Super Sloppy Security Gushes Aadhaar PII

In many respects, India’s 9-year-old Aadhaar national ID system is a global model for simplifying payments, banking and payroll operations. It was designed to be a comprehensive database allowing easy access to bank accounts and other payments mechanisms. As a concept, it worked brilliantly.

But according to data from a report from the Centre For Internet and Society, an Indian nonprofit that conducts research on the internet and digital technology, it also serves as a world-class example of security recklessness, with methods so sloppy that they could have exposed sensitive data about almost a quarter of a billion Indian citizens.

This massive PII (personally identifiable information) leak involved no cyberthieves (not yet, anyway; that is coming), nor even a lack of protections against search engine spiders. No, what happened with Aadhaar was authentication and masking executed in such a slipshod way that a rudimentary understanding of how computers work was all that was needed to easily access sensitive data.

For example, on some consumer-accessible government pages, details were indeed masked or truncated. But it was designed to show everything in full detail when the user was logged in. Instead of logging in, all someone needed to do was to change a word in the URL from “nologin” to “login.” The system then proceeded as though the correct authentication password had been entered.

Even the data masking was ultra-sloppy, according to the report.

“The masking of Aadhaar numbers does not follow a consistent pattern. In some instances, the first four digits were masked while, in others, the middle digits were masked. Given the multitude of databases publicly available, someone with access to different databases could use tools for aggregation to reconstruct information hidden or masked in a particular database,” the report said.

“Further, most of the databases we encountered were also available for download as spreadsheets. The availability of the information in datafied formats also facilitates the use of data analytics to aggregate information from various sources, thus, increasing the risk of data points from different sources coming together to enable reconstruction of masked or undisclosed information.”

In another Aadhaar database, one created to provide relief to the families of unorganized workers in case of death or disability of the unorganized worker, “even though the details were masked while rendering, we found MS Access databases of all the data being published by the portal, negating the masking process. At the same time URLs which were used to get reports have Aadhaar numbers part of them making anyone familiar with web development [able to] access the details,” the report said.

What makes this case so disastrous is not merely the massive number of people involved nor the sloppiness of security. It’s the extremely sensitive nature of the data and how useful these flaws will be to cyber thieves as well as identity thieves.

As The Paypers noted in a story about this report, “The system assigns each Indian a 12-digit ID in the form of XXXX-XXXX-XXXX, and records information such as home addresses, information on all bank accounts, mobile phone numbers, and all the biometrics details you can imagine, ranging from eye colour to fingerprints, and from height to iris scans. When it was first launched, the program was advertised as a database of Indian citizens’ details, which the government could use to pay subsidies and other benefits…The Indian government has pushed the adoption of the Aadhaar system in almost every facet of day-to-day life.”

This kind of sloppy security begets headaches far beyond public Indian government databases. That data can then be used to crack into untold numbers of retail, banking, insurance, healthcare and other sites, leveraging the tendency of consumers to reuse passwords.

Even if the passwords weren’t reused, the Aadhaar sloppiness offers more than enough information to request a new password and to falsely authenticate oneself as someone else.

How can sensitive payment sites keep from falling into the same kind of trap? Other than the obvious—never allow access merely by tweaking a URL and follow consistent rules for masking—sites must make aggressive use of third-party penetration testing to identify these kinds of holes before sites are launched.
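An added example, not code from the report or from any Aadhaar portal, contrasting the URL-word "authentication" described above with a server-side session check, applying one consistent masking rule, and including a reviewer's check for the reconstruction-by-aggregation risk the report raises; the beneficiary record, request class and ids are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

AADHAAR_RE = re.compile(r"^\d{4}-\d{4}-\d{4}$")

# Constructed sample record; not real data.
BENEFICIARIES = {"B-1": {"name": "Sample Beneficiary", "aadhaar": "1234-5678-9012"}}


@dataclass
class Request:
    query: dict                          # URL query parameters, client-controlled
    session_user: Optional[str] = None   # set only from a server-side session lookup


def mask_aadhaar(number: str) -> str:
    """One masking rule everywhere: reveal only the last four digits."""
    if not AADHAAR_RE.match(number):
        raise ValueError("unexpected Aadhaar format")
    return "XXXX-XXXX-" + number[-4:]


def vulnerable_view(req: Request) -> str:
    """Mirrors the flaw in the article: a word in the URL decides unmasking."""
    rec = BENEFICIARIES[req.query["id"]]
    if req.query.get("mode") == "login":   # trusts client-supplied state
        return rec["aadhaar"]
    return mask_aadhaar(rec["aadhaar"])


def hardened_view(req: Request) -> str:
    """Unmask only for an authenticated session that owns the record."""
    rec = BENEFICIARIES[req.query["id"]]
    if req.session_user is not None and req.session_user == req.query["id"]:
        return rec["aadhaar"]
    return mask_aadhaar(rec["aadhaar"])    # default is always the masked form


def reconstructable(masked_views: list) -> bool:
    """Review check for the aggregation risk: do the published masked views
    of one record, taken together, reveal every digit position?"""
    revealed = set()
    for view in masked_views:
        for i, ch in enumerate(view):
            if ch.isdigit():
                revealed.add(i)
    digit_positions = {i for i in range(14) if i not in (4, 9)}  # skip the hyphens
    return digit_positions <= revealed
```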

In some cases with Aadhaar, the government site that the report reviewed seemed to go out of its way to weaken its privacy protections. Again, from the report: “It is entirely unclear to us what the purpose behind making available a Data Download Option on the [National Social Assistance Programme] website is. This feature allows download of beneficiary details mentioned above such as Beneficiary [number], Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account [number] for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”

All that a legitimate consumer would need would be visibility into those fields to check for accuracy. Why would they need to download the data? It’s pointless for almost all consumers and yet ultra-convenient for thieves. An outsider brought in to review the system would ask for answers to questions like “Is this wise? What’s the point?” before making the database world-readable.

Another headache: Even assuming that every single impacted Indian database is fully fixed tomorrow, that data is almost certainly already in the hands of evil ones.

Some will absolutely use the data directly, while many will try to resell the data in the Internet’s black market: the Dark Web. Therefore, even if just a dozen or so thieves have already grabbed this data, it will be shared everywhere.

This gets worse. Unlike bank account numbers or payment card details, much of the data stolen here can’t merely be changed and reissued. There are three kinds of data: that which can be easily changed (example: bank account numbers); that which can never be changed (biometrics, address, date of birth, etc.); and that which can be changed with great difficulty (in the U.S., a good example would be Social Security numbers).

In the Aadhaar leak, thieves got access to plenty of all three. Indian consumers—and their banks—will be paying the price for this sloppiness for many years to come.