Aadhaar-based POS transactions raise privacy concerns

Chennai: The proliferation of Aadhaar-based payments has led to a lot of questions being raised on privacy. Will your local mobile recharge vendor or a petty shop owner have access to all your data? What if your biometrics get hacked?

Such questions are among those that the UIDAI has to answer as it steams ahead with facilitating Aadhaar-based transactions on India’s 25 lakh plus PoS terminals.

Data Security Council of India CEO Rama Vedashree flagged some concerns when she told TOI, “When Aadhaar-enabled payment systems proliferate, a host of data is deployed at merchants, of which some can be phone-based, some through PoS devices. When an entire ecosystem is so closely connected, security by design becomes default.”

Cyber-security experts have for long held that PoS machines are usually the easiest target for hacks. “For every one ATM hack, we see 20 PoS machine frauds. Many of the complaints we receive are from customers, who had their data compromised, by using their debit cards at petrol bunks, shopping malls and cinema theatres,” said P Ravi Sekharan, assistant commissioner, cyber crime cell, Chennai City Police.

Another issue is that an Aadhaar hack has far more grave implications than a debit card hack. “When debit card data is hacked, there is a considerable financial loss – but it stops there. Your entire life is not in someone else’s hands. But with Aadhaar now being linked to PAN, GST registration, civil supplies’ amenities, ration card, an Aadhaar data theft could have a drastic impact and completely paralyse someone’s life,” said a cyber crime official, who did not want to be identified. With decoders, skimmers and machine readers, stealing customer data has become all too easy. When Aadhaar was conceptualised, it was meant to facilitate direct benefit transfers. However, it has metamorphosed into an enabler for digital payments, and this has cyber security experts concerned.

“If your Facebook or bank account is hacked, you can reset your password. But when your fingerprints are stolen, there is no reset. They are permanent identification markers, and once snagged, it is out of your control. When your gym, mobile phone company, and doctor all have your biometric details, remediation of the hack will prove difficult, if not impossible,” said Nitin Bhatnagar, cyber security consultant.

With NPCI and UIDAI pushing hard for en masse adoption of digital payments, many companies, including IT majors like TCS, have jumped on the bandwagon; TCS recently launched MerchantPay, an Aadhaar-based payment solution. And the pro-Aadhaar adoption crowd is vehement that all security concerns have been addressed. “We looked at this solution during demonetisation. Existing payment solutions need one to have a debit card or an Android phone. MerchantPay is built as a multi-channel solution so it can support Aadhaar-based payments or the standard gateways,” said Ravi Viswanathan, president – south markets, TCS, which has four banks onboard and is piloting the solution with 13 others.

From a security perspective, Viswanathan says these concerns are in the realm of any technology. “The system offers multiple levels of authentication to ensure security. We are offering built-in control for banks and their customers which will have checks in place,” he said.