Abhinav Srivastava, a prime accused in the
Aadhaar card data theft, demonstrated to investigators how
he used shortcuts to hack into the servers of NIC to retrieve the Aadhaar data.
During the demonstration, he disclosed
the modus operandi he used to hack into the government website. The cyber
crime investigators recorded the entire process on a video camera. "He said the absence
of Hypertext Transfer Protocol Secure (HTTPS) from the URL helped him hack into
the e-hospital website. HTTPS is the secure version of HTTP (Hypertext Transfer
Protocol)," a source said. "All communications between the browser
and the website were not encrypted. HTTPS is often used to protect highly
confidential online transactions like banking and shopping order forms."
HTTPS is a basic security
feature, while HTTP has no security features of its own. Government
websites are not meant to be hosted without HTTPS, which is mandatory for an eKYC agent.
How did the NIC, eHospital and UIDAI authorities fail to notice this major flaw? The concerned
authority should be held responsible for this rather than the hacker.
Srivastava, an MSc
graduate from IIT-Kharagpur, was arrested for allegedly hacking into
the e-hospital server hosted by the National Informatics Centre (NIC), a KYC user
agency (KUA) which has tied up with the Unique Identification Authority of
India (UIDAI) for Aadhaar authentication services.
"I developed the app
giving out e-KYC details, thinking it would help the common man access Aadhaar
information. I had no other intention," police said, quoting the accused.
However, senior officials
explained that hacking into the server itself was a criminal act. "He's
trying to convince us that he is not a hardcore criminal but that can only be
decided after the investigation is over."
CCB police have seized
four laptops and one hard disk from his home, and all of the seized gadgets
have been sent to the forensic science laboratory. "We need to carefully
examine the gadgets as they contain all the information of his
activities," a CCB cop said.