CoWIN Data Breach

Data was never secure in today's world.
Correct
But governments need some form of law that applies to every entity and is liable for action. That's my opinion.
So the thinking is if someone is liable for action they will take extra care that this does not happen.

But as you already admitted it's not 100%. So what happens? You never hear of it.

Why? Because the ransoms get paid. Most of the time.

Which means, profitable business compared to govt goes nya nya, I don't care.
It reminds me of something similar about AADHAAR Database and Koo App DB being weak and data publicly accessible, that happened a few years back and was reported by Elliot Alderson, the French WH Hacker
The fear that Aadhaar would get hacked is people thought it would lead to identity theft. Any cases of this identity theft happening in India to date?

Must be eight years now that Aadhaar is in service.
 
Yeah, let's have some more of that thinking out loud from others and less of the gratuitous govt bashing
Honestly - what will it achieve? Over time, I have seen all parties (pick any) do not care about this at all. I have seen data leaks in almost every govt, be it state or centre, no matter what party. What we really need is all-party consensus and a fast track to a data protection bill that has real consequences. Which will never happen.
 
> Honestly - what will it achieve? Over time, I have seen all parties (pick any) do not care about this at all. I have seen data leaks in almost every govt, be it state or centre, no matter what party. What we really need is all-party consensus and a fast track to a data protection bill that has real consequences. Which will never happen.

What are your expectations for such a bill? It gets held up as the holy grail to everything data.

It's not going to stop theft. It will reduce it.

What advantages do countries mostly in the EU have over us with their data protection bill?
 
@blr_p
> Any cases of this identity theft happening in India to date?

There have been reports on those lines.

For eg.:



 
If private entities in EU leak data, there are heavy fines.
Leaking becomes harder. What about hacks? Those will happen.
> @blr_p
> > Any cases of this identity theft happening in India to date?
>
> There have been reports on those lines.

OK, let's look at these. There is one case of money being withdrawn and the other is about opening accounts. I find the second one less important if your Aadhaar data is leaked.

So we are left with just one link.

> For eg.:

I was wondering how with just Aadhaar info money can be withdrawn.

Aadhaar-enabled Payment Services (AePS) is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication. The model removes the need for OTPs, bank account details, and other financial details. It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment, according to the National Payments Corporation of India (NPCI).
There's your hole right there.

The fix is to ensure none of your accounts qualify for this AePS business.

Or, to put it in plain English, the Aadhaar card should not be used/enabled to work as an ATM card.
 
I have locked both the Aadhaar and Biometric. I would use the Virtual ID instead. You can generate a new one from time to time.
 
Where do you use your VID?
I've generated a VID too, but all forms only have space for the 12-digit Aadhaar and not the 16-digit VID.
Well, the VID is supposed to be only a proxy for the actual Aadhaar number when used for Aadhaar-based authentication.
It is not supposed to replace the Aadhaar number where it is being asked for as POI, as the VID can be changed at any time.
Locking the Aadhaar and Biometric is "supposed" to prevent unauthorized usage. You can still go ahead and provide the Aadhaar number as POI.
 
Seems I missed some basics. This is the bloody opposition jumping up and down and making their usual noises. Not a single govt source in any of those reports.

Pro tip, dude. If the govt didn't say it then it's worth nothing.


In my personal opinion it looks to be very, very premature to confirm that a data breach has happened, because when such big systems are in place in India, I would say the most data-rich country in the world, and we are managing the largest database anywhere in the world, 1.3 billion Aadhaar card data, a similar amount of vaccination details and so many government programs going on, so we handled a huge amount of data, and that is not something on an Excel sheet or scattered where anybody can come and access it. So any database has a lot of security around it, multiple layers of security, multiple access control checks before someone can try to access the data. So if really someone can prove that this data has gone out, it is a big, big problem for the overall security and data sovereignty of the country.

In other words, we don't know the extent of this so-called breach. But the impression I got is the entire shebang was out there. WHERE IS THE PROOF OF THAT?

There is a difference between a data breach and a few records. Has anyone seen the number of records that have come out? no

It's on the dark net bla bla, so someone must have a copy and done a basic count right.
They will just deny that there is a breach and go on as if nothing happened. No consequences for govt or pvt parties as there are no data protection laws in India.
No, first confirm the extent, then we can decide whether it's a breach or not. No need to be cynical.

Anyone can do a select this and select that query and get a dump. How big is it?
 
> In other words, we don't know the extent of this so-called breach. But the impression I got is the entire shebang was out there. WHERE IS THE PROOF OF THAT?
>
> There is a difference between a data breach and a few records. Has anyone seen the number of records that have come out? no
>
> It's on the dark net bla bla, so someone must have a copy and done a basic count right.
I am not pro government in matters of data policies they have taken or not taken. But on this, I agree with you.

One major thing that most people have overlooked is that all the bots on Telegram must have "bot" suffixed to their names. The name of the bot in the screenshot that went viral claiming the CoWIN leak doesn't have that. It fails the first test of veracity.

It would be wise to let the excitement surrounding it settle down first.
 

From article:

The Telegram bot was giving out information breached earlier as suggested by the Minister of State in his Twitter post. This begs the question on if there was a previous breach which went unreported.

Authorized users could access the database based on OTPs. It is possible that the breach could have happened after the authorized user accessed such data.

Third-party apps have API-based access to this data, again based on beneficiary OTP. They could have gained access to the data through some vulnerabilities.
 
I don't know if the Govt does any bug bounty program. If not, they should at least do it in a closed space. These hunters are mostly Indian college kids who can do a better job identifying security issues than any big consulting companies working for the Govt.
 

 
^^
I hope it was not a one-time activity.

With regards to this breach, it's hard to judge or assess when we don't even know if/how/when the breach actually happened. Govt should make the citizens aware of such incidents and provide a comprehensive report of its actions; it should not be intertwined with politics as it impacts everyone.

But in the current setup, are they even legally obligated to notify its citizens? If yes, what is the criteria?
 
Seems to be a bit more informative article on how the data leak happened.


"...There can be more sophisticated forms of hacking, including through architectural vulnerabilities in the application programming interface or API. Programmes exchange information with each other through APIs. An expert noted that an app or a service used by anyone to update hospitals’ vaccine data can act as such a gateway.

A person writing on the Telegram group HT saw said that they had once secured the credentials to such API authorised to draw data from CoWIN.

Thus while drawing data in this manner does not promote the method to hacking, it does mean that the database is wholly or partially available for replication.

This would also need less technical prowess than a full blown hacking..."

Also, seriously concerning...!!! :

"...If any Aadhaar center operators are colluding gangs like this (remember 60k plus operator blacklisting by UIDAI in the past) only a phone number change is enough to take over your identity
You might own a shell company doing tax evasions..."

Hope the entire system evolves better after these kinds of revelations.
 
> With regards to this breach, it's hard to judge or assess when we don't even know if/how/when the breach actually happened. Govt should make the citizens aware of such incidents

Which will take time given the scope of the system.

> and provide a comprehensive report of its actions,

I doubt we'll see that as it likely will be confidential. Only for the people in charge. We might get some declassified summary.

> it should not be intertwined with politics as it impacts everyone.

No choice, anything the govt is involved in becomes fair grounds for the opposition to weigh in on. Which they do, talking nonsense because they are unaccountable.

This is why the pandemic coverage was so contentious and not just in this country. It was contentious only if you did not apply the proper filters otherwise things were fairly clear.
> But in the current setup, are they even legally obligated to notify its citizens? If yes, what is the criteria?

They say what happened in their own time and what remedial measures are being taken. Or they are more discreet, as that also serves a purpose when it comes to security.

> Thus while drawing data in this manner does not promote the method to hacking, it does mean that the database is wholly or partially available for replication.

This is more a conjecture than a statement of fact.

> "...If any Aadhaar center operators are colluding gangs like this (remember 60k plus operator blacklisting by UIDAI in the past) only a phone number change is enough to take over your identity
> You might own a shell company doing tax evasions..."

We need to go more into depth as to what the consequences of an Aadhaar number being out there actually are.

Right now, there is less of an idea and more fear.

Is that bolded bit even possible?

A while back someone told me if your PAN card number is known, people can take a loan with it. When I enquired as to the feasibility of this, I was informed it was not possible at all. In any case, taking out loans means you need to put up some sort of collateral and only after will the loan be disbursed.
 