In May, YouTuber Pushpendra Singh’s social media thread went viral. It detailed how money was allegedly siphoned out of his mother’s bank account using cloned Aadhaar details.
Singh alleged that when he went to the Punjab National Bank branch at Mohna Road in Ballabgarh in Haryana’s Faridabad in April, his mother’s passbook showed zero balance though funds had recently been deposited in her account from the sale of land that the family owned.
Singh, in his post, wrote that the bank manager told him the account was emptied using his mother’s Aadhaar number and biometric data – her fingerprints. When Singh said she had never shared such information anywhere, the bank manager told him that fingerprints can be hacked or cloned from registry documents for any property.
In the months since, several other cases of similar fraud have been reported, prompting the State Bank of India and the Karnataka cyber police to advise customers to “lock” their biometrics on the Aadhaar website to prevent misuse.
Many of these scams involve cloned or fraudulently obtained fingerprints and the Aadhaar-enabled Payment System, or AePS. The modus operandi is largely the same: stolen fingerprints are used to make copies, often using silicone, which are then used to authenticate financial transactions via Aadhaar, siphoning money directly out of bank accounts.
The Aadhaar-enabled Payment System requires customers to enter their Aadhaar number into swipe machines and authenticate a transaction – obtaining cash, for instance – by placing their finger on an attached scanner.
A cyber police officer in Haryana police told Scroll that fraudsters steal fingerprints from land revenue documents that are publicly available on the government’s official website for land record documents.
Muktesh Chander, Goa’s former director general of police and an expert on cyber security, explained how it is done. “A silicone-based latex glue is used to generate a skin-coloured fingerprint clone from the documents,” he said. Then, the fraudster sheaths their thumb or finger with this fake fingerprint to con the biometric scanner. “This is possible either because of the negligence of those running the swipe machines or their connivance.”
Satendra Yadav, a security consultant at Paladion Network, a cyber security firm, said Aadhaar authentication scanners used at Aadhaar Kendras run by the UIDAI, or Unique Identification Authority of India, only accept the live touch of a human. “But scanning systems of private operatives are not sensitive to liveliness of touch,” said Yadav.
This allows scammers to use fake fingerprints, such as rubber clones or digital prints, to authenticate the identity of the person. “It can be called an Aadhaar-based breach at end-user applications like banks or PDS,” said Yadav, referring to the public distribution system.
In September, the Kolkata police asked the state finance department to mask biometric information and Aadhaar card numbers of those who have uploaded land deeds to the state’ property registration website.
Cybersecurity and digital technology experts Scroll spoke to said locking biometrics may offer some level of protection but does little to address the inherent weaknesses in an ever-expanding Aadhaar-linked digital ecosystem.
Many of these problems, they say, stem from the insistence of the government over the years to link Aadhaar with various services, such as bank accounts, PAN cards, phone numbers and voter IDs. Aadhaar is also the de facto ID proof to access welfare programmes and subsidies that a vast population is dependent upon.
How AePS works
The Aadhaar-enabled payment system allows account holders to carry out basic transactions, including cash deposits and withdrawals, using Aadhaar biometric authentication. Bank accounts must be linked to Aadhaar numbers to carry out these transactions.
One of its aims is the financial inclusion of Indians in rural and remote areas where there are few bank branches and low familiarity with facilities such as debit cards or ATMs.
According to the National Payments Corporation of India, AePS payments can be carried out through business correspondents, who are authorised by banks to represent them.
Aadhaar authentication has widespread use. In April alone this year, the government said there had been more than 200.6 million, or 20 crore, last-mile banking transactions through the Aadhaar-enabled Payment System and the network of micro ATMs.
Yet, frauds are widespread. In October 2021, economist Jean Dreze, along with researcher Vipul Paikra, had written about a range of scams that were exploiting the Aadhaar-enabled payment system. For instance, business correspondents were found to be short-changing customers.
Those forced to rely on Aadhaar, such as the marginal and poor in urban and rural areas who need to access government subsidies and welfare programmes, have been the major victims of such scams. Since affluent Indians in urban India do not use subsidies or rely on Aadhaar-enabled payment systems, their risk of biometrics being compromised has been lower. That seems to be changing.
The ‘mandatory’ bank linkage
In mid-2017, the government ordered all customers to mandatorily link their bank accounts with their Aadhaar numbers by the end of the year or risk having their accounts made temporarily inoperable.
In September 2018, the Supreme Court ruled that such linking was not mandatory. But by then several Indians had already linked their bank accounts with their Aadhaar. “What they didn’t know was that while they were linking, they were also activating a new instrument,” said Srikanth Lakshmanan, a digital security expert and researcher. Linking Aadhaar and bank accounts automatically activates the Aadhaar-enabled Payment System.
Cybersecurity expert and digital technology researcher Srinivas Kodali drew parallels with bank-issued payment methods to explain how this has become a major vulnerability.
Banks offer customers different kinds of payment instruments, like credit and debit cards, and facilities such as internet banking and phone banking. But when someone opens a bank account, they do not have access to any of these. “You have to apply for them,” said Kodali. “In your form, you have to tell the bank manager, you want internet banking and you want a debit card.”
But the UIDAI, Kodali said, believes that marginalised or rural people will not know how to opt-in or opt-out of the AePS. “If the idea is to do default opt-in for the entire population when you link Aadhaar, then your bank should ideally give you an option to opt-out,” he said.
A public password
Kodali said that data theft and fraud are problems in other payment instruments too, like credit cards, which give you a range of controls such as blocking the card, setting transaction limits or changing PINs. “That option doesn’t exist with AePS with Aadhaar,” said Kodali.
Kodali drew a parallel: Aadhaar is the user ID while biometrics are the password. “And unfortunately, you can’t change that,” he said. “Your password is public.”
Suppose your password is leaked in a cybersecurity attack, then someone can access your account, said Kodali. “But by design, what you do then is you allow changing of passwords.” He said all major services allow users to change their passwords, even banks and internet banking. “But by design, with Aadhaar, you can’t change your password.” Because if your biometrics are your “password”, changing that is impossible.
Biometrics are a “public” password, said Kodali, because “you leave your fingerprints everywhere.” Property or land documents, driver licences, visa processing now all require biometrics, he pointed out.
Lakshmanan agreed. He said that people’s Aadhaar numbers being “leaky” and “widely available” has been a known fact among data security and privacy advocates.
“The fact that your fingerprint is available only with you is a factually incorrect statement. You leave your fingerprints all over,” he said.
But how does biometric data alone allow access to a bank account?
According to Lakshmanan, sensitive financial data is often “traded”. “You have the same kind of thing in card frauds,” he said. “Somebody steals your card but then the same person will not use it.”
Likewise, Aadhaar and fingerprints are traded separately, he said. “Whoever gets access to this (fingerprints or Aadhaar number) will not directly use it to withdraw money,” he said. “They would rather sell this access to somebody else who then uses it for some other purpose.”
As a result, fraudsters who already had Aadhaar data were also able to get their hands on fingerprint biometrics. Essentially, if anyone has linked their Aadhaar to their bank account, and have their biometrics compromised, theyare at the risk of fraudsters getting access to both these data points, said Lakshmanan, referring to biometrics and the details of the Aadhaar-linked bank account.
“If your Aadhaar number is public and your ‘password’ [meaning, fingerprints] is public, both your ID and password are public,” said Kodali. “Anyone can then use these details to withdraw money.”
There has been growing concern over Aadhaar-related financial frauds involving cloned biometric data with the Ministry of Home Affairs flagging the matter to states and Union Territories in February, The Print reported.
According to The Print, the home ministry’s Indian Cyber Crime Coordination Centre warned that data available on state registry websites for sale deeds and agreements was being scraped. Aadhaar is used for land and property sale as well.
The nodal agency also told states and Union Territories to ensure that their revenue and registration departments “mask the fingerprints on documents when uploading them to the registry websites”.
Is locking biometrics enough?
“These are design problems that the RBI or UIDAI do not want to fix and the cops don’t know what to do,” said Kodali, which is why the police say block biometrics.
But locking biometrics, Lakshmanan points out, is not a practical option for many, from those dependent on welfare programmes to government employees who authenticate their attendance through Aadhaar-based biometric systems. “Till date, there has not been a solution to this problem,” he said.
Lakshmanan said that another option was to allow users to lock access at their bank account level and not Aadhaar level, which would mean preventing AePS from accessing the bank account. This would allow users to continue daily authentication but protect their bank accounts.
Technically, people should be allowed to delink their Aadhaar from their bank accounts, because of the Supreme Court judgement – but banks have not provided such an option.
Kodali pointed out that right now, Aadhaar and biometrics are being used to steal money. But since Aadhaar is being linked to land documents as well, this opens up the worrying possibility that land registration details could be tampered with. “Because ID and passwords are public,” said Kodali. “And public for a host of systems, not just payments.”
“The fraud goes beyond banking…it can go to land and anywhere Aadhaar is used,” underlined Kodali. “The claim was that Aadhaar will fix fraud. But it doesn’t.”