The police in Delhi and the neighbouring township of Noida are investigating several complaints of fraud in which money was suspected to be siphoned out of bank accounts of victims with the help of a Unified Payment Interface-supported application linked to Aadhaar, the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

The fraud seems similar to the debit card scams that were rampant in India not long ago, which were aimed at people who are less digitally savvy and end up giving confidential information away on a phone call. Though the police are investigating a number of these cases, which involve Aadhaar-linked United Payments Interface apps, there is much they still do not understand about the scams.

The United Payments Interface is a system that allows users in India to transact across 30 banks using their smartphones. It was developed by the National Payments Corporation of India, an umbrella organisation of banks.

“Since March, the police in Delhi and Noida have received more than 30 such cases,” said Kislay Chaudhary, cyber security consultant to several government agencies and police departments in India.

How the scam works

According to Chaudhary, the modus operandi in this racket involves a complicated procedure in which a caller, pretending to be a representative of the Unique Identification Authority of India, which manages the Aadhaar database, calls the victim on the pretext of linking their Aadhaar with their Permanent Account Numbers. This is one of the linkages the Union government has been pushing hard for.

Chaudhury said that the caller first asks the victim for their Aadhaar number and then tells them this is a verification call. The caller then asks them to reveal the code sent to their phone from the Unique Identification Authority of India to complete the verification process. When the victim reveals this number, the caller’s job is done.

The code is actually a One-Time Password generated by the Unique Identification Authority of India. It is sent to the registered phone numbers of those enrolled with Aadhaar when a request is made on the website to change the personal details, such as telephone number, of an Aadhaar holder.

“This alteration can be done through the UIDAI [Unique Identity Authority of India] website, which is actually a facility provided for the convenience of people,” said Chaudhary.

He added that the conman then uses the One-Time Password to change the phone number linked to the victim’s Aadhaar number on the website. “The perpetrators are suspected to have replaced the victims’ phone numbers with numbers in their possession,” said Chaudhary.

The conman’s next step is to download a popular United Payment Interface-supported application, which automatically detects Aadhaar numbers linked to the SIM card of the phone in which the banking application is installed. The application automatically searches for bank accounts linked to the Aadhaar number linked to the phone, said Chaudhury. At the end of this operation, the conman has access to the victim’s bank account and can initiate banking transactions.

Though payments made via the Unified Payments Interface require a Personal Identification Number, this security measure proves useless as the conman himself gets to generate the PIN while registering with the Unified Payments Interface-linked application, said Chaudhury.

Investigators puzzled

Bhisham Singh, Deputy Commissioner of Police in Delhi (Crime Branch), said: “The pretext of linking Aadhaar with PAN seems like a new trend among conmen, who keep updating themselves with the times. We have a dedicated department in the cyber cell which looks into all such cases. Investigation into several such cases are underway.” Singh did not disclose any further details.

Superintendent of Police (Noida City) Arun Kumar Singh could not be reached for his response.

But investigators are baffled at the way the scam works. They say these instances of fraud are more sophisticated than those seen previously. In the past, gangs succeeded in getting people to disclose the secret details of their debit cards and used those details to steal their money. The Delhi police first encountered an Aadhaar-related phishing case in May 2015. “By the time an investigation could begin, three more cases were reported between May 2014 and 2017,” said a police official.

Police officials in Delhi who did not wish to be identified said that investigations into the more recent cases of fraud have apparently hit a dead end.

“From preliminary investigations, it has emerged that most of the transactions were executed through phone numbers issued on fake identity documents, and on mobile devices with duplicated IP addresses,” said an official. “So, none of the perpetrators could be traced so far.”

At the same time, there is much that investigators are yet to understand.

For instance, the victims of this scam say when the fraudulent transactions took place they did not receive text messages from their banks, which they usually do whenever they make transactions.

The police official said: “As banks send text messages to customers on the basis of phone numbers saved in their own databases, we do not understand how the conmen ensured that the victims did not receive text messages from their banks when they withdrew money from the victims’ accounts.”

He added: “The full modus operandi can be dissected only when a gang involved in this scam is busted.”

On Wednesday afternoon, senior UIDAI official responded to a query from “Such incidents have come to our notice,” the official said. “People must know that UIDAI will never make any such phone call to verify Aadhaar details for the purpose of PAN. One must not disclose any verification code [which can actually be an OTP] with such callers.”

This article has been updated to include UIDAI’s response.