Digital security

Sophisticated Aadhaar-related bank fraud has left police in Delhi and Noida baffled

The con involves the fraudulent withdrawal of money from bank accounts of victims with the help of a SIM card, Aadhaar and the United Payments Interface.

The police in Delhi and the neighbouring township of Noida are investigating several complaints of fraud in which money was suspected to be siphoned out of bank accounts of victims with the help of a Unified Payment Interface-supported application linked to Aadhaar, the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

The fraud seems similar to the debit card scams that were rampant in India not long ago, which were aimed at people who are less digitally savvy and end up giving confidential information away on a phone call. Though the police are investigating a number of these cases, which involve Aadhaar-linked United Payments Interface apps, there is much they still do not understand about the scams.

The United Payments Interface is a system that allows users in India to transact across 30 banks using their smartphones. It was developed by the National Payments Corporation of India, an umbrella organisation of banks.

“Since March, the police in Delhi and Noida have received more than 30 such cases,” said Kislay Chaudhary, cyber security consultant to several government agencies and police departments in India.

How the scam works

According to Chaudhary, the modus operandi in this racket involves a complicated procedure in which a caller, pretending to be a representative of the Unique Identification Authority of India, which manages the Aadhaar database, calls the victim on the pretext of linking their Aadhaar with their Permanent Account Numbers. This is one of the linkages the Union government has been pushing hard for.

Chaudhury said that the caller first asks the victim for their Aadhaar number and then tells them this is a verification call. The caller then asks them to reveal the code sent to their phone from the Unique Identification Authority of India to complete the verification process. When the victim reveals this number, the caller’s job is done.

The code is actually a One-Time Password generated by the Unique Identification Authority of India. It is sent to the registered phone numbers of those enrolled with Aadhaar when a request is made on the website to change the personal details, such as telephone number, of an Aadhaar holder.

“This alteration can be done through the UIDAI [Unique Identity Authority of India] website, which is actually a facility provided for the convenience of people,” said Chaudhary.

He added that the conman then uses the One-Time Password to change the phone number linked to the victim’s Aadhaar number on the website. “The perpetrators are suspected to have replaced the victims’ phone numbers with numbers in their possession,” said Chaudhary.

The conman’s next step is to download a popular United Payment Interface-supported application, which automatically detects Aadhaar numbers linked to the SIM card of the phone in which the banking application is installed. The application automatically searches for bank accounts linked to the Aadhaar number linked to the phone, said Chaudhury. At the end of this operation, the conman has access to the victim’s bank account and can initiate banking transactions.

Though payments made via the Unified Payments Interface require a Personal Identification Number, this security measure proves useless as the conman himself gets to generate the PIN while registering with the Unified Payments Interface-linked application, said Chaudhury.

Investigators puzzled

Bhisham Singh, Deputy Commissioner of Police in Delhi (Crime Branch), said: “The pretext of linking Aadhaar with PAN seems like a new trend among conmen, who keep updating themselves with the times. We have a dedicated department in the cyber cell which looks into all such cases. Investigation into several such cases are underway.” Singh did not disclose any further details.

Superintendent of Police (Noida City) Arun Kumar Singh could not be reached for his response.

But investigators are baffled at the way the scam works. They say these instances of fraud are more sophisticated than those seen previously. In the past, gangs succeeded in getting people to disclose the secret details of their debit cards and used those details to steal their money. The Delhi police first encountered an Aadhaar-related phishing case in May 2015. “By the time an investigation could begin, three more cases were reported between May 2014 and 2017,” said a police official.

Police officials in Delhi who did not wish to be identified said that investigations into the more recent cases of fraud have apparently hit a dead end.

“From preliminary investigations, it has emerged that most of the transactions were executed through phone numbers issued on fake identity documents, and on mobile devices with duplicated IP addresses,” said an official. “So, none of the perpetrators could be traced so far.”

At the same time, there is much that investigators are yet to understand.

For instance, the victims of this scam say when the fraudulent transactions took place they did not receive text messages from their banks, which they usually do whenever they make transactions.

The police official said: “As banks send text messages to customers on the basis of phone numbers saved in their own databases, we do not understand how the conmen ensured that the victims did not receive text messages from their banks when they withdrew money from the victims’ accounts.”

He added: “The full modus operandi can be dissected only when a gang involved in this scam is busted.”

On Wednesday afternoon, senior UIDAI official responded to a query from Scroll.in. “Such incidents have come to our notice,” the official said. “People must know that UIDAI will never make any such phone call to verify Aadhaar details for the purpose of PAN. One must not disclose any verification code [which can actually be an OTP] with such callers.”

This article has been updated to include UIDAI’s response.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

Bringing your parents into the digital fold can be a rewarding experience

Contrary to popular sentiment, being the tech support for your parents might be a great use of your time and theirs.

If you look up ‘Parents vs technology’, you’ll be showered with a barrage of hilariously adorable and relatable memes. Half the hilarity of these memes sprouts from their familiarity as most of us have found ourselves in similar troubleshooting situations. Helping a parent understand and operate technology can be trying. However, as you sit, exasperated, deleting the gazillion empty folders that your mum has accidentally made, you might be losing out on an opportunity to enrich her life.

After the advent of technology in our everyday personal and work lives, parents have tried to embrace the brand-new ways to work and communicate with a bit of help from us, the digital natives. And while they successfully send Whatsapp messages and make video calls, a tremendous amount of unfulfilled potential has fallen through the presumptuous gap that lies between their ambition and our understanding of their technological needs.

When Priyanka Gothi’s mother retired after 35 years of being a teacher, Priyanka decided to create a first of its kind marketplace that would leverage the experience and potential of retirees by providing them with flexible job opportunities. Her Hong Kong based novel venture, Retired, Not Out is reimagining retirement by creating a channel through which the senior generation can continue to contribute to the society.

Our belief is that tech is highly learnable. And learning doesn’t stop when you graduate from school. That is why we have designed specific programmes for seniors to embrace technology to aid their personal and professional goals.

— Priyanka Gothi, Founder & CEO, Retired Not Out

Ideas like Retired Not Out promote inclusiveness and help instil confidence in a generation that has not grown up with technology. A positive change in our parent’s lives can be created if we flip the perspective on the time spent helping them operate a laptop and view it as an exercise in empowerment. For instance, by becoming proficient in Microsoft Excel, a senior with 25 years of experience in finance, could continue to work part time as a Finance Manager. Similarly, parents can run consultation blogs or augment their hobbies and continue to lead a fulfilling and meaningful life.

Advocating the same message, Lenovo’s new web-film captures the void that retirement creates in a person’s life, one that can be filled by, as Lenovo puts it, gifting them a future.

Play

Depending on the role technology plays, it can either leave the senior generation behind or it can enable them to lead an ambitious and productive life. This festive season, give this a thought as you spend time with family.

To make one of Lenovo’s laptops a part of the family, see here.

This article was produced on behalf of Lenovo by the Scroll.in marketing team and not by the Scroll.in editorial staff.