
Lack of live authentication led to Aadhaar-enabled Payment System fraud in Karnataka
The Hindu
Karnataka reports frauds using Aadhaar numbers & thumb impressions from public domain. Fraudsters used non-live authentication process to draw money from AePS. UIDAI wrote to States in Feb. to switch to live authentication from March 1. Banks warned customers of AePS frauds & asked to lock biometric data. UIDAI, NPCI yet to respond on Karnataka-related issue. Govt. masks first 8 digits of Aadhaar & curtails certified copy to one page. Centre discussed issue with Stamps & Registration Dept. officials.
Karnataka recently reported cases of fraudulent financial transactions carried out using Aadhaar numbers and thumb impressions downloaded from the public domain. It has now emerged that these transactions took place over non-live fingerprint authentication, which led to multiple frauds in the Aadhaar-enabled Payment System (AePS). This is despite the Unique Identification Authority of India (UIDAI) stating in February that live authentication would be rolled out from March 1.
While such frauds by Bihar- and Jharkhand-based gangs have been reported in several States across the country before, the frauds that came to light recently are the first in Karnataka, and the modus operandi here is also new, the police said. “Fraudsters have used different modus operandi elsewhere in a non-live authentication process. There have been similar cases in the MGNREGA system in other places,” a senior Bengaluru police official said.
The fraudsters used Aadhaar numbers and thumb impressions from the property registration documents that were available in the domain of the Stamps and Registration Department in Karnataka and created 3D images of the fingerprints. They then used them to draw money through non-live fingerprint authentication in the Aadhaar-enabled Payment System (AePS). The police said that masking of the first eight digits had been mandated before, but had not been taken seriously.
In February 2023, the Unique Identification Authority of India (UIDAI) wrote to the States about technological solutions against possible spoofing attempts and informed them of its decision to switch over to the new modality of FMR-FIR fingerprint authentication with effect from March 1, 2023. The UIDAI said this would block any attempted non-live fingerprint authentication. In contrast to non-live authentication, in live authentication, the person has to be physically present to authenticate. It also asked for the removal of Aadhaar numbers and thumb impressions from websites.
Sources in the Police Department confirmed that the current fraud had taken place over non-live fingerprint authentication as victims were unaware of the transactions. Though the live authentication process has been rolled out in the country, the UIDAI did not respond to The Hindu’s request to comment on the Karnataka-related issue. While a detailed questionnaire was sent to multiple authorised email IDs in the UIDAI on November 13, followed by a couple of reminders, The Hindu did not receive a response.
In India, about 70 million authentication transactions take place daily and so far over 100 billion authentication transactions have taken place.
Interestingly, weeks after the non-live transaction frauds came to light in Karnataka, a top bank in the country warned customers in a newspaper advertisement of possible AePS frauds, and asked them to lock their biometric data on the Aadhaar (UIDAI) website as per usage.













