With reports coming in of fraudsters creating fingerprints using laser printers and silicon, and using these to access part of the Aadhaar system—fraudsters slip on the silicon fingerprint to authenticate themselves—the worst fears regarding Aadhaar appear to be coming true. If the biometrics of those in charge of issuing Aadhaar numbers can be cloned, imagine what else can be done. Also, some have argued, hi-res photographs can also be used to create fake retinas to fool the system. Uttar Pradesh’s special task force may have arrested this gang, but the fact that they got so far is worrying.
Certainly, fraudsters will continue to evolve, and it is the job of a good system, not just Aadhaar, to stay one step ahead, to catch fraudsters and come up with solutions. By this yardstick, UIDAI which is the repository for Aadhaar, is doing a good job. The Kanpur bust, after all, was based on a UIDAI complaint. In order to ensure only authorised agents collect biometrics, UIDAI requires them to biometrically authenticate themselves. In this case, one agent created silicon copies of his own biometrics and gave these to various people who used them for authentication and then collected the biometrics of others. When UIDAI’s computers found the same biometrics being used in different places, possibly even simultaneously, they threw up an alert and the gang got busted and the biometrics collected were junked. It was, similarly, an alert UIDAI’s network threw up that resulted in the complaint being registered against Axis Bank/Suvidha/eMudra which was storing biometric data of one person and using this repeatedly to carry out transactions.
But if biometrics can be cloned, how will UIDAI stop/track this? For one, once person A complains of an unauthorised usage of his biometrics, UIDAI can track where it was used—at a ration shop or a bank—and linking all mobiles and bank accounts with Aadhaar means all transactions can be tracked. Two, last January, UIDAI decided that only biometric authentication requests that came from devices registered with it would be entertained. In the Kanpur case, another new feature came in handy—some time ago, in order to improve security, UIDAI insisted GPS trackers be used for each machine capturing biometric data; at some point in the future, even point-of-sale machines in ration shops or those with banks/merchants using AadhaarPay could also have GPS locators to help track users even more closely. Over time, fraudsters may develop ways around even this, and UIDAI will have to come up with more checks, but that’s what all security systems in banks and credit card companies do all the time. The fact that even Aadhaar’s biggest critics have not alleged the core database of biometrics has been breached must stand for something.