Criminals managed to circumvent the “robust” security of India’s biometric database to issue over 8 million fake identity cards — which Indian citizens use for everything from opening bank accounts to getting married.
Police in the northern Indian state of Uttar Pradesh Sunday arrested 10 men as part of a crackdown on a sophisticated fraud scheme that involved cloning fingerprints and cracking the security features of the Aadhaar enrollment system — which was described in August as “robust and uncompromised” by the authority charged with protecting it.
Indian police said they could not rule out the existence of a wider network of similar gangs operating in other regions of the country, and said they were still actively searching for the kingpin behind the operation.
The Unique Identification Authority of India (UIDAI), the agency charged with operating Aadhaar, uses a network of private enrollment centers around the country to register citizens on the system and issue identity cards.
The gang were able to fool the system into thinking they were operating as authorized enrollment centers by using fake fingerprints and a specially designed piece of software which bypassed the security systems UIDAI had in place.
“UIDAI has a security protocol authorizing third party vendors to access the main server for making Aadhaar cards,” Amitabh Yash from Uttar Pradesh’s special task force told reporters Sunday. “But the arrested men were doing so by bypassing the 3-layer security protocol involving biometric finger impression, retina scan and GPS system.”
UIDAI said it had initially flagged the suspicious activity to the police, and insisted the details stored in the central database were never compromised. According to a Times of India report on the arrests, the UIDAI recently cancelled 8 million Aadhaar cards — giving some indication of the scale of the problem.
The gang members used their own fingerprints and retina scans for the fake Aadhaar cards, and police said they recovered a range of devices used as part of the scheme, including fingerprint scanners, iris scanners, chemically prepared artificial fingerprints, rubber stamps, GPS devices, and printing material.
Just shocked at UP Aadhaar breach.
How long did UIDAI know fingerprint cloning on? Did they disclose facts to SC? https://t.co/OzSJHz0slV
— Anumeha (@anumayhem) September 11, 2017
Aadhaar is the world’s biggest biometric database with almost 1.2 billion registered users, which sees each citizen issued with a unique 12-digit number linked to their fingerprints, iris scans and other personal details like name, address, date of birth, and gender. The system was initially designed to make the benefits system more streamlined, but in recent years the Indian government has sought to greatly expand its use.
This has led to strong criticism from activists who see the system today as a giant surveillance apparatus that could be used to monitor all aspects of their lives. As the number of people enrolled in Aadhaar nears 100 percent of the population, the government recently announced it is considering opening official registration centers and revoking the licenses of the private operators.
Usha Ramanathan, an expert on law and poverty in India, said the dependence on private registrars for enrollment has been a major concern for a long time. “The rampant outsourcing of enrollment has produced this mess – just as was anticipated,” Usha told VICE News. “But ruthless databasing of people could not accommodate such concerns. Now that the government says they are close to 100 percent enrollment, they are thinking about making it more secure. Really?”