[Karupan]

As an Indian developer, I cringe every time the government claims a system is un-hackable. Especially when contracts are handed to one of the big Indian IT companies. Having started my career in one of those companies, I saw firsthand how most of the development process was just filling in gaps. Security through obscurity was thought to be “highly secure” and security experts were non existent.

No surprises that the database was compromised. Aadhar is a fundamentally flawed system and nothing will ever be done about it.

[kamaal]

No amount of 'security' will help here. That's because every one including the people don't give a dime about 'security' in India.

In Aadhar enrollment centers, passwords are shared. You might like to introduce an OTP like concept, but phones are shared too. 2FA? nice try, but then people also share answers to security questions. Next what? DNA authentication? Biometrics? guess what none of those are any where near reliable and they are mostly identity related things and not authentication related things.

There is also government policy. Which is lapse. Mostly run by civil servants who understand nothing about technology. IAS is largely a trivia testing exam with focus on things like meeting and group discussion skills. The head of UIDAI recently claimed that data could not have been possible stolen as the data was still in their database :)

This is a phenomenal lapse at every level.

Software is one thing, but if your people have decided to work around it, its basically all over.

[vishnugupta]

+1.

We also need to consider the motivations for working around 2FA or any such authentication systems. One is convenience as you've pointed out.

The other, much bigger motivation IMO, is opportunity to make money. As the article points out once enrolment was outsourced (Rs30/enrolment) it was immediately seen a money making venture so a whole bunch of these centres with dubious credentials surfaced. They were entrusted with document verification too so they would happily accept just about any piece of paper as proof of address. Then there was a business of charging desperate people money to create Adhaar account without which they wouldn't get subsidies.

And then they shut down (50,000 or so) these enrolment centres. Did they expect that all those employed at those centres who lost their jobs to not do anything about it!? Of course they would figure out ways to enrol people!!

[throwaway_tvs1]

Apparently, the bill passed in the Indian Parliament does not limit the right of the state apparatus to 'bio-authenticate' you. A scientist at CSIR apparently blurted out earlier that DNA authentication was under consideration. The amount of money spent on this BS project is absurd.

[Aeolun]

You mean security experts were found all around, but patted themselves on the back after preventing a single SQL injection attack.

[Bhilai]

A single SQL Injection has pretty huge potential, specially if its in an application that deals with sensitive data. I would not downplay it.

[Aeolun]

I completely agree. But it is the absolute basic level at which you start to secure your application.

I’d expect security experts working on a government ID program to be a bit more distinguished.

[LeonM]

This happens in every country, not just India. And the database has not been compromised.

[andyjohnson0]

> And the database has not been compromised.

The database is not known to be compromised.

[DoofusOfDeath]

> The database is not known to be compromised.

The database is not known by the general public to be compromised.

[MrEldritch]

The database is known by the general public to be compromised.

https://thewire.in/government/data-breach-aadhaar-details-gr...

The reason this article didn't mention it is because one of the authors is still in hot water with the police for trying to report on it.