Fake Registrations on CoWIN, Aadhaar already used
Have you tried to register for your first shot of COVID vaccine and found to your dismay that your Aadhaar number has already been used by someone else? You are not alone. I faced this issue myself and as I discuss this issue, more and more people are coming forward with similar stories.
It started when I tried to register for Covaxin Dose – 1 for my wife using the Arogya Setu app. This happens to be the only mobile phone app available. Arogya Setu uses the mobile phone number for authentication and this process concluded quickly and efficiently (except the inordinate delay by BSNL to send OTP SMS messages). On switching to CoWIN tab in the app, we were prompted to select the “Photo ID” and type it’s identifier number. When we type the Aadhaar number, the app informed us that the Aadhaar number was already registered with CoWIN by a person unknown to us, using a mobile phone number unknown to us.
The CoWIN app / website software design and development has completely failed on several fronts and is an illustration of the lack of competence in Indian software developers and Project Managers engaged for this effort.
- CoWIN claims that several photo ID mechanisms can be used, but repeated sublime messages inform us that we must use Aadhaar number. The Government of India is also generating a Universal Health Identifier (UHID) for every citizen, which it is using to track the vaccination status. In future, this number could be tacked onto your medical insurance life insurance etc.
- CoWIN fails to verify Aadhaar / PAN / Voter ID / Passport number validity using the APIs that already exist and are in use by various agencies.
- UIDAI has gone on record many times that Aadhaar data must be collected only if authorised, and if authorised, such data should be verified using the API calls available.
- CoWIN does not have any mechanism to automatically detect incorrect Aadhaar <> Vaccine Beneficiary <> Mobile number linkage and raise exceptions to manually investigate and sort out such issues.
- CoWIN does not have any mechanism to detect potential misuse attempts such as Mobile / Aadhaar / PAN / Passport numbers being from different states versus the user’s geo-location.
- CoWIN does not have any mechanism to allow affected parties (such as myself) to raise a Support Ticket that urgently flags such falsification of data. There should have been at-least a SMS-based Complaint number.
- CoWIN does not have any mechanism to allow affected parties to raise a support ticket and get the issue rectified in a time-bound manner.
- CoWIN help-line is always busy with the voice message saying “Your call is important to us”, but really meaning “We don’t care about your time”. The help-line does not offer a Call-back option either. So much for user-friendly behaviour.
- CoWIN support system does not have a Form-based Ticket system with auto-acknowledgement; instead it uses an email ID, where the Support Agency can conveniently claim that “We never received your email”.
It was pointed out to me that a beneficiary may have inadvertently entered the wrong Aadhaar number (my Aaadhaar number). Since Aadhaar is a 12-digit number, and you have to enter every digit exactly to match mine, that is a 1-in-a-100-billion probability of making that mistake.
It was pointed out to me that I still could go ahead with registration by using an alternate photo-ID. This immediately brought to light a unique case from NCR. A young person, recently turned 19 years of age, tried to register for vaccination, only to discover that the person’s Aadhaar number had already been used by unknown party using unknown mobile number. At 19 years of age, this person obviously does not have a PAN card as its only when our salary reaches taxable bracket that we rush to make a PAN card. The person also does not have a Voter ID card, not having an opportunity to vote yet. The person does not have a Passport yet as they have not had the necessity to obtain it. In essence, the person was locked out of CoWIN and the opportunity to get vaccinated. This could be a life and death problem for the person.
If I were to hypothesize, a fake CoWIN registration using falsified Aadhaar presentation gives an opportunity to commit at-least two types of crimes:
- Attempt to vaccinate an ineligible person: While vaccination has only been recently opened up for 18+ years (and children below 18 are still not allowed), not until a few weeks back there was a crazy demand to get vaccinated by the largest demographic of India (between 18 – 45 years old) and they were still not eligible. In collusion with a vaccination site, such a loophole in CoWIN could have been used to vaccinate an ineligible person while the records reflected someone much senior in age. For this, collusion of the vaccination site would certainly be a requirement and possibly another agency that provided suitable Aadhaar numbers.
- Attempt to increase vaccination numbers: In the event a vaccination site is eligible to receive monetary benefits from the Govt, a corrupt site can use falsified Aadhaar presentation data to claim successful vaccinations. This can also be used if someone is trying to capture Vaccine stocks in an attempt to potentially smuggle them.
I have undergone my Vaccine-1st Dose and I can testify that the Vaccine Center only gave a cursory glance at my Aadhaar card; being more interested in collecting the Rs.250/- (that was the price for Covishield in April 2021 which has inexplicably become nearly Rs.800/- in June 2021). I did not receive any OTP from UIDAI to verify that my Aadhaar number was being used.
The Aadhaar card is not a ‘security enhanced’ document that cannot be faked. If you can generate a single random number from a set of 100-billion numbers, and you are reasonably proficient with MS Word, you can pretty much create a fake Aadhaar card; the only security challenge being OTP / Biometric verification – which not many agencies (including Govt services) undertake. If you can persuade a mobile phone shop owner to part with a few photocopies of the Aadhaar card copies he has received, your job is made even simpler. Now all you need, is a vaccination site that looks the other way while injecting your 16 year old party-loving son with the Aadhaar ID of someone else’s 61 year old Grandma.
The CoWIN system is a black-box. Contrary to it’s claims about being API-driven, open-source motivated, in reality the app was developed by ‘Unknown private parties’ at ‘Unknown cost’ on the behest of UN (United Nations) by using funding from ‘Unknown sources’. The CoWIN website does not list any specific information about the organisation structure, physical address, grievance officer contact details, resolution timeline, complaint form and acknowledgement mechanism. A report by Deccan Herald (and many other news papers) reveals that several RTI queries have failed to elicit any information.
The Govt may harass Twitter to hell with compliance requirements, but is unwilling to walk it’s own path.
CoWIN may have a vociferous champion in the likes of Dr RS Sharma, but in terms of software development standards, it is one of most badly developed products I have seen in a long time. For a short time, I worked as a Project Manager in a small e-learning company, whose experienced Chairman gave us an earful for daring to present to him a relatively small product that had not been thoroughly debugged in-house and security tested by an independent vendor. I am 100% sure that given a thorough audit, many more such issues will come to light in CoWIN.
In light of the gross issues with CoWIN regarding falsification possibilities, I seriously question if our vaccination numbers are as exaggerated as the COVID death numbers are under-reported?
If similar app development standards continue to be followed, how hard would it be for a criminal to take Medical Insurance on my name using falsified Aadhaar and Govt UHID, then rack up lakhs in bills that an unethical Hospital will claim from the insurance company? The resulting loot will be shared by all those colluding. Like the CIBIL score used by banks, my UHID Health Score will drop to such a low level, that essentially I will not be able to afford it any longer – for no fault of mine.
All for the lack of a simple OTP verification when using my Aadhaar for registration.