News CoWIN Data Breach

Status
Not open for further replies.
Data was never secure in today's world.
Correct
But governments need some form of law that applies to every entity and is liable for action. That's my opinion
So the thinking is if someone is liable for action they will take extra care that this does not happen.

But as you already admitted it's not 100%. So what happens? You never hear of it.

Why? Because the ransoms get paid. Most of the time.

Which means, profitable business compared to govt goes nya nya, i don't care.
It reminds me of something similar about AADHAAR Database and Koo App DB being weak and data publicly accessible, that happened a few years back and was reported by Elliot Alderson, the French WH Hacker
The fear that aadhar would get hacked is people thought it would lead to identity theft. Any cases of this identity theft happening in India to date?

Must be eight years now that aadhar is in service
 
Yeah, let's have some more of that thinking out loud from others and less of the gratuitous govt bashing
honestly - what will it achieve. Over time, I have seen all parties (pick any) do not care about this at all. I have seen data leaks in almost every govt be it state or centre no matter what party. What we really need is all party consensus and fast track to a data protection bill that has real consequences. Which will never happen.
 
honestly - what will it achieve. Over time, I have seen all parties (pick any) do not care about this at all. I have seen data leaks in almost every govt be it state or centre no matter what party. What we really need is all party consensus and fast track to a data protection bill that has real consequences. Which will never happen.
What are your expectations for such a bill? it gets held up as the holy grail to everything data.

It's not going to stop theft. It will reduce it.

What advantages do countries mostly in the EU have over us with their data protection bill?
 
@blr_p
> Any cases of this identity theft happening in India to date?

There have been reports on those lines.

For eg.:



 
  • Like
Reactions: blr_p
If private entities in EU leak data, there are heavy fines.
Leaking becomes harder what about hacks? those will happen
@blr_p
> Any cases of this identity theft happening in India to date?

There have been reports on those lines.
ok, let's look at these. There is one case of money being withdrawn and the other is about opening accounts. I find the second one less important if your aadhar data is leaked.

So we are left with just one link
For eg.:
I was wondering how with just aadhar info money can be withdrawn.

Aadhaar-enabled Payment Services (AePS) is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication. The model removes the need for OTPs, bank account details, and other financial details. It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment, according to the National Payments Corporation of India (NCPI).
There's your hole right there.

The fix is to ensure none of your accounts qualify for this AePS business.

Or to put it in plain English Aadhar card should not be used/enabled to work as an ATM card
 
Last edited:
I have locked both the Aadhar and Biometric. I would use the Virtual ID instead. You can generate a new one from time to time.
 
Where do you use your VID?
I've generated a VID too, but all forms only have space for the 12 digit aadhaar and not the 16 digit VID.
Well the VID is supposed to be only a proxy for the actual Aadhar number when used for aadhar based authentication.
It is not supposed to replace the Aadhar number where it is being asked as POI as the VID can be changed at any time.
Locking the Aadhar and Biometric is "supposed" to prevent unauthorized usage. You can still go ahead and provide the Aadhar number as POI.
 
Seems I missed some basics. This is the bloody opposition jumping up and down and making their usual noises. Not a single govt source in any of those reports.

Pro tip dude. If the govt didn't say it then its worth nothing.


in my my personal opinion it looks to be very very premature to confirm that data breach has happened because when such a big system are in place in India, I would say the most data rich country in the world and we are managing the largest database anywhere in the world, 1.3 billion aadhar card data, similar amount of vaccination details and so many government programs going on so we handled huge amount of the data and that is not something on an Excel sheet or scattered where anybody can come and access So any database has a lot of security around, multiple layers of Security, multiple Access Control checks before someone can try to access the data, So if really someone can prove that this data has gone out it is a big big problem for overall security and data sovereignty of the country.

In other words, we don't know the extent of this so-called breach. But the impression I got is the entire shebang was out there. WHERE IS THE PROOF OF THAT?

There is a difference between a data breach and a few records. Has anyone seen the number of records that have come out? no

It's on the dark net bla bla, so someone must have a copy and done a basic count right.
they will just deny that there is a breach and go on as if nothing happened. No consequences for govt or pvt parties as there are not data protection laws in india
No, first confirm the extent then we can decide whether it's a breach or not. No need to be cynical.

Anyone can do select this and select that query and get a dump. How big is it.
 
Last edited:
In other words, we don't know the extent of this so-called breach. But the impression I got is the entire shebang was out there. WHERE IS THE PROOF OF THAT?

There is a difference between a data breach and a few records. Has anyone seen the number of records that have come out? no

It's on the dark net bla bla, so someone must have a copy and done a basic count right.
I am not pro government in matters of data policies they have taken or not taken. But on this, I agree with you.

One major thing that most people have overlooked is that all the bots on telegram must have ”bot” suffixed to their names. The name of the bot in the screenshot that went viral claiming CoWin leak doesn’t have that. It fails the first test of veracity.

It would be wise to let the excitement surrounding it settle down first.
 
Last edited:
  • Like
Reactions: blr_p

From article:

The Telegram bot was giving out information breached earlier as suggested by the Minister of State in his Twitter post. This begs the question on if there was a previous breach which went unreported.

Authorized users could access the database based on OTPs. It is possible that the breach could have happened after the authorized user accessed such data.

Third-party apps have API-based access to this data, again based on beneficiary OTP. They could have gained access to the data through some vulnerabilities.
 
I don't know if the Govt does any Bug Bounty program. If not they should at least do it in closed space. These hunters are mostly Indian college kids who can do better job identifying security issues than any Big consulting companies working for the Govt.
 

 
^^
I hope it was not a onetime activity.

With regards to this breach, its hard to judge or assess when we don't even know If/how/when the breach actually happened. Govt should make the citizens aware of such incidents and provide a comprehensive report of its actions, it should not be intertwined with politics as it impacts everyone.

But in the current setup, are they even legally obligated to notify its citizens, if yes what is the criteria ?
 
  • Like
Reactions: Kaleen Bhaiya
Seems to be a bit more informative article on how data leak happened.


"...There can be more sophisticated forms of hacking, including through architectural vulnerabilities in the application programming interface or API. Programmes exchange information with each other through APIs. An expert noted that an app or a service used by any one to update hospitals’ vaccine data can act as such a gateway.

A person writing on the Telegram group HT saw said that they had once secured the credentials to such API authorised to draw data from CoWIN.

Thus while drawing data in this manner does not promote the method to hacking, it does mean that the database is wholly or partially available for replication.

This would also need less technical prowess than a full blown hacking..."

Also, seriously concerning...!!! :

"...If any Aadhaar center operators are colluding gangs like this (remember 60k plus operator blacklisting by UIDAI in the past) only a phone number change is enough to take over your identity
You might own a shell company doing tax evasions..."

Hope the entire system evolves better after these kind of revelations.
 
Last edited:
With regards to this breach, its hard to judge or assess when we don't even know If/how/when the breach actually happened. Govt should make the citizens aware of such incidents
Which will take time given the scope of the system
and provide a comprehensive report of its actions,
I doubt we'll see that as it likely will be confidential. Only for the people in charge. We might get some declassified summary.
it should not be intertwined with politics as it impacts everyone.
No choice, anything the govt is involved in becomes fair grounds for the opposition to weigh in on. Which they do talking nonsense because they are unaccountable.

This is why the pandemic coverage was so contentious and not just in this country. It was contentious only if you did not apply the proper filters otherwise things were fairly clear.
But in the current setup, are they even legally obligated to notify its citizens, if yes what is the criteria ?
They say what happened in their own time and what remedial measures are being taken. Or they are more discrete as that also serves a purpose when it comes to security.
Thus while drawing data in this manner does not promote the method to hacking, it does mean that the database is wholly or partially available for replication.
This is more a conjecture than a statement of fact
"...If any Aadhaar center operators are colluding gangs like this (remember 60k plus operator blacklisting by UIDAI in the past) only a phone number change is enough to take over your identity
You might own a shell company doing tax evasions..."
We need to go more into depth as to what the consequences of Aadhar number out there actually means.

Right now, there is less of an idea and more fear.

Is that bolded bit even possible?

A while back someone told me if your PAN card number is known, people can take a loan with it. When I enquired as to the feasibility of this was informed it was not possible at all. In any case, taking out loans means you need to put up some sort of collateral and only after will the loan be disbursed.
 
Last edited:
Status
Not open for further replies.