UIDAI claims that the Aadhaar database can’t be breached even by the world’s fastest supercomputers, but it appears that you don’t need a supercomputer to steal Aadhaar data, and in turn, someone’s identity. All you need is internet access to watch YouTube videos, a few hundred rupees in your pocket and some cunning skills, and you can create your own Aadhaar database to do as you want.
A SIM card distributor in Hyderabad recently discovered this trick and exploited it to activate around 6,000 SIM cards in the names of people whose biometrics and identification details he obtained by 100% legal means.
According to a report from The Wire, a SIM card distributor named P. Santosh Kumar obtained identity details and fingerprints of random people from the Telangana government’s property registration database. The documents are available online on the body’s website and can also be obtained as a hard copy from the registrar’s office at just Rs 210, or a maximum Rs. 235. Each property documents contains the name, date of birth, address and fingerprints of four people (buyer, seller, two witnesses), which brings down the cost of obtaining a person’s personally identifying data to just around Rs. 50.
The accused scanned these fingerprints, printed them on a polymer plate and then used the identity and biometric data to activate around 6,000 SIM cards to earn a commission for new subscribers from Vodafone, the telecom operator whose SIM cards he distributed. According to a report from Times of India, Kumar supposedly learned the technique by watching videos and hatched the plan to earn some quick money.
The average cost of printing a person’s identification and biometric data runs between Rs. 125 and Rs. 135, which means the accused could have pocketed Rs. 385 per SIM card he activated after selling them in the black market. The accused was nabbed only after UIDAI grew suspicious when he kept using the same biometric scanner (e-KYC device) for thousands of registrations in a single month, a mistake which eventually led to his arrest.
It must be noted that the state government has since restricted the access to the property document database, but this data is trivial to obtain from Indian government offices if one has the right contacts.
The incident has laid bare more vulnerabilities of Aadhaar-linked data, which despite the government’s insistence has been breached multiple times through such unsecured government websites.
However, the implications of obtaining one’s Aadhaar data is not merely limited to activating a SIM in their name, it can also be used to link a mobile number with the data, get a PAN card issued, open a bank account, etc. In such cases, the victims can even get direct government subsidies to bank accounts or Paytm accounts, as detailed by the author of The Wire’s report on Twitter.
I retraced the entire process used and it is so cheap to do it at as a home business with Guaranteed 3X return in 2 days. #Aadhaar is now the guaranteed income/job project for every single 2 bit fraudster with a fully functional Direct Benefit Transfer via @PayTm.
— V. Anand "Screeching Minority" | வெ. ஆனந்த் (@iam_anandv) July 2, 2018
It’s highly unlikely that the arrested SIM distributor has come up with this idea by himself, even though many of the reports paint him as self-taught. In fact it’s all the more likely that such illicit sign-ups are more common than one thinks, especially given the frenetic competition in the telecom market.
The stark reality is that identity takeover can take as little as Rs. 125 in today’s India, and if UIDAI keeps making hollow claims about Aadhaar’s virtues and turns a blind eye to such alarming incidents, a bigger data breach or digital catastrophe is not far away.