Read on Twitter
Proactive Defence for Financial Frauds:
Security practitioners online groups have been agog today in discussing two news reports.
The first story featured in the Delhi edition of The Times Of India mentioning that Delhi Police had written to the Unique Identification Authority
Security practitioners online groups have been agog today in discussing two news reports.
The first story featured in the Delhi edition of The Times Of India mentioning that Delhi Police had written to the Unique Identification Authority
of India (UIDAI) highlighting vulnearabilities in the #Aadhaar system. To summarise, these were as follows.
1. Aadhaar system was not carrying out facial biometric matching, while generating new IDs. This resulted in 12 bank accounts being opened under the names of different
1. Aadhaar system was not carrying out facial biometric matching, while generating new IDs. This resulted in 12 bank accounts being opened under the names of different
persons, even when the photographs on all the Aadhaar cards were of the same person, though fingerprints were different.
2. Credentials of authorised enrollers were handed over by them in the form of silicone fingerprints and printouts of iris scans, as well as the laptops
2. Credentials of authorised enrollers were handed over by them in the form of silicone fingerprints and printouts of iris scans, as well as the laptops
configured to them.
3. The geofencing control of pre-set GPS locations was defeated by moving the configured laptop to that location before being moved out again.
4. The system did not carry out any 'liveness check' to distinguish between silicone film and live finger. The
3. The geofencing control of pre-set GPS locations was defeated by moving the configured laptop to that location before being moved out again.
4. The system did not carry out any 'liveness check' to distinguish between silicone film and live finger. The
colour printout of IRIS scans passed muster for the real patterns.
5. Aadhaar system treated 10 finger prints as one identity and not as 10 different identities.
Fraudsters used mix-and-match to generate unique identities. While full details are not available, it appears that
5. Aadhaar system treated 10 finger prints as one identity and not as 10 different identities.
Fraudsters used mix-and-match to generate unique identities. While full details are not available, it appears that
some of the assumptions made in design of the Aadhaar project, particularly relating to standardisation and deduplication of fingerprints, as well as face matching (which anyway is known
to have high error rates)may not be fully valid.
Further,controls against first-party fraud,
to have high error rates)may not be fully valid.
Further,controls against first-party fraud,
where the insiders to the system (in this case the authorised enrollers) cooperate with bad actors,needed further strengthening.
This is not surprising: security practitioners know that assurance against risks is a dynamic concept,and nothing can be taken for granted. Prevention
This is not surprising: security practitioners know that assurance against risks is a dynamic concept,and nothing can be taken for granted. Prevention
is the primary goal, but continuous monitoring and system testing are required to ensure that bad. actors don't successfully adapt to the existing processes.
The other story (link) was filed by Parth M N from Beed, my home district. It makes some important points.
1. Users in
The other story (link) was filed by Parth M N from Beed, my home district. It makes some important points.
1. Users in
Small towns are more gullible and prone to being fraud victims.They also get hurt more given their modest incomes.
2. The international call-centre fraudsters,targeting anglophone countries,have now turned inwards Online scams have become an industry.
3. Expensive inter-state
2. The international call-centre fraudsters,targeting anglophone countries,have now turned inwards Online scams have become an industry.
3. Expensive inter-state
investigations only result in arrest of the money mules. In one case, it was found that the accumulated crime proceeds reached a legitimate garment exporter from Surat, who believed that the funds credited were towards the goods exported to Pakistan. "The man in Pakistan would
essentially get his embroidered clothes for free." It is essential that the problem of #payment #fraud is taken seriously and the countermeasures stepped up covering prevention, detection and response.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
