During a recent workshop, one of the participants asked me whether it is a good idea to link his Aadhaar number to all his bank accounts. The idea of having a single point of existence (Aadhaar) and linking it with everything else appears good, on paper.
Going a step ahead, the government will also try to link this instrument of identification (ID) with everything: bank accounts, all types of connections, social media and various apps. There are news reports that WhatsApp, one of the most popular messaging apps in India, is planning to offer peer-to-peer payments from its platform. Some banks had already explored the idea of using other social media, like Facebook, for payments, but the response to this was not so encouraging. However, all this may prove costly in case there is a data breach or somebody steals the single ‘everything’ ID.
At present, we have two-factor authentication (2FA) for financial transactions conducted online. This includes the user’s password and a one-time password (OTP), which together help in protecting the customer. For example, if I want to buy and pay for something online, I will have to use my login ID, password and the OTP that is sent to my registered mobile number and/or email ID. This helps to avert misuse, to a large extent. Anyone who wants to misuse my credentials will need to know my login ID and password, and also have access to my mobile phone or email ID. Obtaining all these details is difficult under normal circumstances.
However, when you use a single or random number assigned to you as the login and use a fingerprint as the authentication, there is a big danger. This was exposed in a recent case, where some people looted around Rs25 crore from Bank of Maharashtra through the unified payment interface (UPI) app. Although it was blamed on a bug in the app, the fact is that not one of the customers of the Bank was party to the transactions. Their bank account numbers and authentications were simply bypassed.
In an article, Anand Venkatanarayanan, a senior engineer at NetApp, says, “...systems that use biometrics for authentication usually are deployed in controlled environments, which limit their usage to two- or three-factor authentication and not as a primary means of authentication... How would a normal user know that their biometrics are being stolen by a fake, certified scanner from the standardisation testing and quality certification (STQC) agency? The answer is probably ‘never’, until it is too late.”
This is exactly the danger, and it multiplies several-fold when you interlink everything under the sun, be it your bank accounts, driving licence, permanent account number (PAN) or passport. With the flood of payment apps based on UPI and the linking of (all) bank accounts with Aadhaar, your Aadhaar number would be floating around, and it becomes quite easy for a cybercriminal to steal money from your account. In addition, anyone can seek a payment from you through the UPI apps: all they need to do is send a payment request from their UPI app. Considering the literacy level and our behavioural biases, a majority of people would happily touch the ‘Yes’ button for any such payment request. The person will come to know about the loss only when he reaches the bank or checks the account statement.
So, what is the solution? Try not to link every bank account of yours to a single ID. Make sure you enable email and SMS alerts for all your bank accounts, and ask the bank to alert you for every transaction. Do not share your Aadhaar or mobile number unnecessarily, especially for financial transactions.