Several founders, co-founders, CXO bankers, CXO fintech professionals and other people who participated in the ePanel discussions:

  • Mr. Sunil Kulkarni, Fintech Advisory & M&A, Alamak Capital Advisors
  • Mr. Sanjay Swamy, Managing Partner & Co-Founder, PRIME Venture Partners
  • Mr. Vikas R Panditrao, Co-Founder, Forum of Industry and Academic Knowledge Sharing (FIAKS)
  • Many other CEO/CXO bankers and fintech professionals on the FIAKS Forum who requested to remain anonymous

In a world of data breaches and cyberattacks, how secure is customer data? With growing digitisation, privacy concerns keep rising. Here the FIAKS community questions, in particular, the connector used for biometric authentication when issuing SIM cards or opening bank accounts. Look at the blue connector in the image below. Walk into any electronics outlet and you will find several such connectors with built-in storage. A KYC official with fraudulent intent could easily store customer details on this blue device. Isn’t this risky?

First, let’s understand a few terms:

  • ASA (Authentication Service Agency): An organization or entity providing secure leased-line connectivity to UIDAI’s data centres for transmitting authentication requests from various AUAs.
  • AUA (Authentication User Agency): An organization or entity using Aadhaar authentication within its applications to provide services to residents. Example: a bank.
  • CIDR (Central ID Data Repository): The data centre(s) where the data of enrolled residents is stored and accessed from.
  • KSA (KYC Service Agency): An ASA that has been approved and has signed the agreement to access the KYC API through its network.
  • KUA (KYC User Agency): An AUA that has been approved and has signed the agreement to access the KYC API.
  • OEM (Original Equipment Manufacturer): A manufacturer that produces products or equipment which another company then markets under its own brand and name.
  • VID (Virtual ID): A 16-digit random number that is temporary and revocable, used in place of the Aadhaar number during authentication or e-KYC [1].
  • SDK (Software Development Kit): A collection of tools that enables the development of mobile applications.
  • RD (Registered Device): A biometric capture device whose RD service encrypts the biometric at the point of capture.

Now here are some concerning questions:

Question 1: Why can’t we eliminate these blue connecting devices?

  • Well, we can certainly replace the blue device, but what alternatives do we have? Bluetooth fingerprint devices (see the image below) are available in the market and can be paired with a smartphone. Otherwise, OEMs need to build the scanners with micro USB inputs, so that no separate connector is needed.

Question 2: How can telcos or banks claim that this device cannot store customer details? What safeguards are in place to de-risk it?

A community member helps us understand how Aadhaar authentication and eKYC work. He says:
  • Firstly, the customer enters the Aadhaar number/VID in the smartphone and places a fingerprint on the scanner.
  • Then, while capturing the biometric, the RD service gets invoked and it encrypts and encodes the biometric, along with a timestamp, at the SDK level before even interacting with any additional application installed on the smartphone. Encryption happens with UIDAI’s public key, and key rotation takes place at fixed intervals between UIDAI and the OEM’s RD management server.
  • Then this encrypted and encoded biometric is made into a packet along with other details, which is sent out from the smartphone to the KUA switch, to the KSA, to UIDAI.
  • UIDAI then decrypts the packet with its private key and matches the fingerprint along with the Aadhaar number/VID.
  • If it’s a match, UIDAI responds with the customer’s KYC details in a signed XML format. (XML usually stores data in plain text and is a flexible format for sharing structured data electronically via the public internet and corporate networks.)
  • These details flow back to the mobile application via the KSA to the KUA, and are presented on the screen.
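
To make the safeguard concrete, here is a toy end-to-end run of the flow the community member describes, written as an added example for this page; it is not code from FIAKS, UIDAI or any OEM, and it does not implement UIDAI’s actual protocol. The RD side encrypts the timestamp and biometric under UIDAI’s public key at capture; the packet then passes the USB adapter, the app, the KUA and the KSA as opaque bytes; the CIDR side decrypts, rejects stale or tampered packets, matches, and returns a signed XML response that the app verifies before displaying anything. Every name (Packet, RDCapture, CIDR, Authenticate, VerifyKYC, LeaksBiometric) is invented for the example, as are the mechanics: a per-capture AES-256-GCM session key wrapped with RSA-OAEP, an Ed25519 signature on the response, a five-minute freshness window, and an exact-bytes "match" standing in for real biometric matching. The fingerprint template and VID used in testing are constructed.

```go
// Added example (not FIAKS, UIDAI or OEM code); key sizes, wire layout, toy matching, Ed25519 signing and the freshness window are assumptions.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Packet is what leaves the RD service; the adapter, app, KUA and KSA see only these fields.
type Packet struct {
	ID         string // Aadhaar number or VID, in clear as the lookup key
	WrappedKey []byte // per-capture AES-256 key, RSA-OAEP encrypted to UIDAI's public key
	Nonce      []byte // 12-byte GCM nonce
	Ciphertext []byte // AES-GCM over timestamp||biometric, with ID as associated data
}

// RDCapture plays the RD service: encrypt at capture, before any app or adapter sees the data.
func RDCapture(uidaiPub *rsa.PublicKey, id string, biometric []byte, now time.Time) (Packet, error) {
	random := make([]byte, 32+12) // fresh session key || GCM nonce
	if _, err := rand.Read(random); err != nil {
		return Packet{}, err
	}
	block, _ := aes.NewCipher(random[:32]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	plain := append(binary.BigEndian.AppendUint64(nil, uint64(now.Unix())), biometric...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, uidaiPub, random[:32], nil)
	if err != nil {
		return Packet{}, err
	}
	return Packet{ID: id, WrappedKey: wrapped, Nonce: random[32:],
		Ciphertext: gcm.Seal(nil, random[32:], plain, []byte(id))}, nil
}

// LeaksBiometric: could a storage-capable adapter recover the raw template from the packet?
func LeaksBiometric(p Packet, biometric []byte) bool {
	return bytes.Contains(p.Ciphertext, biometric) || bytes.Contains(p.WrappedKey, biometric)
}

// CIDR is a toy stand-in for UIDAI's repository.
type CIDR struct {
	decKey   *rsa.PrivateKey    // private half of the key every RD encrypts to
	signKey  ed25519.PrivateKey // signs KYC responses so the KUA can detect tampering
	enrolled map[string][]byte  // ID -> enrolled template (toy: exact bytes)
	names    map[string]string
}

func NewCIDR() (*CIDR, error) {
	c := &CIDR{enrolled: map[string][]byte{}, names: map[string]string{}}
	var err error
	if c.decKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, err
	}
	_, c.signKey, err = ed25519.GenerateKey(rand.Reader)
	return c, err
}

func (c *CIDR) Enroll(id, name string, template []byte) { c.enrolled[id], c.names[id] = template, name }
func (c *CIDR) EncryptionKey() *rsa.PublicKey             { return &c.decKey.PublicKey }
func (c *CIDR) SigningKey() ed25519.PublicKey             { return c.signKey.Public().(ed25519.PublicKey) }

// Authenticate decrypts, rejects tampered or stale packets, matches, and signs the KYC XML.
func (c *CIDR) Authenticate(p Packet, now time.Time) (xml string, sig []byte, err error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, c.decKey, p.WrappedKey, nil)
	if err != nil {
		return "", nil, fmt.Errorf("session key not decryptable with UIDAI's private key")
	}
	block, err := aes.NewCipher(sessionKey) // attacker-supplied key could have the wrong size
	if err != nil || len(p.Nonce) != 12 {   // gcm.Open panics on a bad nonce length, so check first
		return "", nil, fmt.Errorf("malformed packet")
	}
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.ID))
	if err != nil || len(plain) < 8 {
		return "", nil, fmt.Errorf("packet tampered, or ID does not match ciphertext")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if now.Sub(ts) > 5*time.Minute || ts.After(now.Add(time.Minute)) { // assumed replay window
		return "", nil, fmt.Errorf("stale timestamp: possible replay")
	}
	if !bytes.Equal(c.enrolled[p.ID], plain[8:]) {
		return "", nil, fmt.Errorf("biometric mismatch")
	}
	xml = fmt.Sprintf(`<KycRes id="%s"><Name>%s</Name></KycRes>`, p.ID, c.names[p.ID])
	return xml, ed25519.Sign(c.signKey, []byte(xml)), nil
}

// VerifyKYC is what the app or KUA must do before trusting what it shows on screen.
func VerifyKYC(signPub ed25519.PublicKey, xml string, sig []byte) bool {
	return ed25519.Verify(signPub, []byte(xml), sig)
}
```

The point of LeaksBiometric is the page’s own question: a connector with storage that sits between the scanner and the phone only ever sees WrappedKey, Nonce and Ciphertext, so it can copy the packet but cannot recover the fingerprint, and because the timestamp is inside the ciphertext and the ID is bound as associated data, a copied packet cannot be replayed later or re-pointed at another Aadhaar number. What a storage-capable adapter could still capture is anything that is not inside the encrypted packet, which is why the response path (the signed XML flowing back to the app) deserves the same scrutiny as the request path.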

 Now let’s ascertain the details about the risk and data security:
