Aadhaar bio-metrics is completely broken now?

Status
Not open for further replies.
I don't buy that story about grievance redressal system being abused. In Hyderabad itself, I am seeing unauthorized aadhaar services providers sprouting all over the place. It looks like they are obtaining credentials as an enrollment agent and using that to set up these businesses. Typically, they are offering services like linking phone number, update of aadhar details, printing PVC aadhar cards etc. In fact many of them are not even dedicated centers and just running it as a side business along with some other unrelated main business. Technically, they should be able to even enroll people if they have the rest of the equipment. Some time back, some people in UP were caught running unauthorized enrollment centers using similarly obtained credentials.

UIDAI and govt has been suppressing these sort of incidents. There are a lot of shady things going on. Just a few weeks back, there was a news item about how a person did not get enrolled because his fingerprint was matching with 6 other people in the system. He then went and brought all those people to the UIDAI. There are a lot of unanswered questions around it, like how did 6 enrollments with matching fingerprints still exist in the system despite a massive purge and how this person got details of the people with whom his fingerprints were matching.
 
Typically, they are offering services like linking phone number, update of aadhar details, printing PVC aadhar cards etc.
Nothing wrong with this. When trying to move an entire country online there are many people who cannot do any of this on their own.

I don't buy that story about grievance redressal system being abused.
Why not, that's how the think tank obtained the info. Documented by an independent third party.

In fact many of them are not even dedicated centers and just running it as a side business along with some other unrelated main business. Technically, they should be able to even enroll people if they have the rest of the equipment. Some time back, some people in UP were caught running unauthorized enrollment centers using similarly obtained credentials.
The way I've understood it is you need a token to get an appointment at a registered centre. Only a fixed number are given each day. These guys send their runners to stand in the line early in the morning. If you pay these people to get aadhar, they get you an appointment slip which you then take to an authorised centre. I'd have preferred if these guys came over but you have to go in person to the centre to get enrolled. Some might have tried to do it but it's easy to catch them.

UIDAI and govt has been suppressing these sort of incidents. There are a lot of shady things going on. Just a few weeks back, there was a news item about how a person did not get enrolled because his fingerprint was matching with 6 other people in the system. He then went and brought all those people to the UIDAI. There are a lot of unanswered questions around it, like how did 6 enrollments with matching fingerprints still exist in the system despite a massive purge and how this person got details of the people with whom his fingerprints were matching.
Manual workers aren't going to have usable fingerprints or let's say they won't get a proper match. Maybe they have to use the best finger in that case. But these are exceptions.

As for incidents you only have to look at how the rest of the world deals with break-ins. Same way isn't it. You never hear about it because of the panic that always ensues. Take Yahoo, I've been with them since they began, still am. Their breach only got revealed more than a year after it happened. Everybody said they were sinking and bailed out. I didn't bother.

Figured half a billion accounts got compromised. Odds of winning the jackpot in the UK lottery are half that. So risk is real low. I never changed my password for over a year until one fine day Yahoo said I couldn't access my mail unless I changed my password.

What I'm saying is if anything happens we'll deal with it, online has been a thing for well over two decades now.
 
Nothing wrong with this. When trying to move an entire country online there are many people who cannot do any of this on their own.

Are you saying that there is nothing wrong about people obtaining unauthorized access to the Aadhar systems and using that to run business? Just to be on the same page, none of these people are using the public aadhar portal in case you are thinking they use that for these services. You cannot link phone number from the public portal. You can only change the phone number and that too when you have access to the existing number and new number to get OTP. To link phone number to aadhar for the first time or when you lost the number, you need to go to an authorized aadhar center who have the credentials to initiate that process. These unauthorized centers offer services like these too.

Why not, that's how the think tank obtained the info. Documented by an independent third party.

I am talking about the way that illegal aadhar centers are getting their enrollment agent credentials. I doubt the grievance redressal system has anything to do with it. Maybe there were some cases where it was used to gain access to data, but I am not referring to that. Even the Tribune reporter who exposed the Aadhaar credentials sale on seems to have obtained access credentials like those the people running unauthorized aadhaar services are using.

The way I've understood it is you need a token to get an appointment at a registered centre. Only a fixed number are given each day. These guys send their runners to stand in the line early in the morning. If you pay these people to get aadhar, they get you an appointment slip which you then take to an authorised centre. I'd have preferred if these guys came over but you have to go in person to the centre to get enrolled. Some might have tried to do it but it's easy to catch them.

No, I am talking about actual enrollments happening with unauthorized access. In Telangana, Aadhaar enrollment is authorized only at banks, Mee Seva centers and some dedicated centers. However there are other unauthorized people doing enrollment services. They would even come to your home for the enrollment process if you are ready to pay the fee.

This is old news from 2016, but I see similar centers every where in Hyderabad.

https://www.deccanchronicle.com/nat...aar-centres-spring-up-all-over-telangana.html


Manual workers aren't going to have usable fingerprints or let's say they won't get a proper match. Maybe they have to use the best finger in that case. But these are exceptions.

UIDAI performed an exercise in which all incomplete, duplicate enrollments were deleted. The purge was also supposed to have cleared all the records where fingerprints were matching with another record. After that, the enrollment happens only if fingerprints do not match with anybody in the database. This guy got his enrollment rejected because his fingerprints matched 6 people. So, why are there 6 sets of people with matching fingerprints? Secondly, how did he obtain the details of the people whose fingerprints were matching? I doubt any authorized center would provide you the list of names and addresses whose fingerprints were matching. Yet, he visited these people and got them to the UIDAI offices to show that they are distinct people.

As for incidents you only have to look at how the rest of the world deals with break-ins. Same way isn't it. You never hear about it because of the panic that always ensues. Take Yahoo, I've been with them since they began, still am. Their breach only got revealed more than a year after it happened. Everybody said they were sinking and bailed out. I didn't bother.

Figured half a billion accounts got compromised. Odds of winning the jackpot in the UK lottery are half that. So risk is real low. I never changed my password for over a year until one fine day Yahoo said I couldn't access my mail unless I changed my password.

What I'm saying is if anything happens we'll deal with it, online has been a thing for well over two decades now.

If how the rest of the world deals with things is a baseline to go by, then US govt does not collect bio-metric data on citizens, UK killed their bio-metric data collection program because of potential security concerns.

The biggest problem here is the false perception of reliability. These people have regularly used words like unbreakable and hacker proof when such words have no place in security world.

In a crime scenario, if someone's fingerprints are found on a murder weapon, nobody is going to consider the possibility that they might have been cleverly planted. Unless you have a solid alibi, they will be considered the culprit. This is no different. Take this very example. If you are one of the beneficiaries and the records show that you already received rations and the transaction was authenticated through fingerprint, who is ever going to believe you if you say that you didn't do that transaction? Similarly Aadhaar can be used for banking transactions (AEPS, AadhaarPay). If somebody swipes money from your account and the transaction was authenticated via bio-metrics, is anybody going to believe the possibility that there was foul play?
 
They're obviously trying to cover it up for their gain
 
It looks like the fingerprints in question were taken from the state PDS system and used to authenticate with aadhaar. It's weird how UIDAI says that this is no different than forging signatures. Then what is the purpose of using fingerprints? Now that the details of beneficiaries including fingerprints are out in the open to be abused, how do these people reset their bio-metrics? The govt's solution for this probably will be to exclude them from all schemes since their data is compromised. A secure bio-metric system should not allow any inputs other than from a live person. Some secure scanners even check for blood flow and body vitals to ensure that a dead person's finger is not being used.

https://twitter.com/UIDAI/status/960057593027637249

https://tech.economictimes.indiatim...ent-money-withdrawal-through-aadhaar/62814917

Govt admits to fraudulent money withdrawals using Aadhar. The scale is probably much higher than just this.

https://scroll.in/article/867875/fi...om-just-the-last-week-that-should-disturb-you
 
Are you saying that there is nothing wrong about people obtaining unauthorized access to the Aadhar systems and using that to run business? Just to be on the same page, none of these people are using the public aadhar portal in case you are thinking they use that for these services. You cannot link phone number from the public portal. You can only change the phone number and that too when you have access to the existing number and new number to get OTP. To link phone number to aadhar for the first time or when you lost the number, you need to go to an authorized aadhar center who have the credentials to initiate that process. These unauthorized centers offer services like these too.
Am referring to enrollment, which is what I thought you meant. Cannot enroll unless authorised.

I am talking about the way that illegal aadhar centers are getting their enrollment agent credentials. I doubt the grievance redressal system has anything to do with it. Maybe there were some cases where it was used to gain access to data, but I am not referring to that. Even the Tribune reporter who exposed the Aadhaar credentials sale on seems to have obtained access credentials like those the people running unauthorized aadhaar services are using.
I don't understand this. If they satisfy the requirements to be agents then what illegal things are they doing ?

No, I am talking about actual enrollments happening with unauthorized access. In Telangana, Aadhaar enrollment is authorized only at banks, Mee Seva centers and some dedicated centers. However there are other unauthorized people doing enrollment services. They would even come to your home for the enrollment process if you are ready to pay the fee.

This is old news from 2016, but I see similar centers every where in Hyderabad.

https://www.deccanchronicle.com/nat...aar-centres-spring-up-all-over-telangana.html
Heh, must be old news because I was looking for exactly people like this a while back to save the hassle of waiting in line but nobody could recommend any. In the end had to go to a bank or authorised centre. I thought this is the way it is everywhere in the country.


UIDAI performed an exercise in which all incomplete, duplicate enrollments were deleted. The purge was also supposed to have cleared all the records where fingerprints were matching with another record. After that, the enrollment happens only if fingerprints do not match with anybody in the database. This guy got his enrollment rejected because his fingerprints matched 6 people. So, why are there 6 sets of people with matching fingerprints? Secondly, how did he obtain the details of the people whose fingerprints were matching? I doubt any authorized center would provide you the list of names and addresses whose fingerprints were matching. Yet, he visited these people and got them to the UIDAI offices to show that they are distinct people.
Looks like they have some clean up to do. Should not be happening.

If how the rest of the world deals with things is a baseline to go by, then US govt does not collect bio-metric data on citizens, UK killed their bio-metric data collection program because of potential security concerns.

The biggest problem here is the false perception of reliability. These people have regularly used words like unbreakable and hacker proof when such words have no place in security world.

In a crime scenario, if someone's fingerprints are found on a murder weapon, nobody is going to consider the possibility that they might have been cleverly planted. Unless you have a solid alibi, they will be considered the culprit. This is no different. Take this very example. If you are one of the beneficiaries and the records show that you already received rations and the transaction was authenticated through fingerprint, who is ever going to believe you if you say that you didn't do that transaction? Similarly Aadhaar can be used for banking transactions (AEPS, AadhaarPay). If somebody swipes money from your account and the transaction was authenticated via bio-metrics, is anybody going to believe the possibility that there was foul play?
I have been against this system since 2007. Now they are forcing people into it. What am I to do? They won't let me file tax returns, and threaten to prevent access to my bank account or use of a phone. All this while a case winds its way through the Supreme Court.

As for the last para, can it be treated like with cards? Fraudulent transaction and whatever means of redressal exists? I expect there will be people playing around in the early stages, things will get better eventually.
 
I don't understand this. If they satisfy the requirements to be agents then what illegal things are they doing ?

They don't go through the standard process for registering as agent, which requires going through an exam in addition to paperwork. These illegal businesses either buy stolen credentials of some legitimate agent or get credentials created for them through operators like the ones that Tribune reporter got their access from. There is strong suspicion that UIDAI employees and govt employees with access to the systems are themselves facilitating these illicit operators. Whenever a breach gets reported, they sweep the issue under the carpet giving some excuse and then go on an access control drive. Even after the Tribune reporter reveal, access of 5000+ UIDAI and govt officers was restricted.

As for the last para, can it be treated like with cards? Fraudulent transaction and whatever means of redressal exists? I expect there will be people playing around in the early stages, things will get better eventually.

No, it's definitely not the same. As I said, bio-metrics gives a false sense of reliability. If a transaction has been authorized with fingerprints, what reasons do they have to even consider your complaint? They will promptly shut you out. SBI already operates this way even without bio-metrics. They believe that computer systems can't ever be wrong. Try dealing with SBI for a failed ATM withdrawal or fraudulent transaction. In fact, I expect things to get a lot worse in future.

UIDAI itself is very anti-people and refuses to help. Their first instinct is to suppress and shut out anybody making a complaint to defend their sloppy system. Their toll free number rarely works and even when it works, agents don't even want to talk to you.

Some time back, I had a problem with receipt of OTP on my mobile number. It was clearly their server problem based on the symptoms. One agent didn't even let me speak and rudely told me to call the number again and talk to somebody else and cut the call. Another agent hung up the call in the middle while I was explaining the problem. Apparently, there were a number of people facing this sort of problem and their standard response is to shut out the person complaining. One guy that I know was apparently told to switch to a different number. This is exactly what I had to end up doing to sort the problem.
 
Some time back, I had a problem with receipt of OTP on my mobile number. It was clearly their server problem based on the symptoms. One agent didn't even let me speak and rudely told me to call the number again and talk to somebody else and cut the call. Another agent hung up the call in the middle while I was explaining the problem. Apparently, there were a number of people facing this sort of problem and their standard response is to shut out the person complaining. One guy that I know was apparently told to switch to a different number. This is exactly what I had to end up doing to sort the problem.

This is the reason why such centers come up. No one wants the hassle of going and talking to extremely stupid government employees and coming back dejected. It's faster to just go to such centers where they will update your details in a few minutes for a small fee. There are some centers near my house and all of them do everything in minutes. Hardly any line or frustration. They charge 200 rupees though.
 
Yeah, the system is so insecure and devoid of support that I would not be surprised if somebody starts offering to fix back end server problems too. IMO, the whole system should be made open source.
 