The director RS Sharma literally posted his number on his personal Twitter, saying there is no harm if this number is public. In a few minutes people found his school transcripts, bank statements, and call logs, and Amazon orders with cash on delivery were on their way to his house. A few days later the official Twitter handle of Aadhaar had to say: please keep it safe the way you do your wallet or home key. Use it but don't flaunt it.
Cash on delivery just means the address was qualified. But the address is normally available from other services, and is not obtained by impersonating someone in authentication.
Even if all you claimed is true, it just means that the school, the bank, and the telephone company shouldn't take the Aadhaar ID as authentication, which it was never intended to be. Use OTP/biometrics for authentication.
A famous Aadhaar-opposing French security specialist posted to his tweet with that Aadhaar, although Sharma deleted that tweet soon, I think. It was on Twitter; I will try to find the exact tweet tomorrow.
Biometrics are highly problematic in this context. If someone steals your private key, you can jump through some hoops and get a new one issued, and regain control over your identity.
If someone steals your biometric data (and that is a thing that can happen through a variety of methods), there's no form you can fill out to be issued new retinas. Your identity is permanently compromised.
A moderate increase in security[1] in the average case in exchange for catastrophic failure modes isn't a good tradeoff.
(And given the very, very troubled history of biometric security, I'm being charitable assuming it's even an increase.)
This is just wrong. They found that out using Google search and social engineering. A lot of his details, like his phone number, were available online and were available with a Google search. Amazon, being stupid, uses a copy of Aadhaar as an authentication mechanism. The Aadhaar number is not supposed to be secret. That's the reason you need to use biometrics along with your number to authenticate you.