TelCos KYC procedures allow non OTP, non biometrics process too!

Deal Newbie
risat
Recently someone got a prepaid connection.
They gave the UIDAI issued (Aadhaar) number as ID proof.
No physical ID proof was shared, just the Aadhaar 'number' was given.

The agent could fetch the data (father's name and everything got populated in respective fields in the form/ company's application)
based solely on it, as usual. Nothing surprising till now.

But thereafter, this agent took neither finger/thumb print verification nor retina scan (both of which UIDAI has).

The agent simply took the usual (in-app) photograph.. one more time (for what he called 'Face ID').

I am reporting this AFTER the number is successfully migrated (ported) and seamlessly in use with the freebie recharge for over 3-4 days.

I am not telling the (telecom) operator name on purpose. Everyone would say that they are like that only😄.
But in reality, we were told, 'Face ID' is now industry practice.

The risks as I see it

'Face ID' is NOT the biometric which the authorities (UIDAI, passport issuing authorities, driving licence issuing RTO) ever took.
I think all those photographs are mere 2D photographs.
Based on those 2D photos, the telecom companies claim to have (¿A.I./ M.L.¿) capabilities to take an in-application 3D image of the face and verify it against the 2D image in Passport, Driving Licence, Aadhaar database.

⚠️risk of FALSE POSITIVEs is there⚠️


Secondly, in such cases.. no other control is given to the user.
Even if an OTP, e-mail was sent by UIDAI, telecom operator.. then user can at least come to know of possible biometrics access attempt.

The person who took the ported number does not have their biometrics locked on the UIDAI portal.
This we are unaware of whether at all the telecom company requested for it.
Logically, they would not have, since no thumbprint/ fingerprint scanner was used.
No iris scan either.

When asked the other agent, why you never bypass the thumb impressions and directly do this 'Face ID' thing,
he openly said in front of his friend/the agent doing the MNP.. that risk of FALSE POSITIVE is there.. hence he does not.

⚠️meaning.. in good faith and under confidence.. you give your Aadhaar number to me. I later go find someone whose face resembles yours. Tada!⚠️ no OTP or e-mail if by chance no biometric access. I can fill a new form. Use your ID proof number and take a photo of someone who looks like you or has make-up, prosthetics to match your facial features.

Lastly, when even financial institutions leak data to scammers, what if the 3D photograph and data taken by the telecom operators is permanently stored by them? It can later/soon reach the hands of unscrupulous elements.

So please beware be aware. Wearing face masks in public or putting tapes on fingertips.. while in public.. is a standard practice in Japan.. for MANY people there. (Now high end or specialised cameras can take macro zoom shots from really afar too.)
Deal Newbie
By '3D' photograph, I meant that the person was asked to move their head left to right, right to left and then blink too.
So the software/ mobile application in the agent's device/phone is designed to avoid chances of a statue (by asking to blink) and they seem to have "depth perception" too.. since taking multiple data points when head is being moved.. till ears.

I do not think Aadhaar databases have our 3D (face) data. It used to be just a front facing photograph.
Aadhaar data might have 'facial recognition' though.. even if it is a 2D image. Maybe the TelCos are mixing Machine Learning (3D facial recognition) with usual 2D facial recognition techniques.

Either way, scary for me to think of what can happen.
Benevolent

Wait till AI can make ur head tilting video from an image u share on social media wink

Deal Cadet

My JioAirFiber KYC process went like above last week - through video KYC with Aadhaar number. I didn't have to turn my face, just eye blinking. I think it uses UIDAI's AadhaarFaceRd app in the background that is used by pensioners for face authentication. 

Deal Newbie
Thank you for confirming that it is industry practice and not a one off event.

Yes the usual agent (who refuses to do Face ID verification) asks for the head turns for BSNL KYC, even if taking thumb impressions.

I am unaware of such UIDAI software/ application.
In so far as I know, they use respective softwares, portals of the companies they are the agents of.

Either way it shows how much of a grey area there is. Like on one side they do allow prepaid from rest of India to work in Kashmir, Jammu. And here one sees easy KYC.

I think my acquaintance might not have updated e-mail so he does not even get e-mails. Or maybe he does, I do not know.
But usually I see e-mails, OTPs sent to those whose biometrics are kept locked on the UIDAI site.
Flame

Yes this is how it works. 

It is really scary. 

But I had received email from UIDAI after this that auth was carried with demographics and biometric. 

But most of the time UIDAI email is delayed and it can take up to 1-2 days. So, if someone scams with you then you will know after 1-2 days. 

Finance Mentor

For face id, one has to blink to prove that it's a live feed/pic...
