More flaws in Aadhaar: Anyone can access your bank details
Reports about the lack of privacy and safety in Aadhaar only keep getting worse. Now an SMS bug has come to light that allows anyone who knows your Aadhaar number to find out which bank you have an account with. Though it might seem harmless at first glance, this could let fraudsters socially engineer victims and lead to cases of spear phishing. Here's more.
Here's what the glitch is about
You can check online if your bank is linked to Aadhaar, but that process requires an OTP sent to your registered mobile number. However, another process works without any kind of verification: dial *99*99*1# on your phone, then enter any random person's Aadhaar number. The next page will show you the name of the bank whose account has been linked to that number.
Is everyone vulnerable under this flaw?
This process doesn't involve an OTP, so anyone can check anybody else's details without restriction. The Aadhaar holder isn't even notified that their information is being checked. However, NDTV notes it might not work with all banks: Allahabad Bank's name was shown but Yes Bank's wasn't when they tried it with their colleagues. Also, if multiple accounts are linked, only one will be shown.
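The gap described above, a lookup with no verification and no notice to the holder, modelled next to a hardened version as an added example (not code from any real Aadhaar or banking system). It assumes the service can see the caller's mobile number; the records, function names and rate limit are hypothetical.

```python
# Added illustration: a hypothetical model of a linked-bank lookup, not the real service.
import time
from collections import defaultdict, deque

# Constructed sample records: Aadhaar number -> (registered mobile, linked bank).
RECORDS = {
    "999900001111": ("+910000000001", "Example Bank A"),
    "999900002222": ("+910000000002", "Example Bank B"),
}

MAX_LOOKUPS = 3          # lookups allowed per caller per window (assumed policy)
WINDOW_SECONDS = 3600

_recent = defaultdict(deque)   # caller mobile -> timestamps of recent lookups
notifications = []             # (mobile, message) pairs "sent" to holders


def lookup_unverified(aadhaar):
    """Behaviour described in the article: any caller, no check, no notice."""
    record = RECORDS.get(aadhaar)
    return record[1] if record else None


def lookup_verified(caller_mobile, aadhaar, now=None):
    """Return the linked bank only to the holder's registered mobile."""
    now = time.time() if now is None else now
    window = _recent[caller_mobile]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_LOOKUPS:
        return "rate_limited", None        # slows bulk checking of many numbers
    window.append(now)

    record = RECORDS.get(aadhaar)
    if record is None:
        return "denied", None              # same answer as a mismatch
    registered_mobile, bank = record
    if caller_mobile != registered_mobile:
        notifications.append((registered_mobile, "A lookup of your linked bank was refused."))
        return "denied", None
    notifications.append((registered_mobile, "Your linked bank was looked up."))
    return "ok", bank
```

Unknown numbers and mismatched callers get the same "denied" answer, so the response does not reveal whether a number has a linked account.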
How exactly does it put me at risk?
This is a powerful tool in the hands of fraudsters who engage in spear phishing, in which they approach the target through email, SMS or a call, gain their trust by revealing personal details such as the target's Aadhaar number and bank name, and induce them to divulge confidential information. Apart from this, "there could be a myriad of ways vicious minds could use such sensitive information," reports HT.
UIDAI introduces new two-layer safety feature after criticism
A week ago, The Tribune reported how its reporter gained access to the entire Aadhaar database for just Rs. 500, through "misuse" of an authorized service. After facing major flak, the UIDAI has come up with a new two-layer security system to protect privacy: virtual ID and limited KYC. The SC will conduct the final hearing in the mandatory Aadhaar case on January 17.