Pakistan’s Federal Investigation Agency (FIA) has raised concerns about the country’s biometric database. However, there is some confusion as to the nature of the issue. The biometric database is maintained by the National Database and Registration Authority (NADRA), which has reported that its database is secure.
The FIA, on the other hand, told a National Assembly panel that the database had been hacked, and that the biometric data in it had been compromised. The agency has since revised that statement, while NADRA has asked the FIA to clarify its “wrong statement.”
The issue appears to stem from the ready availability of illegal SIM cards in Pakistan, and from a vulnerability in the SIM verification process. Pakistan currently asks people to provide their fingerprints when registering for a SIM card. Fraudsters have managed to get their hands on the fingerprint data of real (and unknowing) victims, primarily through schemes that have targeted women and the elderly. The fraudsters have then used those fingerprint images to create silicone prints that are sophisticated enough to spoof the country’s registration system.
The silicone prints allow the fraudsters to obtain illegal SIM cards, which can in turn be used to perpetrate a range of other cybercrimes. The FIA recently seized 13,000 illegal SIMs during a raid in Faisalabad, and its cybercrime wing has received roughly 89,000 complaints from those who believe their data has been compromised. Even that does not capture the full scope of the problem. The Pakistan Telecommunications Authority (PTA) reported that 175,000 illegal SIM cards have been deactivated since November of 2020, while two mobile phone operators have received fines of Rs100 million and Rs50 million for failing to perform customer due diligence when issuing cards.
The PTA went on to state that more than half a million cards were shut down following a customer complaint, and that the sale of illegal SIMs is down 600 percent in the past year alone. It also suggested that mobile operators are planning to roll out a new liveness detection system that can thwart silicone spoofs. The FIA, meanwhile, claimed that it lacks the staff to address the full scope of the problem. The agency has 162 investigators tasked with resolving cybercrime complaints.
If the NADRA system has been compromised, it would likely make the public more wary of biometric databases, especially after Afghanistan’s biometric hardware was captured by the Taliban. Some members of the Pakistan National Assembly have argued that the country should implement stronger data protection and privacy laws. NADRA launched a mobile national ID app in September, while the country itself has previously used biometrics to distribute welfare, and to facilitate other social assistance programs.