Aadhaar website has basic security flaws, blogs Aussie expert

Status
Not open for further replies.

prasad1

Active member
Australian information security expert Troy Hunt on Thursday pointed out a bunch of basic security flaws with the Aadhaar website uidai.gov.in. These included a vulnerability to "man in the middle attacks," outdated security certificates, and inadequate encryption of data.


In a blog post titled "Is India's Aadhaar System Really 'Hack-Proof'? Assessing a Publicly Observable Security Posture," Hunt clarified that he wasn't against the idea of Aadhaar, but he said the agency's "attitude of 'there cannot possibly be a security problem' is reckless and needs redressing."



On analysing the website, Hunt found that it blocked certain users based on their geographical location (a feature known as geo-blocking). Hunt says this can keep basic unauthorised automated attacks out but is a weak measure that is "easily circumvented." He also found the website vulnerable to what are called "man in the middle" or MitM attacks.

These attacks typically involve a hacker taking advantage of the gaps in security when data travels from an access point to the website server. Another security concern Hunt flagged was the security certificate being used by the Aadhaar website. The one currently in use is due to expire for those using the Chrome browser in March this year.



"Aadhaar is complex and it will have flaws just like any other complex software product does. Some of them may be quite serious and they must be treated as such. That will require an open and receptive attitude from the government and above all, acknowledgment that Aadhaar is not 'hack-proof,'" Hunt wrote, exhorting the Indian government to "move the needle in the right direction" in securing Aadhaar while appreciating the UIDAI's move to introduce virtual tokens.



Hunt is a regional director with Microsoft and regularly holds workshops and hosts courses on information security. He is also the person behind the popular website haveibeenpwned.com where users can key in their email address to see if it has been compromised.

https://timesofindia.indiatimes.com...-blogs-aussie-expert/articleshow/62465993.cms
 
Adding 16 digit virtual ID is good...But here too some 300 million people are illiterate..How will they use virtual ID..They would require some help..The ID can be compromised..I am against linking anything & everything with Aadhaar...It will open a Pandora's box...We already have the Airtel case which opened Bank account of its subscribers who went for Aadhaar based SIM verification!!
 
"Aadhaar" has become a plaything in the hands of Government. Every day a change is proposed by one Ministry or other in its operation. The common law-abiding citizen is tired of running from pillar to post to get his Aadhaar usage updated!

The Government, which started with the good idea of abolishing excess paperwork, has now transferred the burden to the people.

It is time that PMO should look into the working of Aadhaar and set right the working once and for all.

Brahmanyan
Bangalore.
 
hi
?
India likes to follow ....looks like social security number in USA....is it safe Aadhaar number in India?.....
 
hi
?
India likes to follow ....looks like social security number in USA....is it safe Aadhaar number in India?.....

Most of the Western countries and the USA follow well established social security procedures. Dr Manmohan Singh's Government introduced Aadhaar under the able guidance of Mr Nandan Nilekani. But they were introducing Aadhaar in a phased manner. When the present Government was in a hurry to introduce Aadhaar for all welfare schemes of Government, the trouble started. Now they are changing the procedures by introducing Virtual ID, which will put pressure on the public.

Brahmanyan
Bangalore.
 
Virtual ID: another Aadhaar eyewash?


The Unique Identity Authority of India's (UIDAI) move to build a firewall around Aadhaar with a virtual ID, or VID, may not solve the problems of misuse, leakage and theft of data which are increasingly associated with the identity marker. The move is a response to the persistent criticism of Aadhaar's technical vulnerability and proneness to misuse. There have been several cases of breach of privacy, with the data of people stored in the Aadhaar system coming into the public space or being misused for unauthorised purposes. The credibility of the system and the ability of the UIDAI to effectively address all security challenges came to be seriously questioned last week when a case was registered against a newspaper which exposed how easy it was to procure anyone's Aadhaar data for a meagre consideration. The authority now says virtual IDs, authentication tokens and the tiered KYC requirements will ensure fool-proof security.

Virtual ID is a 16-digit random number which the Aadhaar-holder can generate and use in place of his UID. The idea of this shadow ID has come too late, and may not ultimately amount to much. It adds another layer of complexity, an extra need for communication to generate the virtual ID every time it is needed, and generally confuses the user. About 120 crore people have been issued Aadhaar cards, and many millions have already shared their details with service providers. Since several databases have already been linked to Aadhaar, the possibility of misuse and the resulting vulnerability continues even now. And it will not go away with VID. Illiterate and barely literate people will not be able to get a VID produced easily. There is even a suggestion, though not from the government, that all the existing Aadhaar numbers should be replaced with new numbers which should be better protected with fail-safe measures. That shows the enormity of the problems we are faced with now.


Even the best technical systems are not invulnerable, and the way they are used and managed can make them more vulnerable. There is no system that can withstand attacks by determined hackers. In the case of Aadhaar, the government's authoritarian approach, coercive tactics, use of deadlines and opaqueness of intentions have created serious doubts. The absence of a privacy and data protection law in the country has made it worse. The latest steps have come soon after the government told the Supreme Court in an affidavit that Aadhaar is completely safe. Was that affidavit wrong then? Are the steps now being taken merely another eyewash, only intended to convince the court, before this week's likely hearing on the matter, that the government is doing everything to secure Aadhaar data?

http://www.deccanherald.com/content/653977/virtual-id-another-aadhaar-eyewash.html
 
The aggressive response of the Unique Identification Authority of India (UIDAI) to a journalistic expose of the flaws and vulnerability of the Aadhaar architecture shows that the concern of the authority is to prevent any such disclosures and punish those who make them. Ideally, it should be investigating any such failing which has come to light and taking action against those who actually compromised the system. A recent report in the newspaper The Tribune showed how easy it is to get at the so-called confidential information on our Aadhaar cards. The report said that it took just 500 rupees and 10 minutes for the correspondent to get a login name and password, gain entry into the Aadhaar portal and access the particulars of any individual. The money was paid to a group running a racket related to Aadhaar. The UIDAI has filed an FIR against the newspaper and the reporter but skirted the issue brought to the fore by the report.


The two issues that have dominated the debate on Aadhaar are privacy and security of data. They are interrelated. Despite repeated claims by the UIDAI and the government, doubts over these issues have not been cleared. This is not the first time that a security breach has been noticed. Last year, the Aadhaar numbers along with bank details of a large number of people were leaked through government portals. The UIDAI says that biometric data was not accessed though the reporter could obtain demographic data. But no Aadhaar detail should be available to unauthorised persons. The dangers of such access were seen recently when Aadhaar data was misused by a telecom company. Neither should the government and UIDAI forget that the constitutional validity of Aadhaar is still to be finally decided by the Supreme Court.

http://www.deccanherald.com/content/652857/uidai-dont-shoot-messenger.html
 