In another exposure of Aadhaar’s cybersecurity weaknesses, over 70 subdomains under a Government of India website are providing access to demographic-authentication services without requiring identity verification from the requester. The websites allow users to access an application programming interface, or API, in which anyone can enter a person’s Aadhaar number, name, gender and date of birth, and be directed to a page that either reads “yes” or displays an error message, indicating whether or not the information corresponds to a valid entry in the Aadhaar database. Providing such unrestricted access to this API raises major concerns of privacy, and may be exploited by hackers seeking to uncover people’s Aadhaar numbers. It also violates the Aadhaar Act, the law governing India’s nationwide digital-identity programme.
Two security researchers—Srinivas Kodali and Karan Saini—independently found the vulnerability and reported it to relevant authorities.
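As an added defensive illustration (not code from the article or from the affected sites), the following detection logic flags the enumeration pattern the unauthenticated yes/error oracle invites: one client submitting many distinct Aadhaar numbers in a short window, mostly receiving errors. The log format, the `/demoauth` path, the `uid` parameter and the sample values are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log, assumed format: "<ISO time> <client> <path> <result>"
# where result is "yes" (match) or "error" (no match), as the article describes.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 198.51.100.7 /demoauth?uid=000000000001&name=A&gender=F&dob=1985-02-03 yes
2018-03-01T10:00:05Z 203.0.113.9 /demoauth?uid=000000000002&name=B&gender=M&dob=1990-01-01 error
2018-03-01T10:00:06Z 203.0.113.9 /demoauth?uid=000000000003&name=B&gender=M&dob=1990-01-01 error
2018-03-01T10:00:07Z 203.0.113.9 /demoauth?uid=000000000004&name=B&gender=M&dob=1990-01-01 error
2018-03-01T10:00:08Z 203.0.113.9 /demoauth?uid=000000000005&name=B&gender=M&dob=1990-01-01 error
2018-03-01T10:00:09Z 203.0.113.9 /demoauth?uid=000000000006&name=B&gender=M&dob=1990-01-01 yes
2018-03-01T10:30:00Z 198.51.100.7 /demoauth?uid=000000000007&name=C&gender=M&dob=1977-07-07 yes
"""

def parse_line(line):
    """Split one log line into (timestamp, client, uid, result)."""
    ts, client, path, result = line.split()
    uid = parse_qs(urlsplit(path).query).get("uid", [None])[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, uid, result

def find_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag clients that query >= threshold distinct uids inside any sliding window.
    Returns {client: {"distinct_uids": n, "error_ratio": r}} for flagged clients only."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, uid, result = parse_line(line)
            events[client].append((ts, uid, result))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        in_window = Counter()  # uid -> number of hits inside the current window
        start = 0
        for ts, uid, _ in evs:
            in_window[uid] += 1
            while ts - evs[start][0] > window:  # slide the left edge forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                errors = sum(1 for _, _, r in evs if r == "error")
                flagged[client] = {"distinct_uids": len(in_window),
                                   "error_ratio": round(errors / len(evs), 2)}
                break
    return flagged
```

A high error ratio distinguishes guessing from a legitimate verifier, which submits details it already holds and mostly sees "yes".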
The FBI recently published its 2017 Internet Crime Report highlighting trends and statistics compiled by the FBI’s Internet Crime Complaint Center (“IC3”) during 2017. The report compiles data from a total of 301,580 complaints which reported losses of over $1.4 billion. In addition to an explanation of the IC3’s history and operations, the report includes five “hot topics” from 2017: business email compromise (“BEC”), ransomware, tech support fraud, extortion, and the Justice Department’s Elder Justice Initiative.