Digital security

Sophisticated Aadhaar-related bank fraud has left police in Delhi and Noida baffled

The con involves the fraudulent withdrawal of money from bank accounts of victims with the help of a SIM card, Aadhaar and the United Payments Interface.

The police in Delhi and the neighbouring township of Noida are investigating several complaints of fraud in which money was suspected to be siphoned out of bank accounts of victims with the help of a Unified Payment Interface-supported application linked to Aadhaar, the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

The fraud seems similar to the debit card scams that were rampant in India not long ago, which were aimed at people who are less digitally savvy and end up giving confidential information away on a phone call. Though the police are investigating a number of these cases, which involve Aadhaar-linked United Payments Interface apps, there is much they still do not understand about the scams.

The United Payments Interface is a system that allows users in India to transact across 30 banks using their smartphones. It was developed by the National Payments Corporation of India, an umbrella organisation of banks.

“Since March, the police in Delhi and Noida have received more than 30 such cases,” said Kislay Chaudhary, cyber security consultant to several government agencies and police departments in India.

How the scam works

According to Chaudhary, the modus operandi in this racket involves a complicated procedure in which a caller, pretending to be a representative of the Unique Identification Authority of India, which manages the Aadhaar database, calls the victim on the pretext of linking their Aadhaar with their Permanent Account Numbers. This is one of the linkages the Union government has been pushing hard for.

Chaudhury said that the caller first asks the victim for their Aadhaar number and then tells them this is a verification call. The caller then asks them to reveal the code sent to their phone from the Unique Identification Authority of India to complete the verification process. When the victim reveals this number, the caller’s job is done.

The code is actually a One-Time Password generated by the Unique Identification Authority of India. It is sent to the registered phone numbers of those enrolled with Aadhaar when a request is made on the website to change the personal details, such as telephone number, of an Aadhaar holder.

“This alteration can be done through the UIDAI [Unique Identity Authority of India] website, which is actually a facility provided for the convenience of people,” said Chaudhary.

He added that the conman then uses the One-Time Password to change the phone number linked to the victim’s Aadhaar number on the website. “The perpetrators are suspected to have replaced the victims’ phone numbers with numbers in their possession,” said Chaudhary.

The conman’s next step is to download a popular United Payment Interface-supported application, which automatically detects Aadhaar numbers linked to the SIM card of the phone in which the banking application is installed. The application automatically searches for bank accounts linked to the Aadhaar number linked to the phone, said Chaudhury. At the end of this operation, the conman has access to the victim’s bank account and can initiate banking transactions.

Though payments made via the Unified Payments Interface require a Personal Identification Number, this security measure proves useless as the conman himself gets to generate the PIN while registering with the Unified Payments Interface-linked application, said Chaudhury.

Investigators puzzled

Bhisham Singh, Deputy Commissioner of Police in Delhi (Crime Branch), said: “The pretext of linking Aadhaar with PAN seems like a new trend among conmen, who keep updating themselves with the times. We have a dedicated department in the cyber cell which looks into all such cases. Investigation into several such cases are underway.” Singh did not disclose any further details.

Superintendent of Police (Noida City) Arun Kumar Singh could not be reached for his response.

But investigators are baffled at the way the scam works. They say these instances of fraud are more sophisticated than those seen previously. In the past, gangs succeeded in getting people to disclose the secret details of their debit cards and used those details to steal their money. The Delhi police first encountered an Aadhaar-related phishing case in May 2015. “By the time an investigation could begin, three more cases were reported between May 2014 and 2017,” said a police official.

Police officials in Delhi who did not wish to be identified said that investigations into the more recent cases of fraud have apparently hit a dead end.

“From preliminary investigations, it has emerged that most of the transactions were executed through phone numbers issued on fake identity documents, and on mobile devices with duplicated IP addresses,” said an official. “So, none of the perpetrators could be traced so far.”

At the same time, there is much that investigators are yet to understand.

For instance, the victims of this scam say when the fraudulent transactions took place they did not receive text messages from their banks, which they usually do whenever they make transactions.

The police official said: “As banks send text messages to customers on the basis of phone numbers saved in their own databases, we do not understand how the conmen ensured that the victims did not receive text messages from their banks when they withdrew money from the victims’ accounts.”

He added: “The full modus operandi can be dissected only when a gang involved in this scam is busted.”

On Wednesday afternoon, senior UIDAI official responded to a query from Scroll.in. “Such incidents have come to our notice,” the official said. “People must know that UIDAI will never make any such phone call to verify Aadhaar details for the purpose of PAN. One must not disclose any verification code [which can actually be an OTP] with such callers.”

This article has been updated to include UIDAI’s response.

Support our journalism by subscribing to Scroll+ here. We welcome your comments at letters@scroll.in.
Sponsored Content BY 

Do you really need to use that plastic straw?

The hazards of single-use plastic items, and what to use instead.

In June 2018, a distressed whale in Thailand made headlines around the world. After an autopsy it’s cause of death was determined to be more than 80 plastic bags it had ingested. The pictures caused great concern and brought into focus the urgency of the fight against single-use plastic. This term refers to use-and-throw plastic products that are designed for one-time use, such as takeaway spoons and forks, polythene bags styrofoam cups etc. In its report on single-use plastics, the United Nations Environment Programme (UNEP) has described how single-use plastics have a far-reaching impact in the environment.

Dense quantity of plastic litter means sights such as the distressed whale in Thailand aren’t uncommon. Plastic products have been found in the airways and stomachs of hundreds of marine and land species. Plastic bags, especially, confuse turtles who mistake them for jellyfish - their food. They can even exacerbate health crises, such as a malarial outbreak, by clogging sewers and creating ideal conditions for vector-borne diseases to thrive. In 1988, poor drainage made worse by plastic clogging contributed to the devastating Bangladesh floods in which two-thirds of the country was submerged.

Plastic litter can, moreover, cause physiological harm. Burning plastic waste for cooking fuel and in open air pits releases harmful gases in the air, contributing to poor air quality especially in poorer countries where these practices are common. But plastic needn’t even be burned to cause physiological harm. The toxic chemical additives in the manufacturing process of plastics remain in animal tissue, which is then consumed by humans. These highly toxic and carcinogenic substances (benzene, styrene etc.) can cause damage to nervous systems, lungs and reproductive organs.

The European Commission recently released a list of top 10 single-use plastic items that it plans to ban in the near future. These items are ubiquitous as trash across the world’s beaches, even the pristine, seemingly untouched ones. Some of them, such as styrofoam cups, take up to a 1,000 years to photodegrade (the breakdown of substances by exposure to UV and infrared rays from sunlight), disintegrating into microplastics, another health hazard.

More than 60 countries have introduced levies and bans to discourage the use of single-use plastics. Morocco and Rwanda have emerged as inspiring success stories of such policies. Rwanda, in fact, is now among the cleanest countries on Earth. In India, Maharashtra became the 18th state to effect a ban on disposable plastic items in March 2018. Now India plans to replicate the decision on a national level, aiming to eliminate single-use plastics entirely by 2022. While government efforts are important to encourage industries to redesign their production methods, individuals too can take steps to minimise their consumption, and littering, of single-use plastics. Most of these actions are low on effort, but can cause a significant reduction in plastic waste in the environment, if the return of Olive Ridley turtles to a Mumbai beach are anything to go by.

To know more about the single-use plastics problem, visit Planet or Plastic portal, National Geographic’s multi-year effort to raise awareness about the global plastic trash crisis. From microplastics in cosmetics to haunting art on plastic pollution, Planet or Plastic is a comprehensive resource on the problem. You can take the pledge to reduce your use of single-use plastics, here.

This article was produced by the Scroll marketing team on behalf of National Geographic, and not by the Scroll editorial team.