Since UIDAI's Aadhaar was made mandatory to link with bank accounts, the governing body has offered an online service where users can enter their Aadhaar ID and check which bank accounts are linked to it.
That process requires the user to enter an OTP sent to the registered mobile number as a safety precaution, but there is another way to check bank account linking and, sadly, no OTP is required for it. This means that anyone who knows your Aadhaar ID can simply use the service to find out which bank accounts are linked to your Aadhaar.
How does this service work?
UIDAI, in December 2017, tweeted a number to its followers through which users can check their Bank-Aadhaar linkage via USSD/SMS.
1. The user dials *99*99*1# for a minimal charge of 50 paisa
2. A prompt asks the user to enter his/her Aadhaar ID
3. Another prompt then asks the user to confirm that the ID is correct
4. The linked bank accounts are then listed in return.
The Problem?
There are three major problems with this service:
* Firstly, anyone can dial this number and request any Aadhaar ID's details: a malicious user can dial it from his own phone, enter your Aadhaar ID and get your bank accounts.
* Secondly, no OTP is required: this is even worse, as it makes it extremely easy for anyone with your Aadhaar ID to get your details without any authentication whatsoever.
* Finally, you won't even be notified: this is the final nail in the coffin. A user isn't notified when his/her details are requested through this service, so anyone, anywhere can do this any number of times without you ever coming to know.
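To make the three problems concrete, here is an added example (written for this piece, not code from UIDAI or from the article) that models a linkage lookup service twice: once in the weak shape described above, where the ID alone returns the linked banks, and once with one control per problem: an OTP that is sent only to the mobile registered against the ID, a per-caller rate limit, and a notification plus audit entry for every query. All IDs, mobile numbers and bank names are constructed placeholders.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample data: fake 12-digit IDs -> linked banks
LINKED_BANKS = {
    "123412341234": ["Example Bank A"],
    "567856785678": ["Example Bank B", "Example Bank C"],
}
# Constructed: mobile number registered against each ID (never shown to callers)
REGISTERED_MOBILE = {
    "123412341234": "+91-90000-00001",
    "567856785678": "+91-90000-00002",
}


def weak_lookup(aadhaar_id):
    """The flow the article describes: whoever knows the ID gets the banks.
    No authentication, no rate limit, and the owner is never told."""
    return LINKED_BANKS.get(aadhaar_id, [])


def random_otp():
    """Six-digit OTP from a CSPRNG (assumption: 6 digits, single use)."""
    return f"{secrets.randbelow(10**6):06d}"


class HardenedLookupService:
    """Same lookup with one control per problem listed in the article."""

    def __init__(self, max_queries, window_seconds, clock=time.monotonic):
        self.max_queries = max_queries      # queries allowed per caller...
        self.window = window_seconds        # ...within this many seconds
        self.clock = clock                  # injectable for deterministic tests
        self._calls = defaultdict(deque)    # caller -> recent timestamps
        self._pending_otp = {}              # aadhaar_id -> (mobile, otp)
        self.notifications = []             # (mobile, message) sent to the owner
        self.audit_log = []                 # (caller, aadhaar_id, outcome)

    def _rate_limited(self, caller):
        """Sliding-window limit per caller; blocks bulk enumeration."""
        now = self.clock()
        recent = self._calls[caller]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return True
        recent.append(now)
        return False

    def request_otp(self, caller, aadhaar_id, otp_generator=random_otp):
        """Step 1: an OTP goes only to the mobile registered for the ID.
        The response is identical whether or not the ID exists, so this
        step cannot be used to test which IDs are valid."""
        if self._rate_limited(caller):
            self.audit_log.append((caller, aadhaar_id, "rate_limited"))
            return None
        mobile = REGISTERED_MOBILE.get(aadhaar_id)
        if mobile is not None:
            otp = otp_generator()
            self._pending_otp[aadhaar_id] = (mobile, otp)
            self.notifications.append((mobile, f"OTP {otp} for linkage lookup"))
        return None

    def lookup(self, caller, aadhaar_id, otp):
        """Step 2: the caller must present the OTP that reached the owner.
        The OTP is consumed on first use, and the owner is notified."""
        if self._rate_limited(caller):
            self.audit_log.append((caller, aadhaar_id, "rate_limited"))
            return None
        pending = self._pending_otp.pop(aadhaar_id, None)
        if pending is None or not secrets.compare_digest(pending[1], otp):
            self.audit_log.append((caller, aadhaar_id, "bad_otp"))
            return None
        mobile = pending[0]
        self.notifications.append((mobile, "Your bank linkage was queried"))
        self.audit_log.append((caller, aadhaar_id, "ok"))
        return LINKED_BANKS.get(aadhaar_id, [])
```

The OTP binds the query to possession of the registered phone, the sliding window caps how many IDs one caller can try in a period, and the audit log plus owner notification give both the operator and the account holder a record that a query happened; each of these is absent from the flow the article describes.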
Ankush Johar, director at Infosec Ventures, said: "Though getting a mere 'Bank Account Name' might not sound like a massive breach of privacy or a security risk, imagine where hackers already have your Aadhaar ID (which allegedly isn't so difficult, as reported by the Tribune) and now extract your bank name too, along with all your other private information including mobile number, address, etc.
"In such a scenario, it would be extremely easy to socially engineer victims over call or email, as the attacker will have targeted information about his victim. This is called Spear Phishing and can be extremely dangerous.
"Moreover, this attack can also be carried out en masse. This means that after getting the Aadhaar details of numerous users, attackers can then enumerate the bank accounts of all users via an automated tool and, as the service costs half a rupee, it would be quite feasible to extract the details of thousands of users for a phishing campaign.
"The UIDAI and the Government must take extreme precautions before releasing such a service to the public, and proper security auditing must be done for any service before release, especially the ones that deal with Personally Identifiable Information (PII).
"A bug bounty program might be just enough to pick out all severe vulnerabilities efficiently and effectively, as it has already worked amazingly well for tech giants like Microsoft, Facebook, Google etc., and Government bodies such as the US DoD, Army, Air Force and the Pentagon, which surely aren't short of resources but have accepted the power of crowdsourcing and bug bounty programs. Users, on the other hand, are advised to be extremely cautious about phishing scams and bank frauds."
Following these tips will help you stay safe from such attacks:
* Never share your OTP/PIN/card details/CVV/passwords over a call or email. Your bank will never ask you for such details directly.
* Think before you click on a link sent to you. Hover your mouse over it to see where it really leads. Do not click if you don't trust the website.
* Always verify the sender carefully before trusting an email. Attackers generally replace or add a few characters in the address to make it look real.
* Use 2-factor authentication wherever possible.
* Use strong alphanumeric passwords at least 8 characters long with symbols, and avoid re-using the same password on multiple sites.
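The sender-verification tip above can be automated on the receiving side. This added example (not from the article) checks a sender address against a list of trusted domains and flags addresses that are within a couple of character edits of a trusted domain, or that embed a trusted brand name inside some other domain. The trusted domains and the sample addresses are constructed; a real deployment would load its own list.

```python
from email.utils import parseaddr

# Constructed list of domains the recipient genuinely deals with
TRUSTED_DOMAINS = {"examplebank.example", "uidai.example"}


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn a into b (the 'replace/add a few characters' trick)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from a raw header value such as
    'Example Bank <alerts@examp1ebank.example>'; ignores the display name,
    which the attacker controls completely."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid"
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        # Close typo-squat: examp1ebank vs examplebank
        if edit_distance(domain, t) <= max_edits:
            return f"lookalike of {t}"
    for t in sorted(trusted):
        # Brand name embedded in an unrelated domain: examplebank-secure.example
        brand = t.split(".", 1)[0]
        if brand in domain:
            return f"lookalike of {t}"
    return "unknown"
```

Anything classified as a lookalike deserves the same handling as an unknown sender at best; the display name is deliberately ignored because it carries no trust at all.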