The Hindu
Sharath S. Srivatsa

Lack of live authentication led to Aadhaar-enabled Payment System fraud in Karnataka

As Karnataka recently reported cases of fraudulent financial transactions using Aadhaar numbers and thumb impressions downloaded from the public domain, it has now emerged that the transactions took place over non-live fingerprint authentication, which led to multiple frauds in the Aadhaar-enabled Payment System (AePS). This is despite the Unique Identification Authority of India (UIDAI) stating in February that live authentication would be rolled out from March 1.

While such frauds by Bihar- and Jharkhand-based gangs have been reported in several States across the country before, the frauds that came to light recently are the first in Karnataka, and the modus operandi here is also new, the police said. “Fraudsters have used different modus operandi elsewhere in a non-live authentication process. There have been similar cases in the MGNREGA system in other places,” a senior Bengaluru police official said.

The modus operandi
Documents were downloaded from the Kaveri system
Aadhaar number and thumb impression in documents were used
A 3D print of thumb impression found in document was generated
Fraudulent transactions undertaken using Aadhaar number and 3D print of the thumb to withdraw money using Aadhaar-enabled Payment System

The fraudsters used Aadhaar numbers and thumb impressions from the property registration documents that were available in the domain of the Stamps and Registration Department in Karnataka and created 3D images of the fingerprints. They then used them to draw money through non-live fingerprint authentication in the Aadhaar-enabled Payment System (AePS). The police said that masking of the first eight digits had been mandated before, but had not been taken seriously.

In February 2023, the Unique Identification Authority of India (UIDAI) wrote to the States about technological solutions against possible spoofing attempts and informed them of its decision to switch over to the new modality of FMR-FIR fingerprint authentication with effect from March 1, 2023. The UIDAI said this would block any attempted non-live fingerprint authentication. In contrast to non-live authentication, in live authentication the person has to be physically present to authenticate. It also asked for the removal of the Aadhaar number and thumb impressions from websites.

Sources in the Police Department confirmed that the current fraud had taken place over non-live fingerprint authentication as victims were unaware of the transactions. Though the live authentication process has been rolled out in the country, the UIDAI did not respond to The Hindu’s request to comment on the Karnataka-related issue. While a detailed questionnaire was sent to multiple authorised email IDs in the UIDAI on November 13, followed by a couple of reminders, The Hindu did not receive a response.

In India, about 70 million authentication transactions take place daily and so far over 100 billion authentication transactions have taken place.

Interestingly, weeks after the non-live transaction frauds came to light in Karnataka, a top bank in the country, in a newspaper advertisement, warned customers of possible AePS frauds and asked them to lock biometric data on the Aadhaar (UIDAI) website as per usage.

Sources said that banks should not have allowed a single-step authentication since it is a financial transaction. “Ideally, the authentication should be of two steps — one involving biometrics and the other with an OTP. In this case, the fraudsters have been able to siphon off money because a non-live authentication is available.” Though most banks have a live authentication system, sources suspected that this fraud would not have taken place unless the banking correspondents hired/contracted by the banks who operate the AePS connived with the fraudsters.

The National Payment Corporation of India is the payment gateway for the AePS, and mails to its corporate communication ID to elicit its response on the issue went unanswered.

Karnataka masks first eight digits of the 12-digit Aadhaar number in documents

The State government has asked sub-registrars to mask the first eight of the 12-digit Aadhaar numbers in documents related to registrations and has curtailed the certified copy available on the public domain to one page.

“We have stopped making the full certified copy available. Only the first page that will provide details of the buyer, seller, and the property registered is being made available in the public domain. The government never mandated Aadhaar for property registration. However, if the buyer and seller insist on inserting the Aadhaar in the document, then eight digits have to be masked,” sources said. “There are multiple alternative identification documents that can be provided during registration. People have voluntarily used Aadhaar during registration,” sources said.

Meanwhile, on making the certified copies available online, it is learnt that it has been mandated to provide them to those who seek documents under Section 57 (1) of the Registration Act, 1908. As per the provision, the registering authority has to allow inspection of certain books and indexes and provide certified copies to anyone applying for them. “It’s a tricky situation too. To maintain transparency, we are mandated to upload the documents also. Even the document is made available with a watermark of ‘for information’,” a Revenue official said.

While the UIDAI has written to the Union Department of Land Records and State governments to bring suitable changes to the Registration Act, the State government has a very limited role in changing the current system as the Registration Act is a Central law, and the State government has formed only rules to operationalise the Act, sources pointed out. “The State will highlight concerns, legal impediments, and possible suggestions since the Centre has asked for it,” sources said.

Centre has discussed the issue related to fraud with Stamps and Registration Dept. officials

The Centre has discussed the AePS fraud based on the documents available in the public domain with officials of the Stamps and Registration Department across the country.

“The Centre suggested that all documents could be sent to them and they would mask the details before it is put on the public domain. However, the question of possible leakage of information once it leaves the State’s domain was raised,” sources said. They feared that this system could lead to delays since these documents are covered under the Sakala programme that has fixed timelines. “While they do not have a large daily capacity to mask documents, on average Karnataka alone generates about 10,000 documents daily. We feel what the Centre is suggesting is not a practical idea,” they said.
