The Unique Identification Authority of India (UIDAI) on Tuesday dismissed reports of hacking of Aadhaar enrollment software as “completely incorrect and irresponsible” and said some vested interests were deliberately trying to create confusion among people.
The denial came after an investigation by HuffPost India revealed that the Aadhaar database, which contains the biometrics and personal information of over one billion Indians, “had been compromised by a software patch which disables critical security features of the software used to enroll new Aadhaar users”. According to the report, any unauthorized person from anywhere in the world can generate Aadhaar ID using the patch which is freely available for Rs 2,500.
The UIDAI said the claims about Aadhaar being vulnerable to tampering lacked substance and were totally baseless. “Certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted,” a statement issued by the organization said. It added that the UIDAI matches all the biometric (10 fingerprints and both iris) of a resident enrolling for Aadhaar with the biometrics of all Aadhaar holders before issuing the unique ID.
“UIDAI has taken all necessary safeguard measures spanning from providing standardized software that encrypts entire data even before saving to any disk, protecting data using tamper proofing, identifying every one of the operators in every enrolment, identifying every one of thousands of machines using a unique machine registration process, which ensures every encrypted packet is tracked,” the statement said.
It said all measures to ensure end-to-end security of resident data were taken including full encryption of resident data at the time of capture, tamper resistance, physical security, access control, network security, stringent audit mechanism, 24×7 security and fraud management system monitoring.
Earlier, a report by the HuffPost said a software patch available for as little as Rs 2,500 lets a user bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers. It said the patch also disables the GPS security feature of the software allowing anyone from any location to enrol users.
UIDAI clarified that no operator can make or update Aadhaar unless resident himself gives his biometric. “Any enrolment or update request is processed only after biometrics of the operator is authenticated and resident’s biometrics is de-duplicated at the backend of UIDAI system,” it said.
It added that as part of its “stringent” enrollment and updation process, UIDAI checks enrollment operator’s biometric and other parameters before processing the enrollment or updates and only after all checks are found to be successful, enrollment or update of resident is further processed. “Therefore it is not possible to introduce ghost entries into Aadhaar database.”
UIDAI said that even in a hypothetical situation where a ghost enrollment or update packet is sent to the UIDAI by some “manipulative attempt”, the same is identified by the robust back-end system and all such enrollment packets get rejected and no Aadhaar is generated.
“Also, the concerned enrolment machines and the operators are identified, blocked and blacklisted permanently from the UIDAI system. In appropriate cases, police complaints are also filed for such fraudulent attempts,” it said. UIDAI said that the reported claim of “anybody is able to create an entry into Aadhaar database, then the person can create multiple Aadhaar cards” is completely false.
“If an operator is found violating UIDAI’s strict enrollment and update processes or if one indulges in any type of fraudulent or corrupt practices, UIDAI blocks and blacklists them and imposes financial penalty up to Rs 1 lakh per instance. It is because of this stringent and robust system that as on date more than 50,000 operators have been blacklisted,” UIDAI added.
It said that it keeps adding new security features in its system as required from time-to-time to thwart new security threats by unscrupulous elements.