INDIA: 13-FEET WALLS NOT ENOUGH: STEALING YOUR AADHAAR DETAILS COSTS JUST RS 125

Anand Venkatanarayanan

 

That the central Aadhaar database has never been breached and can’t be breached is an often-made claim, especially by the Unique Identification Authority of India (UIDAI) and its CEO.

 

According to the UIDAI, sharing your Aadhaar number is also not an issue, since biometric authentication is required for misuse.

 

There is, however one place, where both Aadhaar numbers and fingerprint scans are available freely outside the central database — your local sub-registrar office.

 

If you have at any point of time been a buyer or seller of property (or even a witness), it is ridiculously easy for anyone who can access registered property documents to create their own Aadhaar database and then become “you”.

 

Last month, a SIM card distributor in Hyderabad discovered this by accident and managed to activate 6,000 SIMs using fingerprints and Aadhaar numbers harvested from property registration documents.

 

The modus operandi of the crime is devastating as it brings down the cost of stealing your identity to only Rs 125. It also can’t be stopped unless you are tech-savvy, which automatically leaves millions of Indians defenceless.

 

But how did a SIM card distributor possess the technological and financial means to create his own CIDR?

 

Obtaining Aadhaar and fingerprints

 

Property registration documents submitted in a sub-registrar’s office, by law, need to have the following information:

 

1) Names and addresses of buyers, sellers and witnesses.

2) Their fingerprints.

 

There are also states which ask for Aadhaar during property registration and also print them in the documents. These can be obtained by a simple Google search (as shown below). In some cases, you will find a few state governments leaking this data through an online dashboard (for example, Andhra Pradesh).

 

An example of how Aadhaar is asked for a deed of simple mortgage. The personal details in this deed have been blurred out by The Wire.

 

They also contain demographic information (like a scan of PAN copy) and fingerprints.

 

These fingerprints are merely a sample taken from NIST Image database for illustration purposes only.

 

The cost to obtain these documents legally through the registration department in Telangana is only Rs 210-235.

 

Every property document will contain at the least one buyer, one seller and two witnesses. Hence the cost to create an Aadhaar database (name, date of birth, address, fingerprints) for one person is only Rs 50-60.

 

Converting fingerprints to moulds

 

Now, it’s difficult to use a mere scan of a fingerprint to cheat a biometric reader. The devices need moisture to recognise fingerprints.

 

So the prints on the property document need to be converted to a mould.

 

The Times of India article on the Hyderabad SIM seller makes reference to polymer printing using a special printer that purchased online. Incidentally, polymer printing was also used in the Uttar Pradesh Aadhaar hack case to create fingerprint moulds.

 

This practice is very similar to printing photographs on a film as described below:

 

1) The negative of the image to be printed is first created (a simple color inversion of scanned fingerprints will do).

 

2) The negative is then printed on a transparency film and is then submerged with the photopolymer resin solution with the polymer plate.

 

3) The polymer plate is then exposed to UV light for 90 seconds, which will create the fingerprint.

 

The materials generally used are:

 

1) Printo print enhancer (to increase the depth of the printout), at Rs 114 per litre.

2) Polymer plates on which the fingerprints are etched (Rs 2 per square centimeter)

3) LaserJet Transparency papers to print the negative (Rs 70 a sheet)

4) LaserJet printer (Rs 9,000)

5) UV Exposure Unit with Lamps (Rs 15,000).

 

If a single transparency sheet is used to print a fingerprint of an Aadhaar holder into a single polymer plate, the running cost for replicating a fingerprint is approximately Rs 75.

 

Incidentally, this method of using online scans or even photographs to replicate fingerprints is an age-old technique. In 2013, the Chaos Computer Club made waves by producing a physical fake fingerprint and using to cheat Apple’s biometric TouchID security system.

 

The table below outlines the business model that was created by the SIM card distributor to take over the identities of thousands of Aadhaar holders.

 

ItemCost (in rupees)

Capital Cost24,000

Cost to get Fingerprints of an Aadhaar holder50 – 60

Cost to print the fingerprints75

Effective Operating CostRs 125 – Rs 135

Commision from the telco paid to the dealer for every prepaid SIM cardRs 15

Maximum SIM cards allowed per Aadhaar number9

Maximum Possible CommissionRs 15 * 9 = Rs 105

 

Economics of fingerprint forging

 

If the dealer committed the forgery only for getting commissions from the telecom companies, then the business itself is not viable, since the cost exceeds the benefit.

 

However pre-activated SIM cards without the need for e-KYC activation are very much sought after in the black market, for a going rate as high as Rs 500.

 

If this is taken into account, the economics however change dramatically for the forger and even with a single pre-activated SIM, he makes a profit of Rs 385 and the initial capital cost of Rs 24,000 can be recovered by activating and selling just 62 SIM cards.

 

According to news reports, the SIM card distributor in question, one P. Santosh Kumar, managed to activate 6,000 SIM cards. And if it were not for his incredibly naive approach of using the same biometric scanner (e-KYC device) in one month, which is what tipped off the UIDAI, he would have made 23 lakh activations eventually.

 

Furthermore, he could have used these Aadhaar numbers and fingerprint moulds to link a mobile number with these Aadhaar numbers, get PAN cards issued using the e-PANapproach or even open bank accounts.

 

The only solution that UIDAI currently offers against identity takeover attempts using publicly available documents is what it calls “biometric locking”, which requires a permanent phone number always attached to the Aadhaar number.

 

This is why SIM phone clone frauds are on the rise since an identity take over is now possible if one’s phone is either lost (OR) cloned with no possible recourse.

 

The cost of a full Aadhaar identity takeover has now fallen to Rs 125. In other words, the cost of creating a parallel Aadhaar database is now within the reach of common conmen, with a 3X guaranteed return if they play the game low and slow. The Telangana and Andhra Pradesh governments are now scrambling to restrict access to online property documents, but the cat is already out of the bag.

 

While UIDAI and it’s CEO, Ajay Bhushan Pandey, will keep insisting that “Aadhaar is safe”, it is far more pertinent to ask whether the people of this country are safe from Aadhaar.

 

For P. Santosh Kumar, SIM distributor and collector of fingerprints, that safety can be breached by spending Rs 125.

https://www.business-standard.com/article/current-affairs/13-feet-walls-not-enough-stealing-your-aadhaar-details-costs-just-rs-125-118070200133_1.html

The Wire

Top - Home