India's Banks Must Move to Aadhaar-Based Biometric AuthenticationSecurity Experts Raise Concerns About the Challenges Involved
The Reserve Bank of India has mandated that all scheduled commercial banks, urban and state cooperative banks, payment banks, ATM operations and authorized card payment networks migrate to Aadhaar-based biometric authentication for electronic payment transactions by June 30.
Banks also must ensure that all new card-present acceptance infrastructure, including network security, deployed from Jan. 1, 2017, is enabled for processing payment transactions using Aadhaar-based biometric authentication.
RBI took this action, under the guidance of the finance ministry, to improve security as the nation continues its shift to cashless transactions. The new authentication method for transactions is far more advanced than the current two-factor method.
But some security experts question whether the Aadhaar technology can handle the potential volume of transactions.
The 12-digit Aadhaar number, which is linked to demographic and biometric information of all residents and a photograph issued by UIDAI on behalf of government of India, already is widely used as a proof of identity and address.
Nanda S. Dave, chief general manager at RBI, says the regulator originally set the transaction deadline as March 30, but that deadline was postponed due to a lack of available Aadhaar-enabled devices.
"Therefore, RBI extended the deadline to June 30. ... Banks may continue to make necessary arrangements, including changes like host-end, network level and device readiness, to ensure adherence to the biometric authentication process," Dave says.
A number of security experts, including Gurgoan-based Sriram Natarajan, COO at Quattro, a business process outsourcing company, say the authentication mandate will create difficulties.
"Banks must deal with two challenges - the size and volume of biometric data, a new element - and the sheer pressure of handling personal data that's static in nature," he points out.
He also contends that biometrics generate a high number of false positives for confirming identities.
How It Works
Dr. N. Rajendran, NCPI's CTO, says the three components of the Aadhaar multifactor authentication are:
- Demographic authentication. A user enters the 12-digit Aadhaar number into the authentication device attached to a payment terminal or a smartphone for authentication purposes. The number enables a link to a database storing the user's demographic attributes, such as name, address, date of birth and gender, for authentication.
- Biometric authentication. When using the Aadhar number, users also must provide biometric information - a fingerprint or iris scan, as another factor of authentication.
- One-time PIN authentication. Users of the Aadhaar number must also use a one-time PIN sent to their mobile device to complete the authentication process.
To complete a financial transaction using an Adhaar number, banks must connect to NPCI's APES using their payment service provider system, which interfaces with core banking systems, customers' authentication systems and fraud and risk management systems, Rajendran says. Banks can integrate APES with their mobile banking system, if they have one.
"The biggest benefits for banks are single-click two-factor authentication for subsequent transactions along with a universal application for transactions as they leverage existing infrastructure," Rajendran says.
While Aadhaar was already being used by bank customers to prove their identities, now banks will use it to help enable online transactions.
But some security practitioners fear the Aadhaar-authentication request could fail following errors, such as biometric data not matching the database or demographic details not checking out.
A CISO of a leading multinational bank, who requested not to be named, notes, "The channel is definitely a disruptive technology, but spotting the weakest link is difficult, as increase in volumes and integrating biometrics with digital payments could prove a security headache."
As Aadhaar's scope widens, some security experts fear new security threats may emerge, such as identity theft if a person's biometrics are compromised from the payment system, or phishing attempts, making it difficult to revoke access once biometric information is compromised.
User education can help minimize the risk of not using the biometric process correctly, says Sivakumar Krishnan of FIS Payment Solutions & Services Ltd. He formerly was CISO of Micro Finance Ltd.
Natarajan anticipates problems as the volume of Aadhaar transactions surges. And he fears that the new form of authentication may fail due to the lack of processing capacity and computing power of the platform.
The most vulnerable aspect this new form of authentication, he says, is point-of-sale systems at merchants.
Rajendran notes: "OS level risks arise in this mode; besides, challenges arise at the device level when the firmware's getting encrypted and during transcription if accurate methods are not followed."
Best Security Practices
To ensure the new authentication method for electronic transactions works, the RBI must prescribe strong privacy policies and an effective security framework, some security experts say.
Rajendran recommends that banks deploy device verification parameters, make sure they have effective risk and fraud management systems, and alert UIDAI of multiple transaction failures due to authentication failures.
UIDAI recommends key best practices for biometric authentication:
- Use end-to-end encryption of personal identity data to ensure data is not read, stored or tampered with for malicious purposes;
- Secure the network at multiple levels between front-end authentication points and the Central Identities Data Repository to ensure protection against network attacks;
- Securing CIDR at multiple levels through creation of a DMZ, application zone and data zones and protecting all zones using multiple firewalls, network intrusion prevention systems and strong access control and audit schemes.
Some security practitioners say periodic testing of biometric systems by ethical hackers can also help discover system vulnerabilities in advance.
"Continuous monitoring and continuous improvement are key for maintaining confidentiality, integrity and availability of the system," Krishnan says.