Tuesday, February 6, 2018

Proof that Aadhar biometrics-based authentication CAN be hacked : ration shop caught using digital duplicates

2 Surat ration shop owners held for biometric security breach

Traders buy biometric data for Rs 15,000, run scam; held

"The Titanic is Unsinkable", they said.

Simple technical reality : one has to send fingerprints or iris scans or whatever over to UIDAI in some digital format, and even UIDAI needs to store them at their end in some digital format. And that can be archived and duplicated anytime. Digital tech was invented FOR ease of duplication and transmission. So to keep things authentic there is like tilting a bottle downwards and praying the water doesn't spill out. It's because of this that passwords and 4-digit pin codes are considered more secure than biometrics : you can keep changing your password if you suspect it was duplicated at last use.

Combine this with the fact that ALL biometrics (including iris!) change over time and drop out of the probability tolerance window (change being much faster for youngsters and seniors), and if you widen the tolerance window then many other people's fingerprint/iris can be accepted as yours, and we'll soon have a situation where only the archived digital fingerprint copy will match and the real fingers won't.. so senior citizens esp will have to pay bribes to crooks to get their pensions etc. (by the way because of cataracts and other ageing effects, iris recognition simply can't be used on senior citizens)

My solution? Screw centralization of authentication. It was an inferior technology to begin with : a red herring that set us on a wild goose chase. Give the local residents committee (as practiced by Hiware Bazar nr Nasik, see the TED talks) the responsibility of authentication, still keeping it all digital and properly logged (like your netbanking logs your a/c withdrawals) but keeping the crucial yes/no decision decentralized to the local people's body. Or at least decentralize it to the MP or MLA level if nothing else. If they do fraud then they only will suffer by losing out collective quotas (and a smaller bucket makes the missing water more visible) and votes in next election, so there's an automatic incentive for honesty. Whereas centralized systems with large pools incentivize frauds.. kaun notice karega. Decentralized systems is what even Bitcoin runs on. The only "disadvantage" there is that anonymous babus sitting in Delhi won't have a huge database in hand to sell off to exploiters and foreign intelligence agencies.

And here's a challenge for those desperately seeking to dismiss this as a one-off : If a small ration shop can pull this off, what makes you think a Saudi-funded terrorist organisation can't? What makes you think a CIA-backed foreign agent can't? Remember that several of the companies and suppliers to whom handling this biometric data was contracted out to, have foreign connections and many of the companies whose fingerprint reading devices were bought have also worked with US intelligence agencies. You know from the Snowden leaks that US intelligence agencies have back door access to several privately owned companies' systems that they make lucrative deals with, and the same goes for Chinese made devices, which is why even our Army bans soldiers from using many China-made mobiles in sensitive areas. What makes you think NONE of them bothered to keep a digital copy of the valuable-as-gold data that passed through their systems? What makes you think a criminal gang making black political donations can't pull this off? Kidhar gaya tera nationalism? Do you not care about your country? Where does your loyalty lie : to India or to Aadhar?

No comments:

Gift Economy

Would you like to show your appreciation for this work through a small contribution?

(PS: there's no ads or revenue sources of any kind on this blog)

Related Posts with Thumbnails