In the last post, I talked about how people unknowingly give away data that can be used to draw statistical inferences, to a large degree of accuracy, for a particular region or a country. There is another, bigger threat to our data: ‘data breaches’.
You store photos in the cloud and save storage; you use online platforms that save your details, and you are okay with it; you buy something online, and all your online transactions are stored in a database.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. How bad can it be, you ask? Well, it depends on whether you are affected or not. Chances are your data has already been exposed in one of the previous leaks and you are just unaware that it is floating around in the vast and deep trenches of the internet, probably on the deep web too. Your name, passwords, address and all your likes and dislikes are there for anybody to see, except you, because you only just got to know about it.
And things can seem pretty scary if it is your financial data we’re talking about. Would you like it if your credit card details could be easily looked up and your bank accounts accessed and emptied in a matter of seconds? Exactly! If you are carrying out a transaction at a store using your credit or debit card, just take a moment and consider how insecure that is.
And when it comes to breaches, you can’t do much about it. It happened with Yahoo and Uber, and it will not stop, because there is no one-time solution to it. Every time it happens it is different: a data breach from the outside, or a data leak or data spill from the inside. It is almost impossible to predict beforehand.
One thing that I know for sure is that tech firms, big or small, fear these breaches. They are called out immediately by the people and by other firms. Eventually, they do not have any option but to issue an apology, which does no good in this case. Breaches are always happening; just keep your eyes open and you’ll see them. It is estimated that in 2015 alone a total of 707 million records were exposed as a result of data breaches, with a total of $2.1 trillion in damages.
Another very interesting case study is the Ashley Madison Data Breach. In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group copied personal information about the site’s user base and threatened to release users’ names and personally identifying information if Ashley Madison would not immediately shut down. On 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details. Because of the site’s policy of not deleting users’ personal information – including real names, home addresses, search history and credit card transaction records – many users feared being publicly shamed. Read about it here.
Then comes our very own: Aadhaar. This ID database is packed with identity and biometric information, like fingerprints and iris scans, of more than 1.1 billion registered Indian citizens. Anyone in the database can use their data or their thumbprint to open a bank account, buy a SIM card, enroll in utilities and schemes, and even receive state aid or financial assistance. Even companies like PayTM, Amazon, and Uber can tap into the Aadhaar database to identify their customers, a process popularly known nowadays as KYC (Know Your Customer).
The idea, when implemented slowly in the early stages, was great, at least on paper. As it gained momentum, people started using it to its limits, I should say, and, as with everything in our country, its limits were tested and eventually shattered. It turned out to be a great way to convert this country’s 130 Crore Indians into a database. And as we have seen, databases have ‘security issues’. Fast forward to today, and you just need Rs 500 and 10 minutes to have access to a billion Aadhaar details, all through a ‘racket’ paid through PayTM. You could enter any Aadhaar number in the portal and instantly get all the particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email. More on this here.
When ZDNet, an online technology and IT blog, wrote about all this and tried to reach the authorities about it, nobody responded. After people read the post and started asking questions, the UIDAI replied. In another series of tweets, Elliot Alderson, who calls himself a French security researcher, went on to expose dorks and scripts to extract database details from the UIDAI and the Aadhaar data shared with other organizations, and the UIDAI yet again called Alderson’s revelations and the subsequent media reports “irresponsible” and “far from the truth”. In response, he even released a video showing the process to bypass the password protection in the mAadhaar Android app within just a minute.
The UIDAI continues to maintain that one cannot harm a person just by knowing his or her Aadhaar number and that it would require biometric data to authenticate a person’s identity so as to cause further damage. Meanwhile, in February, stolen biometrics were used in Surat to steal subsidised ration items. And in a written response to the Rajya Sabha, the Minister of State for Finance Shiv Pratap Shukla admitted that close to Rs 1.5 crore were withdrawn fraudulently from Public Sector Bank accounts using Aadhaar numbers.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker needs physical access to the phone, a rooted phone is not needed and yes this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv
— Elliot Alderson (@fs0c131y) March 13, 2018
In another one of Elliot Alderson’s tweets, he posted -
In #India, the voter lists are public. Election commissions release pdfs with name, father's name, age, sex, address, voter id. Due to "poor" security practices by @CeodelhiOffice, it's possible to gather all the Delhi voters data in one database. pic.twitter.com/c7DV2wMqh7
— Elliot Alderson (@fs0c131y) February 11, 2018
As I already said, you cannot do much after it happens, but choosing the safest store or platform is always in your hands. You may call these precautionary measures.
- For starters, research. Read up on well-known data breaches and be aware of them; you can go to the Wikipedia page here.
- You can also check if your data has ever been compromised in the past here.
- Vigilante.pw lists over 2,100 websites which have had their databases breached, containing over 2 billion user entries in total.
- You can also take a look at this cool interactive chart of the worst data breaches here.
- And check out the biggest data breaches of the 21st century here.
- If you have been fine so far, keep your eyes peeled from now on.
Considering how little control we have over our own data once it gets stored in the databases of tech firms, it is high time we start analyzing which services to use and which ones to avoid. Or else we will lose control of our own data, and politicians and hackers will definitely leave no stone unturned to use that data for egocentric, self-centered and inhuman deeds.