Aadhaar number details: Yet another 'leak' UIDAI needs to fix
UIDAI allows you to check your bank account linking status by two means , one via the official website (www.uidai.gov.in) and also via your mobile device.
If someone knows your Aadhaar number, then they can find out with which bank you have an account easily by dialling a USSD code provided by Aadhaar helpline number.
UIDAI allows you to check your bank account linking status by two means , one via the official website (www.uidai.gov.in) and also via your mobile device. On calling the customer helpline number the UIDAI officials will give you a USSD code to check the linking status. .
While checking the status on UIDAI's website there is a security feature in the form of a one-time password (OTP) sent to the mobile number registered for that Aadhaar in the records of UIDAI. Therefore, only the actual holder of the mobile number registered with the Aadhaar can supply the OTP and then obtain the information of the bank where the account has been linked to the Aadhaar number.
However, if the same service is accessed using the USSD code provided by Aadhar officials there is no such feature of OTP or any other safety measure to ensure that no one apart from you (the actual owner of the Aadhaar number) is able to access the name of the bank where you have an account. .
Consequently, the result is that any person can simply dial the provided USSD number, input your Aadhaar number and get the reply which would state the name of the bank where you have an account.
We were given the USSD code by the customer care centre of UIDAI some months ago when we called the centre for information for another article which was on how people could check the status of the linkage of Aadhaar with various services.
The article giving the code was published on 14 December 2017. Click here to read the article.
However, we later found that the same code worked even when used by people other than the actual Aadhaar number holder.
Why is it a matter of concern?
For various purposes, we are required to give photocopies of our Aadhaar card to government agencies, banks, telecom service providers etc. Beside the KYC process of banks, mutual funds etc, the 12- digit unique identification number is needed to register for various exams, events too. Infact, a huge percentage of people would have already given photocopies of their Aadhaar to the above mentioned entities. Consequently, anyone with access to your Aadhaar can use the number and find out the bank where your account is.
While the name of the bank where you have an account may not pose a financial security threat in itself but it does add one more additional piece of personal information (apart from your Aadhaar number) that anyone can get to know about you and help a hacker build a database about you.
Though UIDAI has said that virtual ID will allow Aadhaar number holder a choice of either using virtual tag or Aadhaar number but the question remains about the security of these details available easily when photocopies of our Aadhaar card submitted to various private or government agencies.
However, it needs to be mentioned that only this Aadhaar information service is available using a USSD code. For other online services such as verification of e-mail/mobile number, Aadhaar authentication history etc. are available via website only which has OTP verification.