eKYC Under Fire: Security Gaps Could Fuel Strategic Crimes
Critical Flaws in Know Your Customer Systems Threaten Privacy, National Security
The accelerated adoption of electronic know-your-customer solutions is exposing critical data to unprecedented risks, warned Kartik Lalan, a security researcher set to speak at Nullcon 2025 in March.
Lalan's session, titled "eKYC Crisis: Securing the Lockers," will spotlight how flaws in eKYC systems could lead to persistent threats, undermining both individual privacy and national security.
"Considering personal and national security and the lack of regulations and secure infrastructure, I was motivated to explore the limitations in current services that rely on eKYC," Lalan said, citing a need for awareness and information security expertise in identifying these gaps.
eKYC processes have streamlined compliance and enhanced user convenience in sectors including banking, telecommunications, insurance and government services, but these solutions have inadvertently expanded the attack surface for threat actors. Unlike compromised payment cards, leaked KYC details - such as Aadhaar numbers or biometric data - are immutable, leaving victims vulnerable for a lifetime.
Lalan identified vulnerabilities across industries, including finance, telecom, healthcare and small private agencies. But, he said, the most significant impact is seen in e-governance, where the stakes are higher.
"Strategic crimes would become very easy if eKYC vulnerabilities remain unaddressed. For such a crucial solution, a secured architecture with governing fundamental security principles was found missing in current implementations," he said.
The key risks Lalan identified include replay attacks, where stolen KYC documents can be reused for unauthorized purposes, tampered documents that bypass verification systems and fraudulent activities stemming from poor traceability.
He also stressed the critical shortcomings in cryptographic infrastructure and authentication mechanisms that exacerbate these vulnerabilities.
Abhisek Datta, co-founder of SafeDep and a member of Nullcon's Call for Papers review panel, said the topic is particularly relevant in the Indian context, considering the nation's cultural shift and reliance on digital identity with Aadhaar and other KYC documents.
"We felt it is very important to publicly talk about weaknesses and potential misuse of eKYC and digital identity infrastructure with the goal of building awareness among consumers to securely handle digital identity documents, and for the policymakers to prioritize security and safety of the infrastructure," Datta explained.
Lalan's session will include live demonstrations of both resolved and unresolved vulnerabilities. "The demos include downloading someone else's documents, forging documents within official apps without detection, and showcasing their impact on national security and regulations," he said.
Lalan refrained from naming specific solutions or identifiers, citing responsible disclosure practices.
Lalan will also examine gaps in document wallet systems, which are often marketed as secure storage for KYC data. Despite that promise, these systems frequently lack essential safeguards such as data authentication and counterfeit detection.
To mitigate risks such as replay attacks, forged documents and lack of traceability, Lalan recommends adopting practices from other existing domains, fine-tuned for KYC needs.
"Key solutions include data minimization, digital credentialing, document life cycle management, and balancing online and offline approaches. Public and private entities must collaborate on building robust, abuse-resistant systems," Lalan said.
"If the government is truly interested in addressing these issues, it must build a strong task force on a merit basis with a citizens-first approach," Lalan said, warning against complacency in digitization efforts.
Call for Action
According to Lalan, failure to address eKYC vulnerabilities poses not just technical but also systemic risks. "Strategic crimes will evolve as eKYC data becomes more accessible to attackers. Citizens must react first, followed by enterprises and governments, which need to go beyond compliance and focus on practical abuse cases," he said.
Among Lalan's proposed solutions are unique document identification numbers to enhance security and traceability.
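To make the mitigations concrete, here is an added example (not code from the article, Lalan's talk or any eKYC product) that models a digitally credentialed KYC document with a unique document identification number, issuer data authentication, a registry for counterfeit and revocation checks, a single-use challenge against replay, and salted commitments so the holder discloses only the attributes a verifier needs. Keys, the subject's attributes and the HMAC-based "signature" are constructed placeholders; a real issuer would use an asymmetric signature such as Ed25519 so verifiers hold no secret.

```python
from __future__ import annotations
import copy, hashlib, hmac, json, secrets, time, uuid

# Constructed demo keys (placeholders, not real material).
ISSUER_KEY = b"issuer-signing-key-constructed-for-demo"
HOLDER_KEY = b"holder-device-key-constructed-for-demo"


def _canon(obj) -> bytes:
    """Canonical JSON so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 stands in for an issuer signature in this demo.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _commit(salt: str, value) -> str:
    return hashlib.sha256((salt + str(value)).encode()).hexdigest()


def issue_credential(attributes: dict) -> tuple[dict, dict]:
    """Issuer side: the credential carries a unique document id and salted
    commitments to each attribute, never the raw values (data minimization)."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    body = {
        "doc_id": str(uuid.uuid4()),  # unique document identification number
        "issued_at": int(time.time()),
        "commitments": {k: _commit(salts[k], v) for k, v in attributes.items()},
    }
    cred = {"body": body, "sig": _mac(ISSUER_KEY, _canon(body))}
    return cred, {"values": attributes, "salts": salts}


def present(cred: dict, holder: dict, disclose: list, nonce: str) -> dict:
    """Holder side: reveal only the requested attributes, bound to this nonce."""
    proof = _mac(HOLDER_KEY, _canon({"sig": cred["sig"], "nonce": nonce}))
    return {"credential": cred, "nonce": nonce, "holder_proof": proof,
            "disclosed": {k: (holder["values"][k], holder["salts"][k]) for k in disclose}}


class Verifier:
    def __init__(self):
        self.issued_ids, self.revoked_ids = set(), set()   # document lifecycle registry
        self.open_nonces, self.used_nonces = set(), set()  # challenge bookkeeping

    def register_issued(self, cred): self.issued_ids.add(cred["body"]["doc_id"])
    def revoke(self, doc_id): self.revoked_ids.add(doc_id)

    def challenge(self) -> str:
        n = secrets.token_hex(16)
        self.open_nonces.add(n)
        return n

    def verify(self, p: dict) -> tuple[bool, str]:
        cred, body = p["credential"], p["credential"]["body"]
        # 1. Data authentication: any edit to the body breaks the issuer MAC.
        if not hmac.compare_digest(cred["sig"], _mac(ISSUER_KEY, _canon(body))):
            return False, "tampered or forged credential"
        # 2. Counterfeit detection and lifecycle: id must be minted and not revoked.
        if body["doc_id"] not in self.issued_ids:
            return False, "unknown document id"
        if body["doc_id"] in self.revoked_ids:
            return False, "revoked document"
        # 3. Replay resistance: the nonce is burned on first use, success or not.
        nonce = p["nonce"]
        if nonce in self.used_nonces or nonce not in self.open_nonces:
            return False, "replayed or unsolicited presentation"
        self.open_nonces.discard(nonce)
        self.used_nonces.add(nonce)
        expected = _mac(HOLDER_KEY, _canon({"sig": cred["sig"], "nonce": nonce}))
        if not hmac.compare_digest(p["holder_proof"], expected):
            return False, "holder binding failed"
        # 4. Disclosed attributes must open the commitments the issuer signed.
        for k, (value, salt) in p["disclosed"].items():
            if body["commitments"].get(k) != _commit(salt, value):
                return False, f"attribute {k} does not match commitment"
        return True, "ok"


def run_demo() -> dict:
    """Exercise the checks above; subject data is constructed and fictitious."""
    cred, holder = issue_credential({"name": "A. Sample", "dob": "1990-01-01",
                                     "id_number": "0000-0000-0000"})
    v = Verifier()
    v.register_issued(cred)
    r = {}
    p1 = present(cred, holder, ["name"], v.challenge())   # discloses name only
    r["fresh"] = v.verify(p1)
    r["replay"] = v.verify(p1)                            # same bytes again
    p2 = present(cred, holder, ["name"], v.challenge())
    p2["credential"] = copy.deepcopy(cred)
    p2["credential"]["body"]["commitments"]["name"] = "00" * 32  # edited document
    r["tampered"] = v.verify(p2)
    p3 = present(cred, holder, ["dob"], v.challenge())
    p3["disclosed"]["dob"] = ("2000-01-01", holder["salts"]["dob"])  # wrong value
    r["wrong_value"] = v.verify(p3)
    v.revoke(cred["body"]["doc_id"])
    r["revoked"] = v.verify(present(cred, holder, ["name"], v.challenge()))
    return r


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:12s} -> {outcome}")
```

The ordering of checks matters: the signature is verified before the registry is consulted so an attacker cannot probe which document ids exist, and the nonce is consumed before the holder proof is checked so a failed attempt cannot be retried with the same challenge. The `wrong_value` case shows why raw attributes should never be trusted just because the credential is authentic: each disclosed value has to open the commitment the issuer signed.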
Failure to implement such measures, he said, could extend beyond individual fraud, with attackers potentially leveraging leaked eKYC data to bypass national security protocols and execute large-scale scams.
Datta echoed these concerns, urging users not to over-rely on eKYC systems and to keep conventional, mature authentication and verification in place for critical operations such as financial transactions.
With live demos, real-world examples and actionable insights, Lalan's session aims to shed light on a growing crisis that demands immediate attention from enterprise leaders and policymakers alike.
"It is very hard to educate users to securely leverage their private information such as their digital identity. Attackers and other vested interest groups will exploit vulnerabilities at the user end because they are easiest to target to harvest digital identifiers for malicious activities," Datta said.