Flaw in USSD service leaves your Aadhaar vulnerable to hacking

Since UIDAI's Aaadhar was made mandatory to be linked with bank accounts, the governing body had announced an online service where users could enter their Aadhaar ID and check if any bank accounts were linked with their Aadhaar. The process required the user to enter an OTP sent to the registered mobile number as a safety precaution but there is another way to check Bank Account Linking and sadly, no OTP is required to do that. This means that anyone with your Aadhaar ID can simply use the service to gather which Bank Account is linked to your Aadhaar.

How does this service work?

UIDAI in December, Tweeted its followers with a number which the users could use to check their Bank-Aadhaar linkage via SMS. 

The procedure to do the same is as follows:

1. The user dials *99*99*1# for a minimal charge of 50 paisa

2. Follows a popup which asks the user to enter his/her Aadhaar ID

3. Another popup then confirms if the ID is correct

4. The bank accounts are then listed in return

The security loophole?

There are 3 major problems with this service:

1. Firstly, anyone can dial this number and request any Aadhaar ID's details: This means that a malicious user can dial it from his phone, enter your Aadhaar ID and get your bank accounts

2. Secondly, no OTP is required: This is even more deadly as it makes it extremely easy for anyone with your Aadhaar ID to simply get your details without any authentication

3. Finally, you won't even be notified: This is the final one in the coffin. A user isn't even notified if his/her details were requested using this service. This means anyone, anywhere can do this any number of times without you ever coming to know.

Comments from Ankush Johar, Director at Infosec Ventures - an organization that provides complete infrastructure security solutions for commercial and government clients of all sizes

Though getting a mere "Bank Account Name" might not sound like a massive breach of privacy or a security risk but imagine where hackers already have your Aadhaar ID (which allegedly, isn't so difficult as reported by the Tribune) and now extract your bank name too along with all your other private information including mobile number, address, etc. In such a scenario, it would be extremely easy to socially engineer victims over call or email as the attacker will have targeted information about his victim. This is called "Spear Phishing" and can be extremely dangerous and as these services are almost free of charge, malicious hackers can carry this out with mass phishing campaigns.

The UIDAI and the government must take extreme precautions before releasing such service to the public and proper security auditing must be done for any service before releasing, especially the ones that deal with Personally Identifiable Information(PII). A bug bounty program might be just enough to pick out all severe vulnerabilities efficiently and effectively as it has already worked amazingly well for tech giants like Microsoft, Facebook, Google etc. and government bodies, such as The US DoD, Army, Airforce and the Pentagon which surely aren't short of resources but have accepted the power of crowd-sourcing and bug bounty programs.

Users, on the other hand, are suggested to be extremely cautious with phishing scams and bank frauds. Following are the given tips which will help in being safe from such attacks:

• Never share your OTP/PIN/Card Details/CVV/Passwords over a call or email. Your bank will never ask you such details directly.
• Think before you click on a link sent to you. Hover your mouse over it to see where it really is going to. Do not click if you don't trust the website.
• Always verify the sender cautiously before believing an email. Hackers generally replace/add few characters in the email to make it look real.
• Use 2-factor authentication wherever possible.
• Use strong alphanumeric passwords at least 8 characters long with symbols and avoid reusing the same password for multiple sites.