Lock Aadhaar biometrics to prevent fraud: Experts

Lock your Aadhaar biometrics to prevent theft from your bank account, police and cybersecurity experts say.

Their advice comes in the wake of AEPS scammers cloning fingerprints to clean out bank accounts of unsuspecting victims.

AEPS stands for Aadhaar Enabled Payment System. It is an Aadhaar-linked service that allows a bank customer to perform basic transactions, like balance enquiry, cash withdrawal and remittances. These transactions are done in the presence of a ‘business correspondent’ or ‘bank mitra’ who carries a swiping machine, also called point of sale (PoS) machine, or micro ATM. To complete the transaction, users need to provide an Aadhaar number and bank name and authenticate their identity via a fingerprint or iris scan.

Cyber scammers have been exploiting AEPS lately to rob unsuspecting bank customers. The operation is done remotely, and no OTP or SMS verification alert is sent during such transactions.

Scammers lift people’s thumb impressions from publicly available documents like property records, clone them using silicone sheets or rubber stamps, and use them to complete AEPS transactions.

Last month, Karnataka’s CID department advised citizens to lock their Aadhaar credentials (see box). M A Saleem, DGP, CID, Karnataka, said, “We had received information from I4C (Indian Cybercrime Coordination Centre) that Aadhaar-linked biometric details had been misused in about 700 cases across the country.” Later, the Bengaluru police posted a similar advisory on social media.

‘All vulnerable’

Renu (name changed) locked her Aadhaar credentials and also that of her husband and parents recently. A chance meeting with a victim of an AEPS fraud prompted her to act.

The writer recalls, “A young woman giving me a haircut at a Basavanagudi salon looked upset. She said Rs 3,000 had been stolen from her bank account. That is all she had. She neither got an OTP nor SMS alert. When she went to the cybercrime police station, she was told, ‘Why did you not lock your Aadhaar credentials?’” That evening, Renu locked her family’s Aadhaar details. Saleem says everybody who has an Aadhaar-linked bank account is vulnerable — not just low-income or unlettered citizens.

‘Remove biometric’

AEPS frauds have reignited the criticism against biometric authentication. “The technology to clone fingerprints is cheap. And it was always known,” says Srinivas Kodali, independent researcher working on Aadhaar in Hyderabad.

Slamming the Aadhaar system as a “broken design”, he says, “Think of the Aadhaar number as your username and fingerprints as your password. Both are public! We can fix the design by removing biometrics as password.”

Locking the Aadhaar credentials is not a “scalable idea”, because, digital literacy in India is low, and not everybody has a smartphone, he explains. 

Pallavi Bedi from Centre for Internet & Society, Bengaluru, says biometrics should not be the only layer of authentication. She would like an OTP included. “As we grow older, it becomes
harder to capture our fingerprints,
so using fingerprints for authentication is not reliable,” says the senior researcher.

Watch your trail

“Whether you are enrolling for Aadhaar or buying a new SIM card, wipe your fingerprints from the scanner with a handkerchief or something before walking away... Some insiders sell fingerprints from stamp duty papers, ink pads and other surfaces,” says Ritesh Bhatia, cybercrime investigator and cybersecurity consultant from Mumbai.

Don’t ignore SMSes is another of his suggestions. “With AEPS, you can withdraw Rs 10,000 at a time and Rs 50,000 a day. If you get an SMS alert about an unauthorised withdrawal of Rs 10,000, you can call the bank to freeze your account and save Rs 40,000,” he explains.

Cybercrime consultant Mukesh Choudhary from Rajasthan says people should not furnish Aadhaar as ID proof unless it is necessary. “I show my voter ID card for most purposes. Sharing Aadhaar can be risky in places like hotels as they tend to store hard copies sometimes,” he says.

Audit agents

According to cybersecurity consultants, the rot lies in the intermediary network that operates Aadhaar equipment and micro ATMs, and the government has failed to audit them. “Severe penalties need to be imposed,” says Ritesh.

How to lock Aadhaar biometrics

1. Visit uidai.gov.in. Go to ‘My Aadhaar’ and then ‘Aadhaar services’. Click on ‘Lock/unlock biometrics’.

2. Download mAadhaar app on Play Store or App Store. Register and click on the three dots on the top corner to find the lock/unlock option.

Call 1947

It is the toll-free Aadhaar customer care number.

What does the law say?

The Aadhaar Act, 2016, prescribes a jail term of up to three years or a fine of up to Rs 10,000 for unauthorised use of Aadhaar credentials. The Information Technology Act, 2000, also has provisions for punishment, says advocate Akanksha Natesan.