Lack of live authentication led to Aadhaar-enabled Payment System fraud in Karnataka

In February 2023, UIDAI had informed States of its decision to switch over to a new modality of fingerprint authentication with effect from March 1

December 02, 2023 09:43 pm | Updated December 03, 2023 12:35 am IST - Bengaluru

Fraudsters used Aadhaar numbers and thumb impressions from the property registration documents that were available in the domain of the Stamps and Registration Department in Karnataka.

Karnataka recently reported cases of fraudulent financial transactions that used Aadhaar numbers and thumb impressions downloaded from the public domain. It has now emerged that the transactions took place over non-live fingerprint authentication, which led to multiple frauds in the Aadhaar-enabled Payment System (AePS). This is despite the Unique Identification Authority of India (UIDAI) stating in February that live authentication would be rolled out from March 1.

While such frauds by Bihar- and Jharkhand-based gangs have been reported in several States across the country before, the frauds that came to light recently are the first in Karnataka, and the modus operandi here is also new, the police said. “Fraudsters have used different modus operandi elsewhere in a non-live authentication process. There have been similar cases in the MGNREGA system in other places,” a senior Bengaluru police official said.

The modus operandi
  • Documents were downloaded from the Kaveri system
  • Aadhaar number and thumb impression in documents were used
  • A 3D print of thumb impression found in document was generated
  • Fraudulent transactions undertaken using Aadhaar number and 3D print of the thumb to withdraw money using Aadhaar-enabled Payment System

The fraudsters used Aadhaar numbers and thumb impressions from the property registration documents that were available in the domain of the Stamps and Registration Department in Karnataka and created 3D images of the fingerprints. They then used them to draw money through non-live fingerprint authentication in the Aadhaar-enabled Payment System (AePS). The police said that masking of the first eight digits had been mandated before, but had not been taken seriously.

In February 2023, the Unique Identification Authority of India (UIDAI) wrote to the States about technological solutions against possible spoofing attempts and informed them of its decision to switch over to the new modality of FMR-FIR fingerprint authentication with effect from March 1, 2023. The UIDAI said this would block any attempted non-live fingerprint authentication. In contrast to non-live authentication, live authentication requires the person to be physically present to authenticate. It also asked for the removal of Aadhaar numbers and thumb impressions from websites.

Sources in the Police Department confirmed that the current fraud had taken place over non-live fingerprint authentication as victims were unaware of the transactions. Though the live authentication process has been rolled out in the country, the UIDAI did not respond to The Hindu’s request to comment on the Karnataka-related issue. While a detailed questionnaire was sent to multiple authorised email IDs in the UIDAI on November 13, followed by a couple of reminders, The Hindu did not receive a response.

In India, about 70 million authentication transactions take place daily and so far over 100 billion authentication transactions have taken place.

Interestingly, weeks after the non-live transaction frauds came to light in Karnataka, a top bank in the country, in a newspaper advertisement warned customers of possible AePS frauds, and asked the customers to lock biometric data on the Aadhaar (UIDAI) website as per usage.

Sources said that banks should not have allowed a single-step authentication since it is a financial transaction. “Ideally, the authentication should be of two steps — one involving biometrics and the other with an OTP. In this case, the fraudsters have been able to siphon off money because a non-live authentication is available.” Though most banks have a live authentication system, sources suspected that this fraud would not have taken place unless the banking correspondents hired/contracted by the banks who operate the AePS connived with the fraudsters.

The National Payment Corporation of India is the payment gateway for the AePS, and mails to its corporate communication ID to elicit its response on the issue went unanswered.

Karnataka masks first eight digits of the 12-digit Aadhaar number in documents

The State government has asked sub-registrars to mask the first eight of the 12-digit Aadhaar numbers in documents related to registrations and has curtailed the certified copy available on the public domain to one page.

“We have stopped making the full certified copy available. Only the first page that will provide details of the buyer, seller, and the property registered is being made available in the public domain. The government never mandated Aadhaar for property registration. However, if the buyer and seller insist on inserting the Aadhaar in the document, then eight digits have to be masked,” sources said. “There are multiple alternative identification documents that can be provided during registration. People have voluntarily used Aadhaar during registration,” sources said.
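The masking rule described above, sketched as an added example that is not part of the original report or of any government system: it masks the first eight digits of 12-digit numbers found in a document's text. It assumes the numbers appear as 12 digits optionally grouped 4-4-4, and it uses the Verhoeff checksum that Aadhaar numbers carry so that other 12-digit numbers are left alone; the function names and the sample number are constructed for illustration.

```python
import re

# Verhoeff checksum tables, generated instead of typed out.
def _d(j, k):  # multiplication in the dihedral group D5
    if j < 5:
        return (j + k) % 5 if k < 5 else 5 + (j + k) % 5
    return 5 + (j - k) % 5 if k < 5 else (j - k) % 5

D = [[_d(j, k) for k in range(10)] for j in range(10)]
BASE = [1, 5, 7, 6, 2, 8, 3, 0, 9, 4]
P = [list(range(10))]
for _ in range(7):  # P[i] is the base permutation applied i times
    P.append([BASE[x] for x in P[-1]])

def verhoeff_ok(digits):
    """True if the digit string (check digit last) passes Verhoeff."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def check_digit(payload):
    """Check digit for a payload; used here only to build test data."""
    return next(c for c in "0123456789" if verhoeff_ok(payload + c))

# Assumed layout: 12 digits, optionally grouped 4-4-4 by a space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def mask_aadhaar(text):
    """Replace the first eight digits of each checksum-valid match with X."""
    def _mask(m):
        raw = m.group(0)
        if not verhoeff_ok(re.sub(r"\D", "", raw)):
            return raw  # some other 12-digit number: leave untouched
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit() and seen < 8:
                out.append("X")
                seen += 1
            else:
                out.append(ch)  # separators and the last four digits stay
        return "".join(out)
    return CANDIDATE.sub(_mask, text)

if __name__ == "__main__":
    sample = "9999 0000 111" + check_digit("99990000111")  # constructed number
    print(mask_aadhaar(f"Seller Aadhaar No. {sample}"))
```

This covers only the text layer of a document; numbers inside scanned images and the thumb impressions themselves need separate redaction.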

Meanwhile, on making certified copies available online, it is learnt that providing them is mandated for those who seek documents under Section 57 (1) of the Registration Act, 1908. As per the provision, the registering authority has to allow inspection of certain books and indexes and provide certified copies to anyone applying for them. “It’s a tricky situation too. To maintain transparency, we are mandated to upload the documents also. Even the document is made available with a watermark of ‘for information’,” a Revenue official said.

While the UIDAI has written to the Union Department of Land Records and State governments to bring suitable changes to the Registration Act, the State government has a very limited role in changing the current system as the Registration Act is a Central law, and the State government has formed only rules to operationalise the Act, sources pointed out. “The State will highlight concerns, legal impediments, and possible suggestions since the Centre has asked for it,” sources said.

Centre has discussed the issue related to fraud with Stamps and Registration Dept. officials

The Centre has discussed the AePS fraud based on the documents available in the public domain with officials of the Stamps and Registration Department across the country.

“The Centre suggested that all documents could be sent to them and they would mask the details before it is put on the public domain. However, the question of possible leakage of information once it leaves the State’s domain was raised,” sources said. They feared that this system could lead to delays since these documents are covered under the Sakala programme that has fixed timelines. “While they do not have a large daily capacity to mask documents, on average Karnataka alone generates about 10,000 documents daily. We feel what the Centre is suggesting is not a practical idea,” they said.
