Sunday 1 November 2015

How Safe Is Your Identity Under Aadhar?

How Safe Is Your Identity Under Aadhar?SUCHETA DALAL | 28/10/2015 02:14 PM





A lot of people believe that Aadhaar is just like – or even better than -- the Social Security Number system of US. This is a big myth

Awidely-held misconception in India is that the US social security number (SSN) is a perfect identity that simplified government administration. And that UIDAI’s (Unique Identification Authority of India) innovation of adding biometrics to the Aadhaar number has made it foolproof. Nothing could be further from the truth. Consider a few facts.

The US started issuing SSN in 1936 for social security programmes and retirement benefits; it quickly went on to become a national identifier and authentication number. It is now used for medical records, health insurance, bank accounts, credit cards, driving licences, utility accounts, marriage and death certificates and even private sector employee filings.

SSN’s problems arose because of the linkage to various national databases, especially when the information went online along with photos, numbers and other identification details. Identity theft exploded. Significantly, the US realised the problem and initiated safeguards way back in 2004. A memorandum titled “Safeguarding against and Responding to the Breach of Personally Identifiable Information” asked various government departments, including the military, to “examine and identify instances” where collection or use of SSN is unnecessary, in 2007. All government agencies that issued identity cards with SSNs displayed were asked to remove the number. SSNs embedded in the bar code of military cards were also phased out since 2011.

The US SSN website (www.socialsecurity.gov) has explicit warnings about identity theft and directions to a specialised national resource on how to fight the problem (www.idtheft.gov). Advocacy by www.theVirginiaWatchdog.com has now led to efforts to de-link various personal records from SSN. There is new legislation as well. The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits display of SSN on drivers’ licences, state ID cards or motor-vehicle registrations. The Social Security Number Protection Act of 2010 prohibits the display of an individual’s SSN on cheques and payments. But it is, apparently, not enough.

An article by Christopher Burns in the bangordailynews.com says that, in March 2015, the office of the inspector general of SSN found that 6.5 million Americans appear to be over 112 years old. They have active SSN numbers but are most likely to be dead. This, it says, is a big factor in identify theft and leakage of government funds. Mr Burns says improper payments by a range of federal programmes cost the US government a whopping $124.7 billion in fiscal 2014 according to the government accountability office.

Clearly, a national identity number is not enough to prevent massive leakage of government funds, even in a rich and literate country like the US. All these learnings were clearly available even before the Aadhaar was born. Yet, the United Progressive Alliance (UPA) launched a massive and expensive Aadhaar programme, without proper legislation passed by parliament after a national debate on security measures, restricting its issuance to Indian nationals and linking of national databases. Worse, there is no clarity on costs, renewal of biometrics (which change ever three to four years) or clarity on dealing with identity theft. Instead, successive governments have tried to roll it out by stealth, making it mandatory for admissions, property registration and government services. This continued unchecked until a handful of public interest litigations (PILs) finally reached the Supreme Court. The apex court ordered that Aadhaar cannot be mandated for availing government benefits and services; but its orders have been repeatedly flouted.

Identity theft is new to India because most government records were not online or linked to a single identification. This will change. Unfortunately, most Indians, enamoured by the life-changing benefits of technology, are still to wake up to its dangerous flipside or the trauma of a stolen identity.



Does Aadhaar serve any Public Interest?
DR ANUPAM SARAPH | 12/10/2015 04:05 PM



The government claims that Aadhaar removes barriers to benefits, cleans duplicate and fraudulent beneficiaries and ensures benefits reach the beneficiaries. Are these claims justified?

The purposes of Aadhaar were laid out in the Government’s Strategy Document . Let us examine each of the purposes in turn. The Government asserts, “In India, an inability to prove identity is one of the biggest barriers preventing the poor from accessing benefits and subsidies.” More recently the UIDAI admitted that 99.97% of those now issued with Aadhaar numbers did not really need them because they were already in possession of adequate identification documents. If this is true, the inability to prove identity has not been the biggest barrier to access benefits.

The Government’s Strategy document also states “A single, universal identity number will also be transformational in eliminating fraud and duplicate identities, since individuals will no longer be able to represent themselves differently to different agencies.” This has come to be referred to as de-duplication of government databases.

While placing such unabashed trust on the use of Aadhaar, the government forgets to mention that no official certifies the identity or even the address associated with the Aadhaar number. In fact the data associated with the number has never even been verified or audited. It is unclear how a number that is not an identity card is a proof of identity, address, even existence or a basis to de-duplicate other databases!

The process of de-duplication does not require any new ID like the Aadhaar and certainly cannot be done with an un-certified, un-verified and un-audited database like the Aadhaar. In de-duplication, any two databases can be used for comparison with each other. The output of the comparison would be expected to be a list of records that matched and therefore deemed to be genuine, a list of records where the name matched but address did not and need verification, a list of records that are missing from one but present in the other and therefore deemed to have been excluded from one or likely to be fake in the other. The claim of de-duplication falls flat as we see no such lists, only exclusion of many amidst unverified claims of removal of fakes.

The Government’s Strategy document states, “It would enable the government to shift from indirect to direct benefits, and help verify whether the intended beneficiaries actually receive funds/ subsidies”. This means that as per the Government, to be deemed genuine, every bank account has to be linked to the Aadhaar and every transaction has to happen through the Aadhaar Based Payment System (ABPS) run by a private company, the National Payments Corp of India (NPCI). This implies that the Reserve Bank of India (RBI)'s own know-your-customer (KYC) and its own payment systems like National Electronic Fund Transfer (NEFT) and Real Time Gross Settlement (RTGS), in comparison to that of a private entity, the NPCI, facilitates fraud and cannot be used.

In implementation of this objective of direct benefit transfer (DBT), by using just a uncertified, unverified and unaudited number submitted remotely as e-KYC, the RBI did away with its own KYC standards, the recommendations of the Financial Action Task Force (FATF), the Basel Standards on keeping customer data and even the Prevention of Money Laundering Act.

Bank accounts opened solely with the Aadhaar number are indistinguishable and undetectable from hundreds of thousands or even millions of “mule” bank accounts to launder money, take bribes, park black money or siphon subsidy passed through DBT schemes. There is no existing mechanism to detect such fake accounts or trillions of fake money transfers effected through the ABPS.

The Government fails to explain how 94.7% of the villages without a bank branch or bank literacy will be served by DBT through Aadhaar. The deliberate policy of insistence on Aadhaar and DBT has created new barriers that exclude beneficiaries. Therefore the claim of ensuring benefits reach beneficiaries is also without merit.

The Aadhaar is often likened to the American Social Security number. The 2013 Identity Fraud Report released by Javelin Strategy & Research, found 12.6 million victims of identity fraud in the US, which equates to 1 victim every 3 seconds. The Treasury Inspector General for Tax Administration in the US projected that fraudsters would net $26 billion into 2017. The question being asked in the US is: Why are we still using social security numbers (SSNs) to identify taxpayers?

The method of enrolment of Aadhaar has exposed every Aadhaar number ever generated to being copied, distributed, modified and stolen many times over. Transactions through such Aadhaar will be wrongfully attributed to the person whose identity was stolen to do such transactions. Aadhaar thus exposes the entire country to theft of lakhs of crores.Hyderabad alone is reportedly getting 20 cases a day related to Aadhaar frauds. Aadhaar has exposed the identity of its residents to theft and misuse.

There is, therefore, no merit in arguing that Aadhaar removes the barriers to benefits, cleans duplicate and fraudulent beneficiaries and ensures benefits reach the beneficiaries. In fact, it does exactly the opposite. Technology should be an enabler, not a facilitator to build applications that serve as Trojan horses to compromise the fundamental rights of its citizens, the sovereignty of their decisions, national security, and thus enable the launching a cyberwar and in the process destroy law and order.

Aadhaar, therefore, not only serves no public interest, it actually destroys public interest.

(Dr Anupam Saraph is a Professor, Future Designer, former governance and IT advisor to Goa’s former Chief Minister Manohar Parrikar and the Global Agenda Councils of the World Economic Forum.)

http://www.moneylife.in/article/does-aadhaar-serve-any-public-interest/43653.html




Aadhaar Card Giving Rise To Increasing Online Frauds In India; Should Mobile Wallets Encourage Its Usage?





As of August, 2015, Indian Govt. has spend close to Rs 6000 crore to issue Aadhaar cards for 90 crore Indians. But it seems that a new breed of online fraudsters are fostering on the vulnerabilities of this identification tool, and siphoning off the hard earned money via illegal methods.

Considering that majority of these new Aadhaar card holders are new, first time bankers, they are falling easily for these tactics, and losing their money.

In fact, as per a report published by TOI, it was revealed that Hyderabad alone is getting 20 cases a day, related to Aadhaar card frauds. 40-50% of those who are scammed, are not even aware of this new cheating mode.

Cyberabad police’s Cyber Wing inspector Md Riyaz said, “We suspect that they could be either former or serving call centre employees. Using the confidential details of customers, money is siphoned off from the accounts of the victims,”
The Modus Operandi

As the investigative officials have discovered, there are two different ways these fraudsters are attacking Aadhaar card holders.

In the first case, a tele-caller will call you up with this script: “Hello, sir/madam, the bank has decided to link your Aadhaar number with debit card for better customer service.”

Gullible customers will happily provide them with the details they are asking; and very smartly, the fraudsters will extract details of CVV number and expiry dates (which are only known to the customer).

Immediately, these fraudsters will generate an OTP, which is received by the victim instantly. Now, the OTP will act as a further trust factor for the victim (especially the ones who have never done OTP based transactions), and they will share that as well. They think that the OTP will be used for linking their bank accounts with Aadhaar card.

Once OTP is generated and shared, the fraudsters use various ecommerce portals to purchase as many products as that 5 to 15 minute window of OTP validation provides. By the time the victims understand this, his/her bank account is debited with thousands of rupees.

The other way to trick bank customers is to ask their alternate number; and an OTP is sent to that in order to make the victim believe that indeed their bank accounts and Aadhar card is being linked.
Should Mobile Wallets Use Aadhaar Card As KYC Tool?

Freecharge has recently announced that they will be using Aadhaar cards as primary KYC (Know Your Customer) tool to validate and authenticate first time users. In fact, as an incentive, Aadhaar Card enabled wallets can have balance upto Rs 1 lakh, instead of Rs 10,000 for non-Aadhaar Card holders. Aadhaar Card holders would also be provided with door-step KYC verification by Freecharge.

Other mobile wallets such as Paytm and Oxigen have been using Aadhar card based verification since long.

In view of the recent frauds done on Aadhaar Card users, it may be advisable that mobile wallets in India display caution, while encouraging Aadhaar card usage. Although it’s not Aadhaar card which is in fault; but it’s the ignorance and vulnerability of the customers due to less information and awareness, which leads to the frauds and scams.

The customers, most of whom are first time bank and Internet users, need more training, information and awareness about the digital payment structure, and methods.

Here are some more instances of Aadhaar card frauds: Vadodara scam, Pension fraud, Another case in Hyderabad, Punjab fraud.



http://trak.in/tags/business/2015/10/08/aadhaar-card-increasing-online-frauds-india-mobile-wallets-usage/