Aadhaar could also be a security feature to check data theft: UIDAI

Asymmetric encryption norms of Aadhaar are suitable for weaker security environment of ATMs & other places where OTP is not used

To draw the right lessons from the largest ever leak of debit and credit card data from several Indian banks that happened last week, the Aadhaar authorities feel it is time to integrate the same with bank account numbers.

Ajay Bhushan Pandey, director-general of Unique Identification Authority of India (UIDAI), says the Aadhaar authentication protocol can be overlaid on the card systems. Talking with Business Standard, he said it would mean every time a person swipes her debit card on relatively insecure points such as automated teller machines (ATMs), she will be prompted to provide the Aadhaar number along with her PIN provided by the bank.

The two will act as double verification for her.

Pandey said he would discuss this option with the finance ministry. The ministry will have to engage in talks with the National Payments Corporation of India and the Reserve Bank of India (RBI), subsequently. Right now, while banks do insist on Aadhaar number for opening of savings accounts, they do not insist on the same when they offer customers netbanking rights or credit and debit cards.

Since there are nearly 1,070 million Indians, who already have an Aadhaar number and each is seeded with their biometric details, including iris and fingerprints, Pandey said matching of the card population with those holding Aadhaar should not be difficult. “It need not be essential but an additional option every time a transaction is carried out by the card owner, as a safety device.” He said with a massive influx of Indians into the digital age, adding the security provided by the Aadhaar network with the ramped-up checks banks are introducing would be seen as a powerful safety net for the population.

“Adding Aadhaar could, however, add to the time for processing each transaction,” says Shefali Dash, former deputy director-general of National Informatics Centre. She said the two-stage authentication would have to work, as it does for identification of government employees rolled out across the nation over the past two years. It will take a few seconds more, she said, even as she agreed the proposal was viable.

One problem with the addition of Aadhaar is that as of now, ATMs are not Aadhaar-enabled. Yet, they are the points where people use their debit card the most and security breaches happen the most since there is no provision for a one-time password (OTP) to secure the transaction. The PIN numbers are subject to copying by malware in the systems since they are used repeatedly. In the present case, it is suspected that some of the ATMs of a private banking network were invaded first by the malware, which then spread through the financial system.

From January 2017, RBI has mandated making all ATMs across the nation Aadhaar-enabled. But, that has been done to make life easy for the Jan-Dhan account holders. To match the ATMs with the card environment would need the banks to do further tinkering with them. It will cost money.

“In fact, if Aadhaar is added to the current soup, costs will rise for everyone. The banks will have to make changes in their software and even the UIDAI will have to make their system ready to face the sharp spike in transactions, which will happen,” said Dash. Each of them has a cost.

Banks use 128-bit Secure Sockets Layer encryption to secure the net environment for their customers, and technically it is impossible as of now to break the lock. But the weakness like in this case stems from ATMs, which are not as secure. Pandey said the asymmetric encryption standards of Aadhaar are suitable for the weaker security environment of ATMs and other places where OTP is not used, to block theft of security.