Imperiled ‘locks’

As hackers have found sophisticated methods to breach the Aadhaar-enabled Payment System, people need to exercise extra caution and vigilance in checking for unauthorised financial transactions.

Update: 2023-10-19 12:23 GMT

In a world increasingly reliant on technology, our smartphones stand as the digital guardians of our lives and formidable gatekeepers of our data. Yet a recent tale of intrigue shows that even the most trusted devices can fall victim to cunning cyberattacks. Picture yourself as a responsible citizen who takes pride in a rigorous approach to protecting personal information: you had confidence in the Aadhaar Virtual ID (VID)-based biometric lock, because you assumed it would provide robust security for your biometric data.

You are well acquainted with the VID of the Unique Identification Authority of India (UIDAI), introduced on March 1, 2018, and made available as an option for agencies to use by September 1, 2018. For the past few years, VID has been used in the biometric lock for Aadhaar. The feature lets users generate a temporary, random 16-digit VID that can be used in place of their Aadhaar number for authentication, shielding the Aadhaar number itself and adding a further layer of protection for their biometric data. For you, it was a beacon of security in an increasingly digital world, and with VID-based biometric locking the Aadhaar biometric system came to be regarded as one of the most secure authentication techniques. Users believed that once they had locked their biometrics with the VID, their Aadhaar data would be safe from hackers.

One afternoon, as you sat sipping your tea, a disturbing SMS notification landed in your inbox: a transaction receipt from your bank confirming the withdrawal of a substantial sum through the Aadhaar-enabled Payment System (AePS). The problem? You had not initiated any such transaction. Panicked, you checked your account, only to discover that your biometric information had been used without your consent. It was a baffling turn of events, as you had been meticulous in locking your biometrics using VID. How, then, had your data been compromised?

To understand the breach, keep in mind that users receive an OTP each time they create a VID, lock their biometrics, retrieve a VID, or unlock their biometric data. This junction point has attracted the attention of hackers, who use it to their advantage. "How is this possible, when no OTP is normally required to withdraw money through AePS?" you might ask. The infected smartphone is the key: users' routine security mistakes make it easier for hackers to gain access to it. Once an attacker controls the smartphone, the OTP needed to unlock the biometric data can be intercepted, and the same remote access opens the door to a treasure trove of personal information, from photos and messages to financial data and passwords. Having read the OTP, the attacker can remotely delete the message, erasing the evidence of the infiltration. Once the biometric lock is removed, an AePS withdrawal requires no further OTP, which is why the only warning you received was the transaction receipt. This scenario raises important questions about what information is exposed once an OTP is intercepted.

One day, while your smartphone lay unattended on your desk at work, a colleague with nefarious intentions seized the opportunity to access your device. In those brief moments of physical access, he tried to install a seemingly harmless app concealing a malicious payload, but your presence nearby foiled the attempt. Another day, a colleague sent you a link to download the "Aadhaar app". The moment you installed this fake app and granted it the permissions it requested, the malicious payload came with it. With the app installed and the device back in your hands, it seemed like business as usual. But the attacker's actions had far-reaching consequences: the malicious app, now nestled within the smartphone, gave him remote access to your device. He could monitor your every move, read your messages and files, and even tap into your calls. Whether through a malicious app with a hidden payload or through physical access, these cybercriminals have found ways to compromise the once-secure fortress of the smartphone.

This incident serves as a stark reminder that even the most secure systems can fall prey to determined hackers. The breach of your Aadhaar biometric data, once considered impenetrable, has left you with a lingering sense of vulnerability. Citizens must remain vigilant, stay informed about potential risks, and take measures to protect their digital assets. Safeguarding your mobile device, whether Android or iOS, from hacks and security breaches is crucial in today's digital age. Some essential steps: keep your operating system up to date, install apps only from trusted sources, review app permissions, use a secure lock screen, enable Find My Device, use Multi-Factor Authentication (MFA), be cautious with public Wi-Fi, regularly back up your data, be wary of phishing attempts, install a reliable security app, and turn off Bluetooth, Wi-Fi, and GPS when you are not actively using them.

Numerous frontline workers championing financial inclusion in rural areas encounter challenges with fingerprint-based biometric authentication due to the rough skin on the fingers of many customers, often a result of their manual labour. An alternative approach involves iris-based or face-based scans, but these methods aren't widely accessible due to their cost, and in some regions, cultural considerations deter women from using them, as they would need to lift their "ghoonghat."

Given that Aadhaar and other centralised ID systems also grapple with security and privacy vulnerabilities, it is imperative to seek innovative solutions to address these biometric-related issues. To this end, embracing cloud-based blockchain technology for verification and authentication emerges as a promising avenue. Such an approach can effectively safeguard the privacy of sensitive data and enable customers to access their Direct Benefit Transfer (DBT) funds through the AePS without the inconvenience of visiting separate locations with specialised iris scanners.

For any AePS fraud, file a complaint online on the National Payments Corporation of India (NPCI) website, www.npci.org.in. For any other type of financial fraud, call 1930. Report any cybercrime at www.cybercrime.gov.in. To track and disable a lost or stolen device, create a report at www.ceir.gov.in. Additionally, you can use the Know Your Mobile (KYM) app to check the authenticity of your mobile device by entering its International Mobile Equipment Identity (IMEI) number; dialling *#06# is the simplest way to display the IMEI on any phone.

AePS is enabled by default for the majority of bank account holders, because Aadhaar is the preferred method of KYC for financial institutions. By following these precautions and staying vigilant, you can significantly reduce the risk of hacking or security breaches. Remember that cybersecurity is an ongoing effort, and staying proactive is key to maintaining your mobile device's security.

The writer is an HoD and Assistant Professor of Dept of Computer Sc & Electronics, Ramakrishna Mission Vidyamandira. Views expressed are personal
