eKYC Crisis: Securing the Lockers

By Kartik Lalan on 02 Mar 2025 @ Nullcon
#risk-management #architecture #data-leak #data-protection #identity-theft #application-hardening #api-security
Focus Areas: 🔒 Data Privacy & Protection , ⚖️ Governance, Risk & Compliance , 🔐 Application Security , 🏗️ Security Architecture , 📚 Security Awareness , 🌐 Web Application Security

Presentation Material

Abstract

This talk focuses on how the rapid digitization of every possible thing brought in the need for digital KYC (know your customer), and with it outsourced massive data risk. It discusses how our existing data is at potential risk, how that risk persists into the future, and what the gaps in current vaults are. Payment cards can be discarded once compromised, but that ain't possible for KYC details. Moreover, the design implemented in current solutions allows replay easily, which makes the end user more vulnerable and eventually national security as well. It does not target any specific solution, but touches upon the most prominent solutions and their risk outcomes.

AI Generated Summary

The talk addresses critical security vulnerabilities within India’s electronic Know Your Customer (eKYC) ecosystem, framing it as a systemic crisis. eKYC, used across banking, fintech, telecom, and governance, relies on digital submission and verification of identity documents like Aadhaar, driving licenses, and vehicle registration certificates.

Key findings demonstrate that official portals and applications are fundamentally compromised. Attackers can forge documents within official apps by intercepting and modifying API responses via proxy tools, making falsified data appear legitimate. More severely, unauthorized individuals can download sensitive documents belonging to others using minimal or publicly guessable information—such as the last five digits of a vehicle’s engine/chassis number for an RC, or just a date of birth for a driving license—due to absent or weak validation logic. Verification applications themselves fail, often accepting both forged documents (with fake QR codes and validation ticks) and legitimate documents they cannot properly authenticate, rendering them useless.

The permanence of leaked identity data is a core risk; unlike a lost credit card, a compromised ID proof cannot be revoked. The talk distinguishes between movable assets (e.g., vehicles, which are easily transferred and require stringent, recurring KYC) and immovable assets (e.g., bank accounts, where frequent re-verification is less critical), arguing current practices misapply this logic. Additional threats include deepfake-powered video KYC bypasses and the exploitable simplicity of the Central KYC (CKYC) number, which grants access to multiple financial accounts with no secondary authentication.

Practical implications are severe: widespread identity theft, financial fraud via mule accounts, and national security risks from document misuse. Proposed solutions include purpose-bound, time-limited digital documents with unique identifiers, mandatory audit trails for all document access, server-side verification by recipients (not just display on a user’s device), and stricter enrollment processes to prevent self-service alterations. The speaker concludes that without coordinated security community action and systemic redesign, the crisis will deepen.
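To make the proposed mitigations concrete, the following is an added example (not code from the talk or from any eKYC provider) of a purpose-bound, time-limited document share token that the recipient verifies on its own server and logs to an audit trail. Every name in it is an assumption: the issuer key, the claim names (`jti`, `doc`, `aud`, `purpose`, `exp`), the sample document id and the recipient identifiers are all constructed for the demo. An HMAC is used so the example stays short; a real deployment would sign with an issuer key held in a KMS/HSM and let recipients verify with a public key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key (assumption). In production the issuer keeps this in an
# HSM/KMS; recipients would verify an asymmetric signature instead of an HMAC.
ISSUER_KEY = b"constructed-demo-key-do-not-use-in-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_share_token(doc_id, holder_id, audience, purpose, ttl_seconds, now=None):
    """Issuer side: bind one document share to one recipient (audience), one
    purpose and a short validity window, and give it a unique id (jti) so the
    recipient can enforce single use and the issuer can audit who used it."""
    now = int(time.time()) if now is None else now
    claims = {
        "jti": secrets.token_hex(8),
        "doc": doc_id,
        "sub": holder_id,
        "aud": audience,
        "purpose": purpose,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = b64url_encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"


class RecipientVerifier:
    """Recipient side: verifies on the server rather than trusting whatever the
    holder's device displays, and records every attempt, pass or fail."""

    def __init__(self, key=ISSUER_KEY):
        self._key = key
        self._seen_jti = set()      # single-use enforcement against replay
        self.audit_log = []         # mandatory trail of every access attempt

    def _record(self, outcome, reason, claims=None):
        claims = claims or {}
        self.audit_log.append({"outcome": outcome, "reason": reason,
                               "jti": claims.get("jti"), "doc": claims.get("doc")})
        return outcome, reason

    def verify(self, token, my_audience, my_purpose, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig_text = token.split(".")
            sig = b64url_decode(sig_text)
        except ValueError:                       # binascii.Error is a ValueError
            return self._record(False, "malformed")
        # Signature is checked before any claim is parsed or trusted.
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return self._record(False, "bad signature")
        claims = json.loads(b64url_decode(body))
        if now >= claims["exp"]:
            return self._record(False, "expired", claims)
        if claims["aud"] != my_audience:         # purpose-bound: wrong recipient
            return self._record(False, "audience mismatch", claims)
        if claims["purpose"] != my_purpose:      # purpose-bound: wrong use
            return self._record(False, "purpose mismatch", claims)
        if claims["jti"] in self._seen_jti:      # the replay the talk warns about
            return self._record(False, "replayed", claims)
        self._seen_jti.add(claims["jti"])
        return self._record(True, "ok", claims)


if __name__ == "__main__":
    # Constructed scenario: a share of document "RC-DEMO-0001" for one lender.
    t0 = int(time.time())
    tok = issue_share_token("RC-DEMO-0001", "holder-1", "lender-a", "vehicle-loan", 300, now=t0)
    lender = RecipientVerifier()
    print(lender.verify(tok, "lender-a", "vehicle-loan", now=t0 + 5))    # (True, 'ok')
    print(lender.verify(tok, "lender-a", "vehicle-loan", now=t0 + 6))    # (False, 'replayed')
    print(RecipientVerifier().verify(tok, "telco-b", "vehicle-loan", now=t0 + 5))
    for entry in lender.audit_log:
        print(entry)
```

The point of the design is that the same token cannot be forwarded to a second recipient or reused later, and that a forged or altered document body fails at the signature step before any of its contents are read; the audit log captures the failures as well as the successes, which is what makes misuse detectable after the fact.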

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.