Akram Mohammed By

Express News Service

BENGALURU:A day after Telecom Regulatory Authority of India Chairman R S Sharma shared his Aadhaar number online, web security experts are saying that it is not that difficult for hackers to extract one’s personal details from the number.

Sharma on Saturday had shared his Aadhaar number on Twitter and issued a challenge. Hours later, hackers published on public domain what they say are his personal details such as PAN number. Unique Identification Authority of India (UIDAI), however, vehemently denied that its data was compromised.

The incident could point to the risk of linking Aadhaar number with several services, as orders were placed online on his behalf and even a fake Aadhaar card with his name and number was circulated. Parallels are also being drawn to the CEO of LifeLock — an information security firm — whose identity was stolen 13 times after he made his social security number public.

Even before Sharma disclosed his number and issued a dare, web security experts had highlighted how phone numbers linked to Aadhaar could be extracted due to flaws in the implementation of text-based authentication mechanisms.

In May, Karan Saini, a web security expert had highlighted flaws in websites which make use of text-based Aadhaar authentication. These websites, including central government’s digital locker and National Food Security Mission, allow users to input both the Aadhaar number as well as verified phone numbers linked to it.

Writing on his website about such flaws, Saini says that such websites allow “computer-aided guessing and enumeration attacks”, which was the technique used to dig out Sharma’s mobile number. He notes that the last four digits of a phone number are revealed by some websites if the Aadhaar number is provided. Using the last four numbers and taking the first digit of the phone number as nine (most widely used or eight or seven), programmes such as intercepting proxies are used. “The script or toll would query any of the vulnerable websites repeatedly to extract the full phone number pertaining to any given Aadhaar,” Saini noted.

He estimated that it would take 51 minutes to find the phone number using the said method. Recommending a masking scheme to prevent such enumeration attacks, he noted that a lot can be learnt using a person’s phone number, such as full name, friends in social media sites and others.

People want action against TRAI chairman

After Sharma disclosed his Aadhaar number online, privacy rights campaigners have questioned whether the government will initiate action against him for disclosing the same. As per Aadhaar Act, one can be sentenced up to three years imprisonment for sharing an Aadhaar number. Among many who highlighted the same on Twitter was Nikhil Pahwa (@nixxin) who tweeted: “It is illegal for even R S Sharma to publish his Aadhaar number, under the Aadhaar act. UIDAI will not file a case (against) him, because of his privilege: rule of law applies differently to different people in India.”

another case of id thefts

There was also some buzz on Twitter regarding similarities between Sharma’s case and the identity theft of Todd Davis, CEO of data security firm LifeLock. The case found traction after French security expert Elliot Anderson shared an article. Davis, who had shared his social security number in an advertisement to market the credentials of his company, was subject to cases of 13 identity thefts, where people had used his social security number to avail loans and mobile phone services among others.