Banks OK with fake ID, mobile carriers not

2017/10/16: The crescendo of SMS, emails and even automated voice calls saying "link now to prevent mobile service disconnection or freezing of bank accounts" continues apace. People have started to wonder if there are sinister reasons for this desperation.

2017/10/03: Every Indian with a bank account or mobile phone is getting three email and text message reminders every day from their banks and mobile operators to link ("seed", in the fertile Indian version of English) their new national ID number (called "Aadhaar") to their bank and mobile accounts. Failing which, their bank accounts will get locked up when 2017 ends, and their phones will turn into pumpkins by Feb 2018.

The interesting twist is, the banks only want to know the customer's ID number, to add to their record. Whereas, the mobile companies insist on capturing the customer's fingerprints, which they then send to Aadhaar's servers, to validate the customer's ID number. So the banks are OK if some people give them fake Aadhaar IDs, whereas the mobile companies need to know, then and there, that the IDs are legit.

Of course no one knows the reason why a bank should be so cavalier about an account that may store tens of thousands of times more cash than the typical balance in a mobile account. So one can only speculate. The linking of bank accounts to Aadhaar is to try to prevent financial malfeasance (in the worst case the account holder loses money, no big deal; or the government loses taxes, which is much worse, but not a calamity), whereas the linking of mobile accounts to Aadhaar has anti-terrorism overtones.

A substantial concern is that (unlike a bank worker with a permanent job, even extending to the next of kin in the event of untimely death) the random temporary or contract employee of a mobile company who is toting around a fingerprint machine can be bought off for a few thousand rupees. Aadhaar fingerprint readers are not special. They send the fingerprint in the clear over a USB cable to the computer which then encrypts it over HTTPS to Aadhaar's servers. It is trivial to tap the USB driver, and indeed Aadhaar software has been compromised.

If you don't trust Airtel with your fingerprint, but would like to prove to them that the Aadhaar number you submitted is legit, cryptologists have a host of protocols to help you. But only if you are semi-literate and not already pwn'd by the government. As matters stand, fingerprint "verification" by mobile companies may lead to further data breaches. If Equifax cannot protect their data, neither can Aadhaar. Breaches are guaranteed.
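The two preceding paragraphs describe a capture pipeline where the fingerprint crosses the operator's laptop in the clear and is only protected from the laptop onward, and then note that the carrier really only needs a yes/no answer about the ID number. The following is an added illustration, written for this post and not code from the blog author, from Aadhaar or from any carrier, of a design that closes both gaps: the sensor itself encrypts and authenticates the template under a per-device key (the key, the device id, the enrolled template and the ID number are all constructed for the example), the laptop relays an opaque envelope it cannot read or alter, and the authority returns a signed verdict that the carrier can check without ever holding biometric data. It uses only the Python standard library; the HMAC-based stream cipher and HMAC "signature" are stand-ins for a real AEAD and a public-key signature.

```python
"""Sensor-side encryption for a biometric verification flow (added example)."""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-derived blocks. Stand-in for AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _mac(key: bytes, body: dict) -> str:
    """Authenticate a dict with a canonical JSON encoding (hypothetical format)."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class SensorDevice:
    """Capture device holding a per-device key provisioned at manufacture (assumed)."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self.device_key = device_key

    def capture(self, template: bytes, id_number: str) -> dict:
        # Encrypt and tag inside the device: the host laptop never sees plaintext.
        nonce = secrets.token_bytes(16)
        ciphertext = _keystream_xor(self.device_key, nonce, template)
        header = {"device_id": self.device_id, "id_number": id_number,
                  "nonce": nonce.hex(), "ct": ciphertext.hex()}
        return {**header, "tag": _mac(self.device_key, header)}


class Authority:
    """The ID authority: knows device keys and enrolled template digests (constructed)."""

    def __init__(self, device_keys: dict, enrolled: dict, signing_key: bytes):
        self.device_keys = device_keys      # device_id -> device key
        self.enrolled = enrolled            # id_number -> sha256 of enrolled template
        self.signing_key = signing_key      # real systems: a private signing key
        self.seen_nonces = set()            # replay protection

    def verify(self, envelope: dict) -> dict:
        env = dict(envelope)
        tag = env.pop("tag", None)
        key = self.device_keys.get(env.get("device_id"))
        if key is None:
            return self._result(env, False, "unknown device")
        if tag is None or not hmac.compare_digest(tag, _mac(key, env)):
            return self._result(env, False, "bad tag")       # tampered on the host
        if env["nonce"] in self.seen_nonces:
            return self._result(env, False, "replay")
        self.seen_nonces.add(env["nonce"])
        template = _keystream_xor(key, bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"]))
        digest = hashlib.sha256(template).hexdigest()
        matched = hmac.compare_digest(self.enrolled.get(env["id_number"], ""), digest)
        return self._result(env, matched, "ok" if matched else "no match")

    def _result(self, env: dict, ok: bool, reason: str) -> dict:
        # The carrier receives only this verdict, never the template.
        body = {"id_number": env.get("id_number"), "verified": ok,
                "reason": reason, "txn": secrets.token_hex(8)}
        return {**body, "sig": _mac(self.signing_key, body)}


def carrier_accepts(result: dict, authority_key: bytes) -> bool:
    """Carrier-side check of the authority's verdict (public-key verify in practice)."""
    body = {k: v for k, v in result.items() if k != "sig"}
    return hmac.compare_digest(result["sig"], _mac(authority_key, body)) and result["verified"] is True


def run_demo() -> dict:
    """Walk one honest capture, one replay and one host-side tamper attempt."""
    device_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
    template = b"constructed-minutiae-template-0001"          # constructed, not a real print
    id_number = "0000-1111-2222"                                # constructed placeholder ID
    authority = Authority({"dev-01": device_key},
                          {id_number: hashlib.sha256(template).hexdigest()}, auth_key)
    env = SensorDevice("dev-01", device_key).capture(template, id_number)
    host_sees_plaintext = template.hex() in json.dumps(env)     # what the laptop can read
    good = authority.verify(env)
    replay = authority.verify(env)                              # same envelope sent twice
    ct = bytes.fromhex(env["ct"])
    tampered = {**env, "ct": (bytes([ct[0] ^ 0xFF]) + ct[1:]).hex()}   # flipped on the host
    bad = authority.verify(tampered)
    return {"host_sees_plaintext": host_sees_plaintext, "good": good, "replay": replay,
            "tampered": bad, "carrier_accepts_good": carrier_accepts(good, auth_key),
            "carrier_accepts_replay": carrier_accepts(replay, auth_key)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design choice worth noting is where trust ends: with encryption and the integrity tag applied inside the sensor, a compromised USB driver or laptop can drop or replay an envelope but cannot read or substitute the template, and the replay is caught by the nonce record. The carrier's interest, a legitimate ID number tied to this capture, is satisfied by the signed verdict alone.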
