Tuesday, August 30, 2016

How can an Enterprise start using Aadhaar ESign?



In this blog we explain the options an enterprise has to start using ESign, and the pros and cons of each.

Aadhaar eSign is a Govt. of India approved digital signing service that uses the Aadhaar data of the Aadhaar holder to sign digital documents without using any other software. Financial organisations like banks, stock brokers, insurance companies etc. stand to make significant gains by implementing eSign solutions. With eSign these organisations will be able to make full use of their web and mobile infrastructure for providing services to their customers.

The possible options are as below.

  • Becoming ASP (Application Service Provider) with one of the ESP
  • Subscribe for a SaaS service of Aadhaar ESign


Becoming ASP (Application Service Provider) with one of the ESP

Becoming an ASP (Application Service Provider) with one of the ESPs is the best option to enter the ecosystem. For this the enterprise needs to have an ESign server which communicates with the ESP. This server needs to be audited by security auditors approved by the ESP. There are multiple levels of integration, and the organisation needs to go through the process either by developing the ESign server on its own or by purchasing one from a vendor like us, Finahub.


Pros / Cons
  • Purchasing a pre-audited ESign server from a vendor saves time and money in onboarding cost
  • Your data resides on your server only, and you have full control over the access of it.
  • Cost per sign will be cheaper.
  • Ideal for big-volume customers like banks, NBFCs, micro finance companies etc.

Subscribe for a SaaS service of Aadhaar ESign

The second option is to go with an ESign SaaS service provider. The advantage here is that you can start using it very fast: just integrate the API of a vendor who is already an ASP, like us Finahub, and you are ready to go live. But if you have big volumes of ESign transactions, it will be costly. Ideal for FinTech startups who want to make everything work online.

Pros / Cons
  • Easy to start using
  • Costly if you have big volume
  • Data resides with a third-party vendor



If you have any questions on Aadhaar ESign feel free to reach us. We are experts in Aadhaar related products and services like ESign, Ekyc, Authentication etc. Call us @ 0484 2388285 or email us at info@finahub.com

Tuesday, June 21, 2016

Now Aadhaar holders have the option to block their Aadhaar card



Did you know that an individual Aadhaar holder has the option to block his Aadhaar card? As the Aadhaar card is voluntary, it also enables Aadhaar holders to block or unblock their Aadhaar card data, including personal and biometric data. The option was introduced a while back following opposition from activists, who stated that it did not give persons the choice to de-register once they enrolled. Individuals also have the option to update information in their Aadhaar card via the Aadhaar update portal or Akshaya centres.

A Constitution Bench led by Chief Justice H L Dattu had sought to know from Attorney General Mukul Rohatgi about the nature of Aadhaar cards prepared under the aegis of the Unique Identification Authority of India (UIDAI). “The making of the card is voluntary. Using the card is voluntary and not only this, a card holder can block it too. If a person wants to block the information about him contained in the biometric database, he can do it voluntarily and nobody will be able to unblock it. Such information will be locked till he wants,” the report quotes Rohatgi as saying.

The UIDAI, established by the UPA-2 in 2009, issues Aadhaar cards to the citizens, who want to use the government welfare schemes. Under the programme, every resident in India is provided with a 12-digit unique identification number for which biometric information is collected.

The blocking and unblocking can be done by the individual himself using the URL https://resident.uidai.net.in/biometric-lock . The feature respects the privacy of the individual and gives him full control over his personal information and the choice of when to use it or not. We, team Finahub, are experts in Aadhaar Ekyc, Authentication and Aadhaar E-Sign implementations. Feel free to contact us in case of any questions.

Ph: 0484 2388285, +91 9562162111
Email info@finahub.com

Saturday, May 21, 2016

How to secure your AngularJS application?



Securing your AngularJS application is always a concern for developers. Since it is a JavaScript framework, most of the work is done on the client side, so anyone viewing the source of the page can usually learn the business logic flow, security tokens, keys etc. unless you take care of it.

We at Finahub have recently developed an Aadhaar ESign application which went through several rounds of security audits. We used AngularJS as the front-end framework and did many things to make sure our application is secure in every aspect, so we thought of sharing our experience with fellow developers. Following are the security risks that may affect an Angular app and the solutions to each of them.


1. Cross Site Request Forgery

Description

When a web server is designed to receive a request from a client without any mechanism for verifying whether it was intentionally sent by the authenticated user or not, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic intended request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Solution

The Angular framework has a built-in XSRF feature which can be used to prevent this.

The Angular $http service will do these things automatically:


  • Look for a cookie named XSRF-TOKEN on the current domain.
  • If that cookie is found, it reads the value and adds it to the request as the X-XSRF-TOKEN header.

Thus the client-side implementation is handled for you, automatically! But this does leave the server side pieces in your hands. You will need to do the following parts:


  • During login: create the CSRF token (with a random, un-guessable string), and associate it with the user session. You will need to send it on the login response as the XSRF-TOKEN cookie.
  • Assert that all incoming requests to your API have the X-XSRF-TOKEN header, and that the value of the header is the token that is associated with the user’s session.


This small backend work will protect your application from CSRF attacks.


2. Improper Input Validation

Description

If you rely only on the validation framework of AngularJS, you will surely have this problem. The JavaScript validations can easily be turned off, and people can then submit unwanted content through input fields. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.

Solution

The only foolproof way to fix this is to do all input validations on the server side too. Client-side validation in Angular is helpful for users, but against attackers who may alter the JavaScript we need to make sure nothing gets through the server-side validation.


3. Business flow Vulnerability

Description

In an Angular framework application we normally control the process flow or business flow by showing or hiding sections of the page. It's very convenient for users, since it is very fast and requires no page reload. But attackers can easily alter the JavaScript to show or hide sections of the HTML page. They may also be able to skip various steps in a business flow and perform the final step directly. This is a serious security risk.

Solution

A server-side business flow check is a must to prevent this. The application must have checks in place ensuring that users complete each step in the process in the correct order, preventing attackers from circumventing any steps/processes in the workflow. Testing for workflow vulnerabilities involves attempts to execute the steps in the process in an inappropriate order.
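One way to implement the server-side flow check described above, as an added example in Node.js (not Finahub's code): a hypothetical three-step eSign flow in which each session may only run the next expected step, so calling the final step directly or replaying a finished step is refused. The step names and the in-memory store are constructed for the illustration.

```javascript
// Added example (not Finahub's code): server-side enforcement of step order
// for a hypothetical three-step eSign flow. Step names and the in-memory
// flow store are constructed for this illustration.
const STEPS = ['upload-document', 'verify-otp', 'sign'];

// Per-session progress: index of the next step this session is allowed to run.
const flows = new Map();

// Called when the user begins the process (e.g. after login).
function startFlow(sessionId) {
  flows.set(sessionId, { next: 0 });
}

// Returns { ok: true } only if `step` is exactly the next step for this
// session. Skipping ahead (e.g. posting to 'sign' first), repeating a step,
// or posting an unknown step name is rejected regardless of what the
// client-side JavaScript showed or hid.
function runStep(sessionId, step) {
  const flow = flows.get(sessionId);
  if (!flow) return { ok: false, reason: 'no active flow' };
  const idx = STEPS.indexOf(step);
  if (idx === -1) return { ok: false, reason: 'unknown step' };
  if (idx !== flow.next) {
    return { ok: false, reason: `expected '${STEPS[flow.next]}', got '${step}'` };
  }
  flow.next += 1;
  const completed = flow.next === STEPS.length;
  // Drop the finished flow so the final step cannot be replayed.
  if (completed) flows.delete(sessionId);
  return { ok: true, completed };
}
```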


4. Vulnerable JavaScript Library

Description


Some older AngularJS library versions have reported vulnerabilities, e.g. version 1.2.29.

Solution

Make sure you are using the latest version of the AngularJS library.


We hope this blog was really helpful for making your Angular application secure. Feel free to get in touch with us via info@finahub.com.


Thursday, May 5, 2016

Digital signature an introduction


We are starting a series about digital signatures and how organisations can take advantage of using them. This is our first article on this topic.

A digital signature is a mathematical scheme for ensuring the authenticity of a digital message or document. If a document is digitally signed, it ensures that it was signed by a specific person, and the person who signed cannot deny the authenticity of the document. Usually, organisations keep their documents as papers which are signed by people with ink, or they save them digitally by scanning these papers.
In our country (India) digital signatures have legal validity, so they can be employed in many areas where signed documents are to be saved. Digital signatures can be effectively employed in customer onboarding, especially by companies in the financial sector. Please note that digital signatures are not valid in every scenario. To know more about where a digital signature can and cannot be used, please refer to our blog post.

Tuesday, May 3, 2016

World Bank wants to take Aadhaar global


The real success of Aadhaar has got the attention of the World Bank. Aadhaar is being used for various subsidy programmes and is saving the government a lot of money.
Seeing and understanding the real benefits of a unique ID is making the World Bank advise other countries to come up with similar strategies. We see this as recognition of the Govt of India for this well-crafted idea and precise execution.

Key highlights of the Aadhaar ecosystem are as below.
  • More than one billion people have their Aadhaar now
  • Cost of issuing one Aadhaar ID was less than $1
  • Supports token-less authentication, anytime, anywhere
  • Saves approximately $1 billion (Rs 6500 crores) a year for the Indian government by reducing corruption and leakage
  • Every enterprise, both govt and private, can make use of the Aadhaar ecosystem.

Tuesday, March 29, 2016

Where digital signatures (including Aadhaar eSign) can and cannot be used?



In India, the Information Technology Act 2000 gives digital signatures legal validity as a signature at par with physical signatures. Digital signatures enable digitisation of processes, making them more efficient and convenient for all parties involved. Until recently digital signatures have been used by a very limited set of people for a very limited set of activities. This is because digital signatures have been seen as a complicated piece of technology that required the use of specialised software tools and processes for it to work. This has kept the technology from getting mass adoption even though it has immense potential.

All this is going to change with the advent of Aadhaar based eSign technology that enables any Aadhaar holder to do a digital signature without having to install any software or purchase any signature/certificate from a certifying agency. A digital signature can be placed on a document by just an Aadhaar authentication using biometric authentication methods or by OTP.  

This is a great opportunity for businesses in India to digitize their process and take advantage of the operational efficiency and cost effectiveness offered by using fully digital processes. Businesses will have to look at the processes that are ideally suited for the use of digital signatures without causing a legal fallout. This brings us to our question, are there cases in which digital signatures cannot be used? 

Wednesday, March 2, 2016

UIDAI relaxes eligibility criteria for entities to get KUA / AUA registration



UIDAI has relaxed the eligibility criteria for entities to get KUA (KYC User Agency) / AUA (Authentication User Agency) registration with the latest notification dated January 28 2016. This makes onboarding as KUA / AUA easier for many regulated entities. Earlier many regulated entities were not included in Category 2 (Regulated Service Providers), so only entities with a large customer base and turnover were able to become KUA. Now with these new changes the following types of regulated entities are also included in Category 2, for easier KUA registration.

  • All types of banks including Payment Banks, Small Finance Banks and Non-Scheduled Urban Co-operative Banks
  • NBFCs (Non-Banking Financial Companies)
  • Regulated by CCA - Certifying authority
  • Regulated by CCA - Digital Locker providers
  • Regulated by CCA - E-Sign Providers
  • Regulated by SEBI - KRA (KYC registration agency)
  • Regulated by SEBI - Depository Participant (DP)
  • Regulated by SEBI - Asset Management Company (AMC)
  • Regulated by SEBI - Trading Exchanges
  • Regulated by SEBI - Registrar and transfer agents
  • Regulated by National Housing Bank