Explained | Gaps in Aadhaar-enabled Payment System (AePS) abused by cybercriminals

Scammers are reportedly using leaked biometric details, bypassing the need for OTPs, to siphon money from users’ bank accounts 

May 15, 2023 10:19 am | Updated 12:01 pm IST

Gaps in Aadhaar-enabled Payment Services (AePS) are being used by cybercriminals to siphon money from users’ bank accounts.

Gaps in Aadhaar-enabled Payment Services (AePS) are being used by cybercriminals to siphon money from users’ bank accounts. | Photo Credit: V.V. Krishnan

Not sharing One Time Passwords (OTPs) or revealing bank account details may sound like a foolproof idea to avoid falling into the trap of scammers. However, cybercriminals have now taken to using silicone thumbs to operate biometric POS devices and biometric ATMs to drain users’ bank accounts.

Pushpendra Singh, a popular YouTuber, in a Twitter thread, shared how his mother’s bank account was drained using an Aadhaar-linked fingerprint without needing two-factor authentication. His mother was not informed of the transactions by her bank, via message or otherwise, and it was only when she updated her passbook that the scam was uncovered.

“Last Month I went to PNB Bank for mother passbook entry. I noticed 0 balance in Account. After that I asked with banker why it’s showing 0 balance, I called immediately to my mother & explained she has 0 balance. She said I never withdrawal any money, how come it possible? After sometime she came to bank along with me and we had started discussion with bank manager. Bank Manager replied: “Someone drained this account by using Aadhar card fingerprint from Bihar,” the thread read, verbatim.

In January this year, a similar incident was reported in Gurugram, Haryana, with complaint being lodged against unidentified suspects for allegedly misusing fingerprints to authenticate Aadhaar biometrics and withdrawing money from the victim’s bank account.

In this case, the victim Pathuri Kumar, once intimated of a transaction, immediately locked his Aadhaar biometric using a mobile-based application, avoiding further damage.

In Hyderabad, in June 2022, a gang of cybercriminals was arrested for accessing document from Andhra Pradesh Registration and Stamps Department’s official website to fraudulently withdraw ₹14.64 lakh from 149 customers. Authorities seized 2,500 cloned fingerprints, along with pen drives and other gadgets used to run the scam.

A quick search on Google reveals that similar incidents have been reported in many different parts of the country.

What is AePS and how does it remove the need for an OTP?

Aadhaar-enabled Payment Services (AePS) is a bank-led model which allows online financial transactions at Point-of-Sale (PoS) and Micro ATMs through the business correspondent of any bank using Aadhaar authentication. The model removes the need for OTPs, bank account details, and other financial details. It allows fund transfers using only the bank name, Aadhaar number, and fingerprint captured during Aadhaar enrolment, according to the National Payments Corporation of India (NCPI).

For AePs, these are the only inputs required for certain types of transactions, including cash deposit, cash withdrawal, balance inquiry, mini statement, Aadhaar to Aadhaar fund transfer, authentication, and BHIM Aadhaar pay.

Are AePS transactions enabled by default?

Neither Unique Identification Authority of India (UIDA)I nor NPCI mentions clearly whether AePS is enabled by default. Cashless India, a website managed and run by MeitY, says the service does not require any activation, with the only requirement being that the user’s bank account should be linked with their Aadhaar number.

Users who wish to receive any benefit or subsidy under schemes notified under section 7 of the Aadhaar Act, have to mandatorily submit their Aadhaar number to the banking service provider, according to UIDAI. Aadhaar is also the preferred method of KYC for banking institutions, thus enabling AePS by default for most bank account holders.

(The Hindu reached out to AePS India to inquire about the safety and security features of devices used for transactions but has not received any response.)

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

How is biometric information leaked?

While data breaches in Aadhaar have been reported in 2018, 2019, and 2022, UIDAI has denied that any Aadhaar data was breached. In response to media reports, UIDAI said that Aadhaar data, including biometric information, is fully safe and secure.

However, UIDAI’s database alone is not the only location where data can be leaked.

“Aadhaar numbers are readily available in the form of photocopies, and soft copies, and criminals are using Aadhaar-enabled payment systems to breach user information. Scammers have, in the past, made use of silicone to trick devices into initiating transactions,” cybersecurity expert Rakshit Tandon, told The Hindu.

How do you secure Aadhaar biometric information?

The UIDAI is proposing an amendment to the Aadhaar (Sharing of Information) Regulations, 2016, which will require entities in possession of an Aadhaar number to not share details unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.

The UIDAI has also implemented a new two-factor authentication mechanism that uses a machine-learning-based security system, combining finger minutiae and finger image capture to check the liveness of a fingerprint.

Additionally, users are also advised to ensure that they lock their Aadhaar information by visiting the UIDAI website or using the mobile app. This will ensure that their biometric information, even if compromised, cannot be used to initiate financial transactions. Aadhaar can be unlocked when the need for biometric authentication arises, such as for property registration and passport renewals, after which it can again be locked.

How do you lock Aadhaar online?

Aadhaar cards can be locked using the UIDAI website to generate a 16-digit VID number via SMS service. Users can also lock their Aadhaar biometric information using the My Aadhaar tab on the UIDAI website.

The 16-digit code generated when locking the Aadhaar will be needed to unlock it. Users can also lock and unlock their Aadhaar information using the myAadhaar app, available for iOS and Android.

What can be done in case of a financial scam using Aadhaar?

If users have not already locked their Aadhaar biometric information, they should do so immediately in case of any suspicious activity in their bank accounts. Users are also advised to inform their banks and the concerned authorities as soon as possible. Timely reporting can ensure that any money transferred using fraudulent means is returned to the victim.

The RBI in a circular has stated that a customer’s entitlement to zero liability arises where the unauthorised transaction occurs, and the customer notifies the bank within three working days of receiving a communication from the bank regarding such unauthorised transaction.

While banks and other financial service providers are instructed to inform customers of transactions through SMS and emails, lack of network or access to email IDs may stop them from doing so. As such, users are advised to regularly check their bank accounts and inform their banking institution in case of any suspicious activity.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.