Fresh concerns after cops bust gang cloning fingerprints of Aadhaar operators

The arrest of 10 men for allegedly cloning fingerprints to subvert Aadhaar’s vaunted biometric-based security system has revealed fresh vulnerabilities in India’s controversial identity project.

On Sunday, the Uttar Pradesh police announced they had busted a Lucknow-based gang, which stole the fingerprints of authorised Aadhaar enrolment operators.

These fingerprints were cloned and used to access the Unique Identification Authority of India (UIDAI)’s enrolment service to create “fake” Aadhaar numbers.

“The gang hijacked the fingerprints and login-ids of Aadhaar enrolment operators, and also bypassed UIDAI’s iris-scan based security,” Uttar Pradesh’s additional superintendent of police for cybercrime, Dr Triveni Singh, told HT, describing a modus-operandi that sounded like the plot of a sci-fi movie.

The arrests were made on the basis of a complaint filed by the Unique Identification Authority of India on August 16 this year. In a press note, the UIDAI said “the attempt to generate fake Aadhaar card was foiled by the robust UIDAI system”.

However, experts say the arrests point to the inherent vulnerability of Aadhaar’s architecture.

Modus operandi

Enrolling a fresh user to the Aadhaar database requires the presence of an authorised enrolment operator, who accesses the UIDAI system using his fingerprints and a scan of his retina.

In the Lucknow case, the police said, the gang acquired images of the fingerprints of Aadhaar enrolment operators, printed these images on butter-paper, and placed these prints on a sheet of a light-sensitive resin which was then exposed to ultra-violet light.

The cloned fingerprint obtained at the end of this process, Dr Singh said, looks like an office rubber-stamp that can be pressed down on a biometric reader.

When the police raided the gang’s premises, they confiscated 46 such fingerprint stamps.

The hackers also devised a way to subvert the retina-scan requirement. “We are on the lookout for the software developer who helped them bypass the retina-scan,” Dr Singh said, adding that fingerprint stamps and technical knowhow was widely distributed to allow multiple logins and enrolments using the stolen credentials.

Security experts have repeatedly pointed to the inherent vulnerability of systems like Aadhaar that rely on biometric security.

“Biometrics are public information as they can be captured and replicated using a high resolution camera,” said Subhashis Banerjee, Professor of Computer Science Engineering at IIT Delhi, “Using biometrics alone as a passcode is conceptually flawed.”

However, many new applications like the Aadhaar-Enabled Payment System (AEPS) use biometrics as the sole authenticator for financial transactions.

Prof. Banerjee said biometric theft was likely to increase as the widespread adoption of aadhaar, particularly for financial transactions, would increase the incentives for criminal activity.