Ethical Hackers Dig Out TRAI Chief’s Personal Data, Deposit Re 1 In Bank Account Too
Twitter has been raging over the past two days, all thanks to a 12-digit Aadhaar number that was made public by Telecom Regulatory Authority of India (TRAI) Chairman and former CEO of UIDAI, R S Sharma. After posting his Aadhaar number, he challenged people on Twitter to try to harm him by misusing the number.
What followed his tweet was a series of back-and-forths between the TRAI Chairman and ethical hackers who claimed to have revealed his personal data. However, UIDAI released a statement on July 29 stating that no data has been fetched using UIDAI’s database. Here’s a look at what has happened till now:
R S Sharma’s challenge on Twitter
In a bid to quash a Twitter user’s challenge that Aadhaar data is insecure, R S Sharma, the former UIDAI Chairman, published his Aadhaar number on July 28. In the tweet, which probably flouts UIDAI norms as well, Sharma asked the Twitter user to give one concrete example of the harm that could be done to him.
Sharma’s tweet received thousands of likes and shares, while some tech-savvy Twitter users and ethical hackers started digging up Sharma’s personal information and posting it on Twitter. According to News 18, by the evening of July 29, ethical hackers had managed to dig out 14 personal details, which included his mobile number, PAN number, residential address, date of birth and even his current WhatsApp display picture. The hackers also claimed to have details of six bank accounts.
Ethical hackers make his personal data public
A French security researcher who goes by the name Elliot Alderson (@fs0c131y) has taken a keen interest in the case and has since been tweeting Mr Sharma’s data. He calls himself the ‘worst nightmare of UIDAI’ and has previously taken to Twitter to talk about serious glitches in the Aadhaar website and app.
If your phone numbers, address, dob, bank accounts and others personal details are easily found on the Internet you have no #privacy. End of the story.
— Elliot Alderson (@fs0c131y) July 28, 2018
PAN number pic.twitter.com/yKwtT7QuCh
— Elliot Alderson (@fs0c131y) July 28, 2018
To prove the inefficiency of the Aadhaar number in maintaining privacy, some hackers even sent Re. 1 to Sharma’s bank account using the Aadhaar Enabled Payment System (AEPS). Ethical hackers also posted his Demat account details and showed his payment history.
To show how Aadhaar can be misused, one Twitter user photoshopped Sharma’s Aadhaar details on another Aadhaar number and then used it as authentication for Amazon Web Services and Facebook. If all the data made public so far is authentic and genuine, it only goes to show how information can be dug out using the 12-digit number.
Like Sharma, many made their Aadhaar number public on Twitter and dared hackers to harm them.
Aadhaar data still secure
However, through multiple talk-backs, R S Sharma on Twitter told ethical hackers that he had talked about ‘harm’, and nothing of that sort has been done so far. Refuting claims of ethical hackers that Sharma’s personal data has been hacked, UIDAI in a statement has said, “Aadhaar database is totally safe and has proven its security robustness over the last eight years.” It further added that the data that has been made public has not been hacked from the UIDAI database.
It is reiterated that in this case of Sh. Sharma, no data has been fetched using his Aadhaar number from UIDAI’s servers or Aadhaar database. One could have just googled his name (without Aadhaar number), visited a few other websites and got most of the details. 13/n
— Aadhaar (@UIDAI) July 29, 2018
According to senior government officials quoted by Economic Times, “They got his date of birth from Civil List of IAS Officers which is kept in public domain, his address from TRAI Website because he is TRAI Chairman right now, his email id from IIT Delhi alumni portal which is also in public domain. Using his mobile number they got his Whatsapp and downloaded his profile photo. They clubbed all these inputs and claimed that they have managed to breach the Aadhaar database and get his personal details.” They further stated that personal information could be hacked in the digital world even without the Aadhaar number.
Interestingly, the Twitter challenge comes at a time when the Supreme Court of India is deliberating on various aspects of Aadhaar, primarily concerns over a possible breach of security as well as its legality. On July 27, just a day before the Twitter challenge, an expert panel headed by Justice BN Srikrishna proposed amendments to the Aadhaar Act to bolster data protection of Aadhaar users.
The Logical Indian take
The issue of Aadhaar data being leaked gained notoriety when The Tribune in their investigative reportage allegedly found out that anyone can gain access to billions of Aadhaar details just by paying Rs 500 to an anonymous seller over WhatsApp.
Keeping the specific case of R S Sharma aside, the multiple breaches only show that Aadhaar-related frauds are not isolated incidents, and the UIDAI should be more careful in making public data as secure as possible to protect it from possible misuse.
One more thing to keep in mind is that Sharma’s move was probably wrong, since some people after him have made their Aadhaar data public, which is not only an example of flouting UIDAI norms but dangerous as well.