ELI5 How can somebody misuse my Aadhaar number?

Fintech guy checking in. For most financial and relatively secure transactions, we need two factors of authentication. Aadhaar's authentication system allows this by:

  1. What user is: Biometrics

  2. What user has: OTP to registered number

  3. What user knows: Pin/password

There are many reasons why this is done, but suffice it to say that it's a security requirement. Problem is, in most systems today (including the proposed UPI 2.0), the Aadhaar number is being taken as a 'secret' as though it were a password, assuming that the detail won't be shared. So if your Aadhaar is leaked and tagged to your name... it is possible that one factor of auth has been compromised.

Moving ahead, to change your Aadhaar details, and to do many authentication/e-KYC, you just need the Aadhaar number and a mobile OTP. Now say that your Aadhaar number is known to me, I can attempt to find your phone number, use social engineering to get a cloned SIM (pretty easy, use Photoshop on Aadhaar card, submit to your telco operator), then use it to do what I want. This is especially a problem in cases where less tech-savvy and uneducated people are given Aadhaar cards, as they may not realise threats. Having used your details to do auth/KYC, I can now use it for illegal purposes.

Moving on... A recent attack on UPI consisted of a system where people would send unsolicited payment requests, and unwitting users would accept, resulting in a fund transfer. Under UPI, Aadhaar can be used as a virtual ID, so I can spam a large number of people with payment requests and be paid by those who are unaware.

Moving on... Imagine a non-tech/finance-savvy man getting a call from someone stating that he is a tax officer. He asks him to confirm his name and Aadhaar number. Then he tells him he is under investigation for depositing too much money during demonetisation and asks him to send x sum of money to y account.

TLDR: Aadhaar is being used along with OTP or biometric for auth, and it is being used as a user ID in UPI. This paves the way for a social engineering attack where I can deceive you and profit.

Note: There are far more insidious attacks that are possible, including biometric cloning, but since you asked what I can do with ONLY Aadhaar... social engineering is the easiest answer.

/r/india Thread
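
Added example, not part of the original comment: a factor-counting check for the point made above about the Aadhaar number being treated as a 'secret'. It counts only verified credentials from distinct factor categories and treats the Aadhaar number as an identifier, so number plus OTP is one factor. The credential kind names and the `evaluate` function are hypothetical, and the sample attempts are constructed.

```python
from dataclasses import dataclass

# Factor categories named in the comment above.
INHERENCE = "what user is"      # biometrics
POSSESSION = "what user has"    # OTP to registered number
KNOWLEDGE = "what user knows"   # PIN/password

# Credential kind -> category. Kind names are hypothetical. An identifier maps
# to None: it names the account but proves nothing about who is presenting it.
CATEGORY = {
    "biometric": INHERENCE,
    "otp_registered_mobile": POSSESSION,
    "pin": KNOWLEDGE,
    "password": KNOWLEDGE,
    "aadhaar_number": None,
    "upi_virtual_id": None,
}

@dataclass(frozen=True)
class Credential:
    kind: str
    verified: bool  # True only if the backend actually validated it

def evaluate(presented, required=2):
    """Return (ok, categories, notes) for one authentication attempt."""
    categories, notes = set(), []
    for cred in presented:
        if cred.kind not in CATEGORY:
            notes.append(f"{cred.kind}: unknown kind, ignored")
            continue
        category = CATEGORY[cred.kind]
        if category is None:
            notes.append(f"{cred.kind}: identifier, not counted as a factor")
        elif not cred.verified:
            notes.append(f"{cred.kind}: not verified, not counted")
        else:
            categories.add(category)  # a set, so PIN + password count once
    return len(categories) >= required, categories, notes

# Constructed sample attempts.
ATTEMPTS = {
    "number + OTP": [Credential("aadhaar_number", True),
                     Credential("otp_registered_mobile", True)],
    "OTP + PIN": [Credential("otp_registered_mobile", True), Credential("pin", True)],
    "PIN + password": [Credential("pin", True), Credential("password", True)],
}

if __name__ == "__main__":
    for name, creds in ATTEMPTS.items():
        ok, cats, notes = evaluate(creds)
        print(f"{name}: {'accept' if ok else 'reject'} {sorted(cats)} {notes}")
```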