Can De-Linking Aadhaar From Banks, E-Wallets Reduce Security Risks

With the Supreme Court declaring Section 57 of the Aadhaar Act as unconstitutional, it is no longer mandatory for bank account-holders, e-wallet users and mobile subscribers to use their Aadhaar number. Experts believe this is a landmark decision by the Supreme Court in relation to the overall cyber security landscape, which is increasing becoming complex. Hence, linking of Aadhaar to several accounts and confidential details raised the issue of privacy time and again.

India’s Aadhaar program, which has been criticised due to its centralization of sensitive biometric information, is now under fire from a different quarter. This time the possibility of a breach into the Aadhaar system has emerged from the end point—the enrolment system that was deployed across the country and managed by private entities responsible for collecting people’s biometric and demographic information.

A report by Huffington Post has revealed a vulnerability created by running a patch derived from an earlier, less secure version of the software. The vulnerability targets essential technical oversight for enrolment officers, allowing an individual to spoof the software’s login with a high quality photograph instead of an iris scan.

 enrolment officers (and their proxies) are now able to log in and run multiple versions of the software at the same time and at unauthorised locations.

In fact, those who have already linked their Aadhaar number with bank account and mobile numbers can delink it. Some banks have already started allowing customers to delink Aadhaar number from their account numbers and others will soon follow suit.

This ability of unauthorised users being able to access the enrolment system has in turn opened up three possibilities. First, a resident with an existing Aadhaar number can seek to obtain a duplicate Aadhaar for fraudulent activities. Second, the information of an existing Aadhaar user may be altered by an unauthorised enrolment operator. Third, a non-resident may obtain an Aadhaar number by submitting forged/falsified documents to one of these unauthorised enrolment agents

“The Supreme Court’s judgment around the constitutional validity of Aadhaar Act shall be seen as a milestone in the ongoing journey and not an end by any means. This judgment clarifies the voluntary usage of Aadhaar but in reality it preserves the core aspects by stopping leakage of public money to unscrupulous elements by mandating the use of Aadhaar for availing any government subsidies and benefits, as well as stopping the money laundering by mandating the linkage of PAN cards with the Aadhar,” said Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto.

Ramesh Mamgain, Area Vice President, India and SAARC Region, Commvault India said, “The Supreme Court of India has made the right decision by de-linking Aadhaar data from mobile phone and bank accounts. This will go a long way in protecting user data and ensuring that there are fewer risks in data leakages. However, private enterprises will need to get their act together quickly to migrate to GDPR norms and ensure that secondary data is managed securely across locations.”

Despite the amount of data leaks and growing privacy concerns, the Aadhaar Card scheme has enrolled 1.2 billion Indians and allowed a lot of people to access government services. Last year, in August, the Supreme Court declared that privacy was a fundamental right. Experts believe, minimizing the use of Aadhaar in private sector businesses and institutions will reduce the risk of identity theft and other forms of forgeries.