What more can we do when our data is already leaked?
Yes, I agree we can’t do much about what has happened. But there is a point people are missing. Aadhar isn’t just about your data. It is also your digital signature. If you are not careful with it, someone can use it to buy a SIM card in your name, transact from your bank account, sign documents on your behalf, etc.
Most of these steps are difficult for me. They make life inconvenient. I have to do them because I don’t have an option. Please follow them for your own safety.
Lock Your Biometric
Let’s understand how locking your biometric can help.
Ashok approaches an Airtel store to purchase a SIM card. He provides his Aadhar number. The customer service executive asks him to verify his biometrics (fingerprint). These details are sent to UIDAI’s computers, which verify that the information produced is correct. Ashok walks out with his SIM card.
Here is the problem. Think of the Aadhar number as Ashok’s username and his biometrics (fingerprint) as his password. He has given this information away to Airtel’s customer executive. Now the customer executive can reuse this information to issue another SIM card in Ashok’s name without his consent, just as giving away your Facebook username and password to someone can lead to their misuse.
If you lock your biometric details, then when someone tries to send your biometric for authentication, it would be rejected. Virtual ID was another security layer made to prevent this issue. It will be functional only from June 1.
You can lock your biometric by visiting https://resident.uidai.gov.in/biome.... Remember, whenever you need Aadhar for authentication, you need to unlock it. This is a hassle, but it is better than leaving your biometric unsecured.
Monitor Aadhar Logs on Your Email/Phone
Whenever you authenticate through Aadhar, you get an email from UIDAI. Make sure you have provided the correct email/phone number on your Aadhar. If you notice any authorisation you are unaware of, report it to UIDAI immediately. If you receive OTPs that you didn’t request, that is also a bad sign. Report it immediately.
Don’t Use the mAadhar App
It stores your profile information (Name, Date of Birth, etc). It allows certain functionality such as biometric locking/unlocking and time-based OTP generation.
When you open the app for the first time, it asks you to set a password. Later, you can use the same password to unlock its functionalities. Hence, even if someone steals your phone, they can’t access the app.
A French security researcher downloaded the app. He found something strange.
The password you set while registering is stored in a safe box. Every time you open the app, it asks you to enter your password; the app then unlocks the safe box and checks whether the two match. If they do, you get access to the app. There is a key to the safe box where your password is stored. The key is simply a set of characters like “A233ASD”. If this key is compromised, anyone can read your password and access the app’s functionalities. The key to the safe box must be unique. Your key and my key shouldn’t be the same. If they are the same, I can unlock your phone’s safe box with my key and get access to its functionalities. The French security researcher found out that all mAadhar customers have the same key.
It’s like the Indian government giving its citizens a lock and key to secure their houses. The problem is every citizen has the same exact lock. Anyone can open anyone else’s house with their own key.
Your mAadhar app is presently vulnerable. If you have installed it, delete it.
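A simplified model of the flaw described above, added here as an illustration; it is not the mAadhar app's code and not from the original article. The function names and the toy cipher are assumptions: the first half shows why one key shared by every install protects nothing, the second half shows a design that keeps no recoverable password at all.

```python
import hashlib
import hmac
import secrets

# The article's illustrative key; in the flawed design every install ships with it.
SHARED_KEY = b"A233ASD"

def _keystream(key, n):
    # Toy cipher (SHA-256 in counter mode) standing in for the app's real one.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(key, password):
    """Flawed design: keep the password itself, encrypted under `key`."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def unseal(key, box):
    return bytes(a ^ b for a, b in zip(box, _keystream(key, len(box)))).decode()

def shared_key_opens_other_box():
    # Constructed sample: one phone seals its password with the shared key...
    box_on_phone_a = seal(SHARED_KEY, "phone-a-password")
    # ...and any other install, holding the same key, can open that box.
    return unseal(SHARED_KEY, box_on_phone_a)

def enroll(password):
    """Hardened design: keep only a random salt and a slow salted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify(record, attempt):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 200_000)
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    print("shared key recovers:", shared_key_opens_other_box())
    record = enroll("phone-a-password")
    print("correct password accepted:", verify(record, "phone-a-password"))
    print("wrong password accepted:", verify(record, "guess"))
```

With the salted hash there is no safe-box key to share: two phones that enroll the same password store different records, and neither record can be turned back into the password.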
Use Passcodes to Lock Your Phone
If your phone is compromised, your Aadhar can also be compromised, since Aadhar sends OTPs via mobile. If a hacker gets access to your mobile, he can request an OTP to unlock your biometric. Don’t use biometric authentication on your phone; use passcodes instead. All phones allow you to set a 4- or 6-digit PIN.
Limit Message Details on Lock Screen
By default, all phones allow you to see the full message on your lock screen. The problem is that when your phone is compromised, even if it is locked, someone can read your OTP on the lock screen.
Don’t Believe Authorities Who Say They Are ‘Hack-Proof’
There is nothing in this world which is ‘hack-proof’.
During the Second World War, the Germans used the Enigma machine to protect their messages. They could punch in a message (e.g. “Food supplies coming from the west”). The machine would produce gibberish (e.g. “A1B2# C3D4$#ED JD@#KK #$%%#”). This was broadcast over the radio. On the receiving end, when you typed in the same gibberish, you got back the original message. It was only a matter of time. Alan Turing cracked the Enigma code, which played a key role in the defeat of the Nazis.
The inventor of the Enigma machine made some mathematical assumptions. Alan Turing broke those assumptions, which enabled him to crack the code. Security is built around such technical assumptions. We have a lot of Alan Turings (hackers) who challenge those assumptions and break them. Such incidents have occurred numerous times in the past. They will continue to happen; that is how we advance. Considering past events, how can one call their system ‘hack-proof’?
Follow #Aadhar on Twitter
If any vulnerabilities are found, you would be informed immediately. You can use this information to protect yourself.