Indian PM warned of rising Aadhaar payment fraud
Financial fraud related to the country’s unique biometric identifier Aadhaar is rising rapidly in India with, Indian Parliament member John Brittas warning that its victims are often the most vulnerable members of society.
Brittas addressed a letter to Prime Minister Narendra Modi this week asking him to direct the Finance Ministry and the IT Ministry to look into the issue, Hindustan Times reports.
Cybercriminals have been exploiting the county’s Aadhaar Enabled Payment System (AePS), a bank-led payment platform that allows all Aadhaar card holders to transact using a unique identification number. The scams involve cloning people’s Aadhaar-linked biometrics by using silicon fingerprints and unauthorized biometric devices and using them to steal money from their bank accounts.
“The system’s inability to distinguish between a genuine live fingerprint and a synthetic silicon fingerprint represents a significant flaw that is being maliciously exploited,” says Brittas, who is a member of the Communist Party of India.
The issue has been made worse by Aadhaar data leaks, including alleged leaks of biometric data stored by the Unique Identification Authority of India (UIDAI) which is in charge of the Aadhaar.
The National Payment Corporation of India (NPCI) has been spearheading Aadhaar Enabled Payment System (AePS) to promote cashless transactions in India and to simplify payments of social security benefits. It allows users to carry out banking and financial services through biometric-enabled micro ATM terminals and points of sale (POS). The model removes the need for one-time passwords, bank account details, and other financial details, allowing fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment.
Although the Aadhaar system is not as popular as the Unified Payments Interface (UPI), Indians still withdraw around 10 billion rupees a day using AePS, Brittas said in the letter. The adoption of security methods like masking Aadhaar cards and locking the cards has been “disturbingly low, particularly among the less educated segment of the population”.
Large banks have set up additional guardrails to prevent fraud, such as connecting mobile phone numbers. This, however, has raised transaction failures to between 10 and 15 percent, according to Economic Times.
“We are talking about poor consumers, some even below the poverty line, many of them do not own a mobile phone let alone getting them seeded with their bank account,” the report cites an unnamed banker.
This is not the first time that warnings have been issued about AePS fraud. In February, Indian Cybercrime Coordination under the Ministry of Home Affairs wrote to state governments about the misuse of AePS devices by fraudsters. The Ministry of Home Affairs stated that Aadhaar biometric data uploaded on state websites that host sale deeds and other agreements are being cloned by individuals to carry out unauthorized withdrawals from bank accounts.
The issue was brought back to public attention in May, when a popular Indian YouTuber named Pushpendra Singh shared how his mother’s bank account was drained using an Aadhaar-linked fingerprint without needing two-factor authentication. His mother was not informed of the transactions by her bank, Singh said in a Twitter thread.