India’s Aadhaar (National ID) Software Hacked, ID Database Compromised, Experts Confirm


#1

Source: https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472/

This is an amazing piece of investigative journalism that shows how the Indians with their mountains of talent could not prevent one of their critical national databases from being compromised.

This raises concerns about the integrity of the BVN database and to be honest, the systems run by many in the payment industry, who hide behind the meaningless term “PCI-DSS compliance” as some sort of proxy for security, but internally they know about the many skeletons and duck tape patches in their systems.

For example, one of the principal claims that is usually made about the BVN system is that no single individual cannot register twice. Claims are there to be refuted and I’ll like NIBSS to back that assertion up by creating a program that encourages security researchers to test those claims. We cannot continue to conflate obscurity with security.

I’ll also like to encourage Nigerian fin-tech companies to setup public, paid bug bounty programs as a way to expose new vulnerabilities. It will also go a long way to instill more confidence. A situation whereby a bunch of boys are defrauding the system to the tune of billions by exploiting a client-side, man-in-the-middle script hack is intellectually insulting. You all know who you are.

TLDR; Please establish and publish the guidelines for your bug bounty programs. If you are scared about what may be revealed, note this - it will get out anyway and it is far worse for your economic wellbeing if you can’t control how it gets out.


#2

Hey! Stop it, you are now in Nigeria.
On a serious most people given to do this are either : ignorant/reckless/negligent, I’m talking those at the top not even devs now. Because when there’s strong policy that is thoroughly monitored everyone will surely play along but you know - “my people”

[I feel your pain tho]


#3

Sorry, but I don’t get the point in your response.


#4

Bug bounty programs won’t really work out well over here tho. There are lots of factors geared by our selfishness that’d mar that kind of program, unless there’s a proper identification and surveillance system in place.

In fact, the same reason we’re stuck with debit based bank accounts is the same reason corporations won’t like the program.