What cheating in Rajasthan police recruitment exam exposes about Aadhaar security
It is remarkably easy to clone biometric data, the very premise of Aadhaar’s infallibility.
A constable recruitment exam in Rajasthan has been postponed after four cheating rackets were busted during its first phase, the police department said on March 17.
This year, the exam was being held online for the first time, ironically, in a bid to curb cheating. However, enterprising groups across the state saw opportunity, and used multiple ways, including gaining remote access to a candidate’s computer, to cheat.
However, the modus operandi of one of the groups has raised questions with implications far more wide-ranging. According to the police, one of the groups cloned thumbprints of the examinees and sent fake candidates to appear on their behalf. The cloned fingerprints were used to verify the applicant’s Aadhaar card, and the forgery went undetected.
The government and the Unique Identification Authority of India (UIDAI) have for long claimed, in the face of consistent questioning and several data leaks, that there are no security problems with Aadhaar, and that it is perfectly safe.
But the Rajasthan case suggests that what is touted as the biggest security feature of Aaadhaar – biometric data – can be breached with the help of a simple YouTube tutorial and some busy minds.
The modus operandi
According to Medianama, “The accused learned to clone fingerprints on YouTube. First, they applied fish oil on the applicant’s finger. They then pressed the finger on a piece of warmed and softened wax to obtain the reverse of the thumbprint. Then, they applied a film of Fevicol on the reverse fingerprint to obtain the clone once the Fevicol had dried and could be peeled off.
Before the cloned fingerprints were used by the proxy candidates to sit for the exams, “they were tested by verifying the applicant’s Aadhaar number. To do this, they affixed the cloned prints onto another person’s thumbs and used them to verify the applicant’s Aadhaar. Only when the thumbprint was proved accurate in authenticating the identity of the applicant with Aadhaar was it used at examinations”.
Not the first case
This is not the first time that the biggest barrier between all our vital information has been breached. It has been done earlier too by people with far trivial motives. In May 2017, a group of students in Mumbai had reportedly cloned fingerprints to register attendance in college for their friends.
The students “used small layers of a widely-used resin adhesive and pressed their thumbs against them, embossing them with their fingerprints. These films were then used to mark attendance for their absentee friends”.
The dangers
What the Rajasthan case shows is that with not too much effort, people can clone your fingerprints, and have all the information you have linked with your Aadhaar card at their disposal.
Thanks to the aggressive push by the government over the past months to link literally everything with Aadhaar, a potential gold mine of information - your bank account details, PAN cards, SIM cards, health details, insurance policies - have been left open to misuse.
Retina scans, the other biometric data used by UIDAI, are also not foolproof, as scanners have been known to be duped by high-quality photographs.
Also, the damage once done can take quite long to be undone, because unlike passwords, biometric details cannot be changed once a breach has been detected.
Aggressive defence not the answer
With this latest proof of Aaadhaar’s fallibility, the Supreme Court’s recent order extending the March 31 deadline for mandatory linking of Aadhaar assumes greater significance.
However, the fact remains that even as the government has pressed on with and expanded the requirement of Aaadhaar linking, its response to security issues has been oddly defensive. While on one hand, it has insisted – as recently as the last month, in Parliament – that Aaadhaar is absolutely safe, it has taken adversarial positions against those exposing its flaws.
Forcing its citizens to link every aspect of their lives to a leaky, breach-prone system defies logic. Maybe, instead of thinking up new services to link with Aadhaar, the Centre can work on making it more secure.