Over the weekend, Ram Sewak Sharma, chairman, Telecom and Regulatory Authority of India (Trai), created quite a flutter on Twitter when he gave out his Aadhaar number and challenged anyone to ‘harm’ him. Within the next few days, many Twitter users posted his email, phone number and date of birth, and someone even tried to deposit Rs 1 in his bank account. While the Unique Identification Authority of India (UIDAI) has claimed that its servers have not been hacked to get such information, on Tuesday, it issued an advisory asking individuals not to reveal their Aadhaar number in the public domain as the unique number has sensitive information like bank account details, the passport number and the permanent account number.
However, security experts and cyber law experts say that those who revealed Sharma's private information are good hackers (white hat), who always work within legal boundaries and hence, did not do anything to jeopardise their legal standing. Those who may cause harm could be lying low for now and gathering information. “I won’t be surprised if black hat hackers are working out plans for an attack,” says Professor Sandeep Shukla, head of computer science and engineering department, Indian Institute of Technology, Kanpur. Shukla believes that either Sharma does not realise the full potential of the threat or he may have a very potent cybersecurity specialist advising him to secure his assets right now. However, for a commoner, leaking of even basic information can lead to financial fraud.
Aadhaar number alone can harm: The Aadhaar number is a good starting point for cybercriminals to get your other details, which can lead to fraud. “Even if hackers cannot get access to the UIDAI system directly, there are many intermediaries which are vulnerable. The data can be compromised through them, and there have been such cases,” says Prashant Mali, an advocate and international cyber law and cybersecurity expert.
Karan Saini, a security researcher and analyst based in New Delhi, has posted a method on his website to demonstrate how someone with basic knowledge of hacking can get the mobile number linked to Aadhaar if the person has the unique identity. “In March, a data leak on a system run by Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information,” says Saini.
Access to personal details such as date of birth, residential address, email address, phone number, etc., makes a person a sitting duck for social engineering frauds. In social engineering, which is prevalent at present, fraudsters use psychological tricks to make victims give away sensitive information. A person calls up a banking customer posing as the bank’s executive. Then, he makes the victim reveal his one-time password (OTP) that enables transfer of funds to the fraudster's bank account or wallet. “Social engineering frauds are easier when you have a lot of personal information about a person. It’s easy to trust someone who has all your genuine personal details,” says Pavan Duggal, a Supreme Court lawyer and cyber law expert.
Mobile number can be misused: A Twitter user claimed to have transferred Re 1 to Sharma’s bank account. Cybersecurity experts say that using the Aadhaar-Enabled Payment System, money can be transferred to another person based on his unique identity if he has signed up for it. In the Unified Payment Interface (UPI), it’s easy to transfer money to a bank account if you have the other person’s phone number and he’s using the same UPI app. Some apps also reveal the email addresses linked to them.
Cybersecurity experts say this is alarming. If someone wants to malign your reputation, he can transfer money to your bank account. Government servants can be accused of bribery, or it can lead to an inquiry under the Prevention of Money Laundering Act for unaccountable funds. “In such a case, the onus is always on the recipient to prove that he has nothing to do with the funds received,” says Mali.
Aadhaar plus mobile number – a deadly combination: Cybersecurity experts say that there have been many cases where scammers went to telecom operators with identity proofs of individuals they want to target along with forged authority letters to get a new SIM with victims’ numbers. Then, transactions were made using the victims’ bank accounts. By the time the account holders get to know, it’s already too late.
Remember, one detail leads to the other: Once Twitter users got one piece of personal information about RS Sharma, they were able to get additional details. Based on his date of birth, name and mobile number, users claimed to have obtained his PAN Card details, Voter's ID, and even frequent flyer number. With such information obtainable, anyone can easily fall prey to identity theft. One of the users claimed to have created a fake Aadhaar of Sharma and availed online services using it.
If someone manages to steal another person’s identity, there are numerous ways a fraudster can misuse it. A fake bank account can be opened with those identity proofs.
A scamster can start accepting money on your behalf. Loans can be availed for which all liability will fall on the person whose documents are submitted to the lender.
A fraudster can run schemes and businesses using the fake identity and swindle others. There have been attempts to sell property using forged documents of the owners.
How identity theft can harm you depends on the imagination, intelligence and data available with the fraudster.
Further, personal information can be used in numerous other ways to victimise individuals. It makes stalking a woman easier. It can lead to blackmailing if some sensitive information falls into the hands of criminals.
Profiling a victim is easy
There are multiple sources that cybercriminals use to profile their victim. Your banking, credit card, insurance, online shopping, mutual fund and stock market data is available online for cheap – anywhere from 10 paise to Re 1 for one person's profile. It is the first step towards creating a profile. Using a few details, cybercriminals can extract more information about you. Date of birth, name and mobile number can reveal the PAN; add the address to it and one can get the Voter's ID. Sophisticated cybercriminals can profile you further by visiting your social media profile and finding out where you vacationed last, where you work at present, and if you had a problem with any service provider lately about which you had posted a message. If you had an issue with your insurer, they would pose as the insurer’s executive. If you are unable to seed Aadhaar with a service, fraudsters will call under the garb of helping you with it. Armed with your personal data and claiming to resolve the issue you are facing, they can harm you.