Tuesday, May 1, 2012

2548 - Competing security claims - Down to Earth



Experts claim that UID online authentication of identities through fingerprints is far from secure: it can be hijacked by inserting malicious software into the micro-ATMs, which can then be used to capture fingerprints. However, UID officials dismiss such possibilities, pointing out that the presence of malware would be detected by the servers to which the ATMs are linked.

One school of thought believes the smart card is, indeed, a smarter option. S K Sinha, senior technical director with the National Informatics Centre (NIC), explains that cards that use multi-factor authentication (MFA) are a better bet than those relying on fingerprints alone. MFA involves fingerprints, the authentication keys (the secret key or secure element built into an individual’s card that is used as a digital signature) and a PIN or password that is known only to the cardholder. Thus, the security features of the RSBY and PDS smart cards make them tamper-proof.


The PIN, which applies only to PDS cards, is not compulsory at this stage and is used only in exceptional cases where people do not have fingerprints, says Sinha, whose team developed the standards and technology for most of the government’s smart cards, from driving licences and e-passports to the RSBY health insurance and PDS cards. The acknowledged tech whiz heads the smart card technology division and NIC Certifying Authority in the Ministry of Communication and Information Technology.

This is how the smart card works: When an individual goes to a fair price shop, he/she presents the family PDS card. Both the family’s smart card and the fair price shop owner’s card are inserted in the smart card reader. The card reader/hand-held device has software that works only when both smart cards are inserted and a card-to-card negotiation takes place in which the cards authenticate each other. A similar process occurs with RSBY cards and hospitals. But Sinha admits that there are always concerns since there is the possibility of software attacks. “Some malware can stop the system from working, and we need to be ahead of such attacks,” he told Down To Earth. Malware attacks might, in the worst case, result in denial of service but would not allow false transactions to take place, as every transaction is digitally signed by the card holder’s secret key. And this is the strongest security that a smart card-based system provides over any other system.

However, he makes it clear that security is only a relative term. “A cyber system can either be weakly secure, moderately secure or strongly secure, but no one can claim that it is absolutely secure. Here, we are comparing a weakly secure (single factor authentication) and strongly secure (MFA-based) system.” Besides, what is strongly secure today, he admits, can prove to be weak tomorrow as hackers are always on the prowl.
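The card-to-card negotiation and per-transaction signing described above can be sketched as follows; this is an added example, not code from NIC or the article, and it shows why a record altered by terminal software is rejected rather than accepted. Assumptions: HMAC-SHA256 stands in for the card's digital signature, and the key layout (a shared scheme key plus a per-card key), the card IDs and the transaction format are all hypothetical.

```python
import hashlib
import hmac
import os

def mac(key, label, data):
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

class Card:
    """Toy card: keys stay inside the object, only MACs come out."""
    def __init__(self, card_id, scheme_key, card_key):
        self.card_id = card_id
        self._scheme_key = scheme_key  # shared by the scheme's cards (assumption)
        self._card_key = card_key      # unique per card (assumption)

    def respond(self, challenge):
        # Binding the card ID into the MAC stops a response being reflected.
        return mac(self._scheme_key, b"auth", self.card_id + challenge)

    def check_peer(self, peer_id, challenge, response):
        expected = mac(self._scheme_key, b"auth", peer_id + challenge)
        return hmac.compare_digest(expected, response)

    def sign(self, transaction):
        return mac(self._card_key, b"txn", transaction)

def mutual_auth(a, b):
    """Each card challenges the other with a fresh nonce."""
    na, nb = os.urandom(16), os.urandom(16)
    return (a.check_peer(b.card_id, na, b.respond(na)) and
            b.check_peer(a.card_id, nb, a.respond(nb)))

def backend_accepts(registered_keys, card_id, transaction, signature):
    """Server-side check: recompute the MAC with the key on record."""
    key = registered_keys.get(card_id)
    if key is None:
        return False
    return hmac.compare_digest(mac(key, b"txn", transaction), signature)

def demo():
    # All keys, IDs and the transaction record below are constructed samples.
    scheme_key, fam_key = os.urandom(32), os.urandom(32)
    family = Card(b"FAMILY-0001", scheme_key, fam_key)
    shop = Card(b"SHOP-0001", scheme_key, os.urandom(32))
    rogue = Card(b"SHOP-0001", os.urandom(32), os.urandom(32))  # wrong keys
    registered = {family.card_id: fam_key}
    txn = b"card=FAMILY-0001;item=rice;kg=5"
    sig = family.sign(txn)
    tampered = txn.replace(b"kg=5", b"kg=50")  # record altered in the terminal
    return {
        "genuine_pair": mutual_auth(family, shop),
        "rogue_shop_card": mutual_auth(family, rogue),
        "signed_txn": backend_accepts(registered, family.card_id, txn, sig),
        "tampered_txn": backend_accepts(registered, family.card_id, tampered, sig),
    }
```

Software on the reader can still refuse to relay messages, which is the denial-of-service case Sinha concedes.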