by Zak 2997 days ago
> Possibly a security measure?

What I read in the article sounded like the ID was required to submit an entry to the contest, not to be present in the area. I would need more information to comment on alternate reasons.

> You can't authenticate without Aadhaar OTP. And don't expect the government to send OTP to an unverified mobile number.

Authenticate what? Last time I needed a prepaid SIM card (in the US), I bought it on eBay and provided no information other than a mailing address (not mine).


By authenticate I mean Aadhaar transaction authentication. Say you are filing your tax returns. There are currently three ways to authenticate that the tax return was indeed filed by you:

1. You take a printout of the acknowledgement, sign it and send it to a centralised tax processing unit.

2. You purchase a digital signature and sign it using the same (requires you to be slightly tech savvy). Not to mention the cost of acquiring the digital signature and the fact that you need to keep renewing it every few years.

3. Just authenticate using your Aadhaar number. An OTP will be sent to your mobile number and you just need to enter the same on screen. Once verified, you have digitally signed and submitted your tax return.

I find option 3 really appealing. This is just one practical example of where one can use Aadhaar and OTP for authentication.

I've filed my tax returns with just my PAN card and without using a DSC. This might be different for a registered organization where CAs must handle DSCs I think, but you could file your Individual taxes without printing/using a DSC/Aadhaar by just creating a new account linked to your PAN.

The fact that they used OTP (and tout it as a security feature) is so disheartening.

I am not the SIM card in my phone. Switching legal consent to a mere 6-digit OTP is a terrible idea. Even more so because SMS is unencrypted and a terrible way of sending secrets. There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I'm just tempted to take a large-strength antenna and build an Aadhaar-OTP wardriving tool.

> The fact that they used OTP (and tout it as a security feature) is so disheartening

I do not anywhere mention it as a security feature. I actually mention that I find it appealing as I don't want to go through the hassle of obtaining a DSC just to verify my returns. E-verifying through Aadhaar is simpler. To expect someone to hack it is quite remote as it would require knowledge of multiple things: my Aadhaar number, access to my network, knowing the date and time of when I decide to file my returns, having to utilise the OTP before I use it or it expires. It's possible for a really concerted attacker but then I start to question his sanity. It's much easier to just break into my home and get me to sign at gunpoint. ;)

I should have been more clear. I'm talking about after filing of returns. You have to verify it. It's either sending the signed acknowledgement to CPC or e-verifying it digitally. Have you sent the signed acknowledgement to CPC? It's mandatory to send the acknowledgement to CPC if you haven't digitally signed it using DSC or Aadhaar. Please check with your CA as the rules are the same for personal and corporate income tax.

EDIT: Procedure to verify your submitted tax return: https://www.hrblock.in/guides/itrv-download-guide/

Ahh, thanks for the clarification. My bank supported e-Verify (EVC on the link you gave) via netbanking so it worked out.

Apparently, there are other EVC methods as well (ATM/mutual fund).

> There is no recourse in the law for someone stealing your phone and signing away your entire property once e-Sign comes in force everywhere.

I agree with you on this. Currently however, this is how it is with everything online. Take any 2FA service. It's either SMS based or through Google Authenticator/YubiKey etc. To expect non-tech-savvy people to use a YubiKey or Google Authenticator is going to be a hard sell.

> I'm just tempted to take a large-strength antenna and build an Aadhaar-OTP wardriving tool.

Hahaha! Provided you know the Aadhaar number for the associated OTP as well ;)

I agree that the alternative is not great either. But when you design a system for a billion people, you need to take into account how easily people can be phished in India for OTPs.

Wardriving Plan:

1. Google for '"Mera Aadhaar, Meri Pehchaan" filetype:pdf'

2. Find someone working at UIDAI on that list

> prepaid SIM card (in the US), I bought it on eBay

This is highly unusual now. For instance most countries in Europe will now need to see your passport to enable a SIM card. So India isn't an outlier. The stated reason, I believe, is terrorism. Whether this is Orwellian I leave for you to decide.

Yes, that's highly Orwellian and terrorism is an absurd justification. Anybody capable of pulling off a terrorist plot requiring a phone is likely to be able to find a way to get one without such a regulation making a problem for them.

What it does enable is surveilling a person's location and some of their communication without having to do something requiring resources and the possibility of alerting the person that they're a target.

For the record, it's not unusual to be able to buy and use a prepaid SIM card anonymously in the US. There have been a couple proposals to ban it, but they came nowhere near passing.

Sorry, by "highly unusual" I meant more an outlier among countries (in which I've bought SIM cards).

I guess I now assume it's all so tracked as not to matter much one way or the other -- it's not like the NSA can't connect your eBay account to your name. Asking for ID just saves them a few CPU cycles, reducing everyone's carbon footprint :)

I think they'd have to work a bit harder than that.

Even assuming they have continuous access to eBay, telco and MVNO systems, they probably don't have continuous access to the computers of the individual reseller who's selling preloaded SIM cards. This is almost certainly one guy working out of his house.

No doubt, the NSA could hack that guy, but they'd have to do so deliberately. The connection necessary for mass surveillance is broken at this point.