India pushes liveness detection to biometric devices to cut payments fraud
The growing wave of fraud perpetrated against the Aadhaar-enabled Payments System (AePS), the widely used last-mile payments platform in India, has prompted responses from government authorities as well as banking institutions that support the service. A software update is being pushed to all fingerprint biometric devices from the Unique Identification Authority of India (UIDAI) to protect against fraud with liveness detection.
The AePS fraud has also pushed the police in the State of West Bengal to urge state services to take measures aimed at protecting the biometric data available on documents on some government websites, according to reports cited by Medianama.
Also, there has been a call on the Indian Cyber Crime Coordination Center (I4C) to ask states to guard against AePS fraud on the websites of their respective Land and Revenue services.
The “Finger Minutiae Record-Finger Image Record” biometric liveness software from the UIDAI was unveiled before India’s Parliament in March, the Economic Times of India reports (subscription required).
The software’s deployment is expected to be completed “very soon,” a bank official told the publication. In the meantime, Economic Times reports that chargeback claims have declined, though a reduced amount of fraud is continuing. The system is intended to improve in effectiveness with continued training as it rolls out.
These actions come after investigations by the police in Kolkata, the West Bengal capital, revealed that fraudsters have been downloading land deeds from property websites and stealing fingerprint biometric data as well as Aadhaar numbers from them. They steal the data once they have access to at least one Application Identification Number (AIN), a number through which genuine users can access digital copies of their land deeds.
Fintechs also told the Economic Times that the lack of audits of AePS agents contributes to the problem.
The stolen biometric information is then used to steal money from bank accounts using the AePS, which is run by the National Payments Corporation of India (NPCI).
A transaction on the AePS requires only the bank name, the Aadhaar number and a check of the biometric data linked to the account, but there have been calls for a multi-factor authentication system to be set up on the platform.
Medianama quotes a researcher, Sourajeet Majumder, who confirmed that his findings showed an Insecure Direct Object Reference (IDOR) vulnerability on the West Bengal property website. Majumder said the vulnerability was reported to the relevant government officials, who later said they fixed the problem on September 27.
In the past, there have been many reports of fraudsters using cloned Aadhaar fingerprint biometrics to gain unauthorized access to people’s bank accounts using the AePS. This has even prompted a petition from a member of parliament, John Brittas, calling on the government to take a closer look at the situation.
The AePS is a widely used payment system in India, with the UIDAI reporting more than 200 million transactions on the platform in April.
Meanwhile, as part of the fight against the rising AePS fraud, some banks offering the service plan to rely on AI-driven software, which is being updated by the UIDAI, for liveness checks, the Economic Times reports.
The system began rolling out a few months ago following an uptick in fraud complaints.
The outlet cites an unnamed bank official as expressing optimism that the chances of using compromised biometrics to steal from the AePS will be significantly reduced once the biometric liveness detection feature has been added to the software.