, the use and acceptance of physical copies creates an avenue for fraud. UIDAI could limit the use of physical copies; however, doing so would deprive beneficiaries if authentication fails. Second, Aadhaar numbers are supposed to be secret: using physical copies encourages that number to be revealed and used publicly. For the UIDAI whose aim is speedy enrollment and provision of services despite authentication failure, there is no incentive to stop the use of printed Aadhaar numbers.

Data security has also been weakened because institutions using Aadhaar for authentication have not met the standards for processing and storing data. Last year, UIDAI had to get more than 200 Central and State government departments, including educational institutes, to remove lists of Aadhaar beneficiaries, along with their names, addresses, and Aadhaar numbers, that had been uploaded and made available on their public websites.

Securing Aadhaar
Can Aadhaar be secured? Not without significant institutional reforms, no. Aadhaar does not have an independent threat-analyzing agency: securing biometric data that has been collected falls under the purview of UIDAI. The agency does not have a Chief Information Officer (CIO) and has no defined standard operating procedures for data leakages and security breaches. Demographic information linked to an Aadhaar number, made available to private parties during authentication, are already being collected and stored externally by those parties; the UIDAI has no legal power or regulatory mechanism to prevent this. The existence of parallel databases means that biometric and demographic information is increasingly scattered among government departments and private companies, many of whom have little conception of, or incentive to ensure data security.

Second order tasks of oversight and regulatory enforcement serve a critical function in creating accountability. Although UIDAI has issued legally-enforceable rules, there is no monitoring or enforcement agency, either within UIDAI or without, to see if these rules are being followed. For example, an audit of enrollment centers revealed that UIDAI had no way of knowing if operators were retaining biometrics nor for how long.

UIDAI has also neither adopted, nor encouraged reporting of software vulnerabilities or testing enrollment hardware. Reporting of security vulnerabilities provides learning opportunities and improves coordination; security researchers can fulfill the critical task of enabling institutions to identify failures, allowing  incremental improvements to the system. But far from encouraging such security research, UIDAI has filed FIRs against researchers and reporters that uncovered flaws in the Aadhaar ecosystem.

As controversies over its ability to keep its data secure have grown, the agency has stuck to its aggressive stance, vehemently refuting any suggestion of the vulnerabilities in the Aadhaar apparatus. This attitude is perplexing given the number of data breaches and procedural gaps that are being uncovered every day. UIDAI is so confident of its security that it filed an affidavit before the Supreme Court in the Aadhaar case which claims that the data cannot be hacked or breached. UIDAI's defiance of their own patchy record hardly provides much cause for confidence.

The Way Forward 
The current Aadhaar regime is structured to radically centralize the implementation of Indian government and private digital authentication systems. But a credible national identity system cannot be created by an opaque, unaccountable centralized agency that chooses not to follow democratic procedures when creating its rules. It would have made more sense to confine UIDAI's role to maintaining the legal structure that secures the individual right over their data, enforces contracts, ensures liability for data breaches, and performs dispute resolution. In that way, the jurisdictional authority of UIDAI would be limited to tasks where competition cannot be an organizing principle.
The present scheme has created a market of institutions that use Aadhaar for authentication of identity in the provision of services with varying degree of transparency and privacy. The central control of the scheme is too rigid in some ways, as the bureaucratic structure of Aadhaar does not facilitate adaptation to security threats, or allow vendors or private companies to improve data protection practices. Yet in other ways, it is not strong enough, given the security lapses that it has enabled by giving multiple parties free access to the Aadhaar database.
By making Aadhaar mandatory, UIDAI has taken away the right of individuals to exit these unsatisfactory arrangements. The coercive measures taken by the State to encourage the adoption of Aadhaar have introduced new risks to individuals' data and national security. Even the efficiency argument has fallen flat, as it is negated by the unreliability of Aadhaar authentication. The tragedy of Aadhaar is that not only does it fail to generate efficiency and justice, but also introduces significant economic and social costs.

All in all, it's hard to see how this mess can be fixed without scrapping the system and—perhaps—starting again from scratch. As drastic as that sounds, the current Supreme Court challenge may, ironically, provide a golden opportunity to revamp the fatally flawed existing institutional arrangements behind Aadhaar, and provide the Indian government with a fresh opportunity to learn from the mistakes that brought it to this point.

12907 - Aadhaar Articles Dated 28th February 2018



EFF
The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August's ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge ...






Business Line
The next screen will ask your name as in the Aadhaar card. (If you don't have Aadhaar, you can complete your KYC through Passport, Voter ID,Driving Licence or NREGA Job Card.) In the next screen, you will have to enter the Aadhaar OTP received in your mobile. Once you enter the OTP, the next ...



Moneycontrol.com
If you are carrying a smartphone, you can link your EPF account with Aadhaar easily. ... The Employees' Provident Fund Organisation (EPFO) has now introduced UAN-Aadhaar linking facility for members through the UMANG Mobile ... To link your Aadhaar you need to click on the 'eKYC Services' tab.



Economic Times
"Out of 23 crore ration cards in the country, 82 per cent (19 crore) are linked with Aadhaar. We have removed 2.95 crore fake or duplicate ration cards in the country in the past three years which has resulted in a saving of Rs 17,000 crore annually. It has ensured that foodgrains are being delivered to the ...



Moneycontrol.com
The government is planning to link driving licences with Aadhaar number in order to weed out fake licences.






NDTV
Want to change the information displayed on your Aadhaar profile on DigiLocker? Well, subscribers can now easily store their Aadhaar card with DigiLocker and in case he/she wants to make any changes to this data, it is advisable to visit nearest Aadhaar enrolment center, said official twitter handle of ...






Business Today
Tomorrow is the last day for mandatory KYC-compliance by prepaid wallet customers and the Reserve Bank of India (RBI) has refused to extend the deadline a second time saying "sufficient time has already been given to meet the prescribed guidelines". To remind you, the 55 non-banking prepaid ...



Times of India
HYDERABAD: A French security researcher on Monday breached the Telangana government benefit disbursement portal 'TSPost' and lay bare its vulnerabilities. The portal has account details including Aadhaar numbers of 56 lakh beneficiaries of NREGA (National Rural Employment Guarantee ...



Times of India
“Everyone asks to see our Aadhaar cards. We do not have access to any government benefit because we do not have valid identity proof. Without an education, what chance does my child really have?” asks the 30-year-old as she pulls out a tattered box containing her most valuable possessions.






Times of India
New Delhi, Feb 27: IT and Law Minister Ravi Shankar Prasad today said he is in talks with Union Minister Nitin Gadkari to expedite the process of linking motor vehicle driving licences with biometric identifier Aadhaar. "I am talking with Nitin Gadkari ji to finalise the linking up all the motor vehicle driving ...






Times of India
NAGPUR: Aadhaar registration of newborns at Daga Memorial Hospital has stopped even as only 192 children were registered for Aadhaar since the pilot project began in April 2017 in collaboration with state health department, said medical superintendent Seema Parvekar. Over 1,200 deliveries take ...






Moneycontrol.com
IT and Law Minister Ravi Shankar Prasad said he is in talks with Union Minister Nitin Gadkari to expedite the process of linking motor vehicle driving licences with biometric identifier Aadhaar. "I am talking with Nitin Gadkari ji to finalise the linking up all the motor vehicle driving licences with Aadhaar," ...






Times of India
In her complaint, Mridula told officers that she got a call on her mobile phone from an unknown number and the caller told her that he will help her link her Aadhaar card with her bank account. “He asked me about my card details and after I gave him the information, he asked my mobile phone number for ...






MediaNama.com
Bangalore-based payments solutions company Ezetap has launched an open-platform, GPRS based point-of-sale (PoS) terminal called EzeSmart, which is Aadhaar Pay enabled and has eKYC (Know Your Customer) authentication option as well. EzeSmart also supports other payment modes such as ...






Hindustan Times
In a world where giving a unique identity to each citizen remains the avowed mission of the establishment, those unable to get the Aadhaar card themselves — even for reasons not under their control — are paying a heavy price. Consider this: Vijay Dhamija, 26, a resident of Ganaur block, in Sonepat, ...






Firstpost
Mumbai: The Bombay High Court has refused to defer the 31 March deadline imposed by the Union government for linking Aadhaar to ration card. A bench of justices Shantanu Kemkar and Rajesh Ketkar, however, directed the Maharashtra government to look into the grievances of technological ...

12906 - French Security Researcher Lays Bare Aadhaar Details Of Lakhs Of People In Telangana - OutLook India

https://www.outlookindia.com/website/story/french-security-researcher-lays-bare-aadhaar-details-of-lakhs-of-people-in-telan/308865

Amid raging debate surrounding Aadhaar data security, another major breach has come to light.
A French security researcher Baptiste Robert, who goes by 'Elliot Alderson' on twitter, on Sunday lay open Telangana government's benefit disbursement portal 'TSPost' exposing biometric details of a huge number of beneficiaries.
The portal had account details including the Aadhaar numbers of 56 lakh beneficiaries of NREGA and 40 lakh of social security pension (SSP), reported Times of India.
Elliot used a basic hacking technique to break through the security wall. "In theory, a government website is very secure but in #India it's another story... http://tspost.aponline.gov.in is vulnerable to a basic SQL (structured query language) injection," he wrote on twitter.
"To be clear, all the data on this website can be a dump. Telangana government officials say they are working on to fix it. For this website, they have to hire decent web developers to protect it from attacks," he further added.
The researcher said that he tweeted the breach only after a "reasonable delay" after reporting the matter to the site owners.
The site officials, however, fixed the breach by putting the system in offline mode. Elliot tweeted in the evening: "I don't know if I have to laugh or cry. http://tspost.aponline.gov.in owners fixed the issue by putting offline the website."
A TSPost official, while talking to the paper, said that the site is expected to get back by Tuesday evening.
This comes at a time when several data breaches have been reported from different quarters of the country.
An investigative report titled "Rs 500, 10 minutes, and you have access to billion Aadhaar details" by The Tribune had revealed that details of Aadhaar are easily accessible, that too just by paying Rs 500.
According to the newspaper, its reporter purchased a service by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running a racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI, the Aadhaar issuing body.