Can Aadhaar card data be misused to open bank accounts?

Can your Aadhaar Card data be misused by fraudsters to open bank accounts? Don’t worry! Aadhaar Card holders often ask what will happen if some fraudster tries to open a bank account against their names without their knowledge by obtaining a copy of their Aadhaar. People have raised apprehensions about whether they would be harmed or not. The Unique Identification Authority of India (UIDAI), the nodal authority for issuing Aadhaar, claims that Aadhaar Card data is completely safe and secured.

UIDAI has clearly stated that one can not open a bank account merely by presenting or submitting a physical Aadhaar Card or its photocopy. As per Prevention of Money-laundering (Maintenance of Records) Rules, 2005, and Reserve Bank of Indian circulars, a bank will go through a certain process of security checking. The process involves banks to perform verification through either biometric data or OTP authentication. Apart from this, there are another due diligence that need to be done by the bank before the Aadhaar Card can be accepted for banking transactions or KYC, says UIDAI. So as per the rules, no fraudster can open a bank account against your name using your Aadhaar Card details without verification through biometric or OTP.

However, if someone manages to open an account in a bank using your Aadhaar Card details without biometric or OTP authentication and other verification, then the bank will be held responsible for the loss, says UIDAI.

If you are still not sure about the security of your Aadhaar Card, then UIDAI provides another option for the verifiable 12-digit identification number. The Masked Aadhaar card is a viable option if you want to secure your Aadhaar Card details. While downloading Aadhaar Card details, you can opt for a more safer option of Masked Aadhaar card. This Masked Aadhaar Card only shows the last 4 digits of the 12-digit Aadhaar number. So, instead of carrying a phyiscal copy of your Aadhaar Card or a photocopy, it is advisable to have a Masked Aadhaar card, which in case of being misplaced or stolen is less likely to be misused. However, the Masked Aadhaar card does display other key details such as photograph, smart QR Code and demographic info.

Aadhar Data of More Than 2 Crore Punjab Residents Found on Hard Disks



The ongoing investigation by The Special Investigation Team (SIT) on the Aadhaar data theft of around 7.82 crore people residing in Telangana and Andra Pradesh has led to the discovery of a hard disk containing the Aadhaar data of 2 crore Punjab residents, as per The Tribune reporting.

The hard disk containing data has been recovered from a Hyderabad based IT company, It Grids (India) Pvt Ltd and consequently it has been registered for unlawfully possessing the Aadhaar data of 7.8 crore residents and exploiting the same. The company is also known for building the official TDP app, "Seva Mitra".

With the further discovery of 2 crore Aadhaar data records, the breach which initially estimated around 7.8 crores, went up to 9.8 crores. The investigating agency is looking into the obvious question which arises— why would a Hyderabad based IT company want to store Aadhaar data of Punjab residents? Notably, the Unique Identification Authority of India (UIDAI) has already reasserted the secure condition of its data servers. Though UIDAI  stood strong for the security of its servers, Police seemed to have contrasting opinions and filed a case where the theft of Aadhaar data has been proven scientifically.

Defending their stand, “Mere possession and storage of Aadhaar numbers of people, though it maybe an offense under the Aadhaar Act under some circumstances, does not put the Aadhaar holders under any harm in any manner whatsoever. For accessing any Aadhaar-based service, biometrics or one-time password (OTP) is also needed,” the UIDAI said.


Hacker breaks into Telangana’s TSPost website, exposes flaw

Indian government sites are often criticized for their lack of cyber security and safety of people’s information. Pointing out a flaw in Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.

He reportedly contacted the site owners regarding the issue and after receiving no response for some time, published his results on social media.


The website (http://tspost.aponline.gov.in) was vulnerable to one of the most basic web hacking technique, an SQL injection. It has now gone offline in the wake of this news.

“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.

Using the SQL injection, Robert was able to access not just the Aadhaar and account details from the website but also the API keys of UIDAI’s Aadhaar database, the access of which can enable anyone capable enough to make a fake Aadhaar app that could be uploaded to Google Playstore for malicious use.

This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.

2 Gujarat Ration Shop Owners Held for Aadhaar Fraud

The Gujarat Police on Friday arrested two owners of government-funded ration shops, or “fair price shops”, in Surat for allegedly committing fraud using stolen biometric data to pilfer subsidised foodgrain.

They reportedly bought a software for ₹15,000 which contained a list of stolen Aadhaar numbers, ration card numbers, and thumb impressions.

The accused, Babubhai Boriwal (53) and Sampatlal Shah (61), were arrested on Friday and taken into police custody for five days.

"The state government had in April 2016 launched the Annapurna Yojana under the National Food Security Act-2013,” said Crime Branch Inspector BN Dave. “Fair price shops, renamed as Pandit Deendayal Grahak Bhandar, were computerised so that subsidised food items reached the actual beneficiaries."

He said that under the scheme, shop owners were, through an application called E-FPS, given access to biometric data bank of the beneficiaries to “create an electronic record of beneficiaries availing subsidised grains from their shops.”

According to Inspector Dave, to gain access to the data, the accused used a duplicate version of the software, the source of which is yet unknown.

Boriwal and Shah have reportedly been booked under various sections of the Indian Penal Code (IPC) including section 406, 409 (criminal breach of trust), 467, 468, 471 (forgery), as well as sections of the Information Technology Act and the Essential Commodities Act.

The police are investigating into the source of the duplicate software as well as the biometric data.

UIDAI Addresses Security And Privacy Concerns

The issue of protection of citizen data has once again picked up steam in the most recent week after The Tribune revealed that an unknown WhatsApp number was pitching access to the whole Aadhaar database for as low as Rs 500. So in an attempt to address security and privacy concerns around the leakage of Aadhaar numbers and information data, the Unique Identification Authority of India on Wednesday introduced two new measures - virtual ID and limited KYC.

The Aadhaar-card holder can utilize the idea or most likely the 'concept' of the virtual id through its website which can take into consideration different purposes, including SIM verifications, and save them the trouble of sharing the actual12-digit biometric ID.

The Virtual ID would be an arbitrary 16-digit number, complete with biometrics of the user and would give any authorised agency like a mobile company, restricted or limited details like name, address and photograph, which are more than sufficient for any confirmation and verification.
Then again the idea of 'limited KYC' will just give need based or finite details of a user to an authorised agency that is providing a specific administration or service.

From 1 June, 2018 it will be obligatory for all organizations and agencies that attempt verification to acknowledge the Virtual ID from their clients. Agencies that don't relocate to the new framework to offer this additional alternative to their clients by the stipulated due date will confront financial disincentives.

"Aadhaar number holder can use Virtual ID in lieu of Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the Virtual ID in a manner similar to using Aadhaar number," a UIDAI circular said.

Clients (users) can go to the UIDAI website to create their virtual ID which will be valid for a definite time frame, or till the user decides to transform it. Since the system generated Virtual ID will be mapped to a person's Aadhaar number itself at the back end, it will get rid of the requirement for the user to share Aadhaar number for validation and decrease the collection of Aadhaar numbers by various organizations.

According to the UIDAI, organizations that attempt validation would not be permitted to generate the Virtual ID on behalf of the Aadhaar holder.The UIDAI is also instructing all agencies utilizing its authentication and eKYC services to ensure Aadhaar holders can give the 16-digit Virtual ID rather than Aadhaar number within their application. 


Needless to say the move mainly focuses to reinforce the protection and security of Aadhaar data and comes in the midst of uplifted concerns around the collection and storage of personal and statistical (demographic) information of individuals.